If you do business in the European Union, or you hold data about or generated by EU citizens, you need to be compliant with the General Data Protection Regulation (GDPR). GDPR puts data protection front-and-center, so how do you ensure you meet those regulations? We’ve done the research and created a list of useful tips on staying compliant with GDPR and ensuring you don’t run afoul of data requirements.
Let’s get into it.
Make Sure that Data Protection Applies Across all Technology Environments
GDPR applies to data you hold, regardless of where it is stored. That means all of your environments, including:
- Live, operational data that you use to run business processes, operations, and applications.
- Test data that you use for developing and testing new products and services.
- Archived data for inactive systems or customers.
- Backup data that you’re storing for data recovery and business continuity purposes <link to DR blog post once published>.
- Data held locally in your onsite data centers plus data held in public, private, or hybrid clouds.
- Data that’s “at rest” or “in transit.”
- Data that you share with third parties.
Understand and Audit the GDPR Data You’re Holding
GDPR relies on protecting all of the relevant data you hold, which typically means anything generated by or involving a citizen of an EU country. If you want to properly protect your data, you need to understand various factors including:
- The information that you’ve captured about your EU customers.
- All the places that data is stored.
- The systems and processes that use that data.
- The protections in place to secure that data.
Search, question, and audit all the data you hold, so you have a complete picture of all the information that’s affected by GDPR.
Ensure Your Data Processing Systems Provide Maximum Integrity, Availability, and Resilience
GDPR requires that data processing systems have “integrity, availability, and resilience.” Examine the various IT service provision requirements around your processing systems for various areas including:
- Availability management so that data and systems are available to employees and customers when needed.
- Demand and capacity management to ensure that both operational and recovery environments have the space and speed to meet the demands placed upon them.
- Incident and problem management so that data issues are identified and resolved quickly, and the root causes of failure are addressed to prevent recurrence.
- Disaster recovery to ensure that data is properly backed up and easily recoverable in the event of a worst case scenario that reduces or removes access to operational data.
Protect GDPR Data from Data Breaches and Unauthorized Access
With data breaches on the rise, it’s vital to do everything you can to protect sensitive information. You can achieve this through a combination of web application security practices such as multifactor authentication, penetration testing, vulnerability assessments, and role-based access to name a few. You can also look into encrypting the GDPR data that you hold <link to encryption blog post once published>, whether it is “in transit” or “at rest.” This provides an extra level of protection and security, as without decryption keys, illegally accessed data is effectively useless to a hacker.
Make Sure that EU Customers Can Delete All the Data You Hold About Them
One of the most important areas of GDPR is “The Right to be Forgotten.” This means a customer can request your company erase data that you hold about them. You must ensure you have proper data erasure processes in place, across all your environments, and that they are properly aligned with your customer facing teams.
These tips will help you stay compliant with GDPR, protect customer data more effectively, and create a more disciplined approach to data management. And that’s good for everyone.