General Data Protection Regulation (GDPR) is the legal set of guidelines for the collection and processing of personally identifying information (PII) by organizations within the European Union (EU). GDPR also applies if the PII of an EU resident is maintained, regardless of where the organization is located, so its impacts are far-reaching. GDPR has rules related to incident management and reporting; therefore, it is critically important to be proactive and have a mitigation strategy in place, since failure to report and respond to breaches can have a significant financial impact on the organization. How can your organization establish the proper processes to mitigate the risk of GDPR breaches before they occur? Below are some initial thoughts:
1. Using techniques such as information mapping, decision charts, and workflows or playbooks to track where personal data is maintained and determining the need to maintain such data
2. Having a repeatable, documented root cause analysis process in place so that the process can be used in the event of a breach
3. Ensuring the requisite controls and processes are in place, as well as repeatable and defensible, in the event of a breach. This includes following the National Institute of Standards and Technology (NIST) framework for cybersecurity to establish security processes. The framework consists of five (5) core functions that are applicable to GDPR, and which are generally addressed concurrently:
- Identify - Develop an organizational understanding to manage the GDPR risks to systems, people, assets, data, and capabilities, in order to prioritize and focus efforts. Categories within this function include Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy, all of which would apply within GDPR response.
- Protect - Develop and implement safeguards to protect delivery of critical services and to contain the impact of a cybersecurity breach. Categories within this function include Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology. These categories are critically important in GDPR compliance, and would include activities such as security assessments and action plans related to the outcomes of the assessments so that any gaps can be addressed.
- Detect - Develop and implement appropriate activities to identify the occurrence of a GDPR cybersecurity breach, to enable timely discovery of a cybersecurity event. Categories within this function include Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
- Respond - Develop and implement an action plan regarding a cybersecurity incident, to contain its impact. Categories include Response Planning, Communications, Analysis, Mitigation, and Improvements. Communications and disclosure are specifically required by GDPR.
- Recover - Develop and implement activities to maintain recovery plans for capabilities that were damaged due to a cybersecurity breach, including timely recovery to normal operations. Categories include Recovery Planning, Improvements, and Communications. Your organization's ability to be GDPR-compliant relies on planning and continuous improvements to your infrastructure.
4. Maintaining structured records of your organization’s compliance and mitigation to demonstrate it to regulators if necessary
Trillium has significant experience in privacy, cybersecurity, procedure mapping, and implementation, including NIST processes. We can assist your organization in determining your level of risk related to GDPR, whether your response and reporting procedures are adequate, and what your path forward should be.