Six Steps to GDPR Compliance
Published by D.D.Garbis in GDPR & Compliance · 10 May 2017
Tags: #GDPR, #Compliance, #DataProtection
The General Data Protection Regulation (GDPR), Regulation No. 2016/679, was approved by the EU Parliament on April 14, 2016 and came into force 20 days after its publication in the Official Journal of the EU. As a Regulation it is directly applicable in all EU Member States two years after entering into force, from May 25th 2018, when bodies, companies and organizations that do not comply will face heavy fines.
The General Data Protection Regulation replaces the EU Data Protection Directive 95/46/EC and aims (a) to harmonize data protection laws across Europe, (b) to protect and strengthen the privacy of EU citizens and (c) to reshape the way in which organizations operating in the EU approach and manage personal data security. GDPR will also require much closer co-operation between the different independent authorities, such as “Supervisory Authorities” or “Private Data Protection Authorities”.
Six steps to achieve GDPR Compliance
Step #1: Briefing and Basic Training
- Understanding GDPR and its importance to the company’s operations.
- Basic personnel training on GDPR and data security.
Step #2: Analysis
- Conducting a thorough analysis to understand the company’s data storage structure(s), the procedures by which data moves, and which of the company’s employees have access to the data.
- Documenting the findings.
- Deciding on data retention, data collation and data deletion.
Step #3: Security policy
- Review existing security policy documentation.
- Definition of new security policies for data protection "at rest" and "in motion".
- Definition of new security policies for data access.
- Update security policy documents with the new policies for data protection and data access.
Step #4: Implementation and Technology
- Data protection "at rest" and "in motion" through encryption technologies.
- Data access control through multi-factor authentication technologies.
- Data change, update and delete control.
- Data leakage control.
Step #5: Extensive Training
- Full personnel training on GDPR.
- Personnel training on the company’s data protection and data security policies.
- Personnel training on data protection best practices.
Step #6: Implementation Feedback and Audit
- Perform checks on security policy implementation.
- Perform checks on security technologies implementation and security improvements.
- Annual personnel retraining.
- Create and execute drills on data management and data transfer.
- Establish mechanisms for "forensic" analysis of private data security breaches.
At CubeIQ we have the tools, methods and processes with which we can support any business that maintains and manages individuals’ personal data in becoming compliant with the General Data Protection Regulation 2016/679/EU.
- Data Encryption Systems and Hardware Security Modules – HSM.
- “Data at Rest” Protection, Unstructured Data, Structured Data, Databases, Disks and Files protection & encryption, Key Management.
- “Data in Motion” Protection, Network and WAN protection & encryption - Ethernet Encryptors.
- Full PKI Environment Deployment, PKI Encryption & Decryption, Signatures and Certificates Generation & Authentication.
- Multi-Factor Authentication, Physical OTP (Time & Event) tokens, soft OTP, Out of Band (OOB) OTP, Mobile OTP, and Pattern based OTP.
- Digital Rights Management for Document Distribution, Adobe PDF, Microsoft Office Documents Protection.
- Physical & Logical access control, Physical access control with Centralized Management, Physical & Logical access control on the same medium with Centralized Management.
- Endpoint security, Clientless Endpoint security for Monitoring and Enforcing Security Policy.
- EU: European Data Protection Board (EDPB)
- EU: European Commission Data Protection Rules
- EU: www.eugdpr.org
Related Directives and Regulations
EU Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
For more information on CubeIQ solutions and services on GDPR compliance please visit www.cubeiq.gr