The European Union General Data Protection Regulation (GDPR) goes into force this week, giving organisations two years (until 25 May 2018) to comply. As the countdown begins, organisations handling the personal data of European Union citizens need to start preparing for compliance. As a cloud access security broker, Netskope have a few first steps to help you get started. For a more comprehensive list, take a look at our GDPR Checklist.
Identify personal data and where the data resides in the cloud, including cloud apps and services that collect user information.
Organisations commonly know what personal data are being used when they look at sanctioned applications. With shadow IT, however, organisations will need to take a close look at which cloud apps are in use and do proper due diligence on the cloud security behind those apps. By knowing which apps are in use and where personal data are flowing, IT can start to define proper security processes and controls.
Begin creation and documentation of processes and policies.
This means deciding on and defining the cloud security procedures and processes that will bring you into compliance with the GDPR. Specific examples include: defining how data breach notifications would happen; how to protect personal data flowing in and out of cloud apps and services (e.g. encrypting personal data as they are uploaded, or preventing personal data from being uploaded to unsanctioned apps); obtaining employee consent for legitimate use of personal data; and actually having documents for auditors and authorities that describe each of these processes and policies. Many companies may simply rely on the security tools they have purchased, but to achieve full GDPR compliance they will need to prove and/or document the measures they have taken.
Train and educate employees.
Education will be key to successful compliance and full cloud security under the GDPR. Not only do employees have the right to know how their personal data are being used, they should also understand the security policies and procedures their company is undertaking for GDPR compliance. Many larger companies will even need to appoint or hire a data protection officer to implement the new rules and to help with the audits and assessments required by the GDPR governing bodies.
To learn more about how the GDPR applies to your organization, sign up for one of our regional GDPR workshops, led by leading legal and privacy experts.