

What is GDPR Compliance?

On May 25, 2018, the long-awaited EU General Data Protection Regulation (GDPR) came into effect. GDPR aims to bring consistency to how the data of EU customers and users is protected. The regulation makes organizations responsible for maintaining best practices to secure EU data wherever it resides. Non-compliance can lead to sizable legal consequences and can cost companies dearly, including hefty fines.

What are The Penalties for Violating GDPR?

Failing to comply with GDPR requirements on data privacy, such as collecting personal data without explicit consent, failing to delete personal records, failing to provide collected data to users within 30 days, or transferring data without consent, could lead to a penalty of up to 4% of your company’s annual worldwide revenue or €20 million, whichever is higher.

What are the four simple steps you should take?

There are some more basic steps you should take before you start worrying about how GDPR impacts your systems, and here are our top four steps:

1. Awareness and Education

Nobody is going to lift a finger to support your GDPR efforts if they don’t know what it is. So start by educating your colleagues: What does the law require, and why is it relevant for us? What are the penalties for non-compliance? Which of our applications are likely to be in scope for compliance? Basic education is vital, not only to make people aware of the new regulation but also to start thinking about how to allocate staff and financial resources for dealing with it.

2. Monitor the Situation

It’s important to understand that GDPR is very new and, to some degree, vague. How it will be audited and enforced is yet to be fully determined. There is a lot of information available, but not much of it can be considered definitive. Nonetheless, if you are going to have a key role in GDPR planning, you need to read as much as possible to distill out the key points. You also need to know that various EU bodies are slowly clarifying portions of the law and publish guidance periodically. So set aside a bit of time each month to check for updates, as these will clarify the situation and help your planning efforts.

3. Start Hunting for the Data

Your eventual strategy for GDPR compliance will broadly have two components: processes and controls on your organization’s existing applications, and the processes that will be required when new applications are rolled out. For the former, you need to start looking for in-scope data in your existing IT systems. As in any compliance effort, the more systems you can show are out of scope, the better, because those can be excluded from your compliance activities.

Of course, finding the in-scope data is the driver for evaluating how big your GDPR effort will need to be. 
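The data hunt described above can be started with a simple discovery pass over the records each system holds, classifying a system as in scope as soon as any personal-data indicator turns up. The script below is an added example for this page, not Novesh's tooling or part of the original post; the indicator patterns (email, IBAN, E.164 phone numbers) and the three-system inventory are constructed assumptions, and a real discovery effort would extend the patterns with organisation-specific identifiers such as customer or HR record keys.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Illustrative indicator patterns (assumption: deliberately simple heuristics).
# They are tuned for a first pass that separates "clearly in scope" systems from
# systems that hold no personal data at all, not for exhaustive classification.
INDICATORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "phone": re.compile(r"\+[1-9]\d{6,14}\b"),
}


@dataclass
class ScanResult:
    system: str
    in_scope: bool
    indicators: dict[str, int] = field(default_factory=dict)


def find_indicators(text: str) -> dict[str, int]:
    """Count the personal-data indicators present in one record."""
    counts: dict[str, int] = {}
    for name, pattern in INDICATORS.items():
        hits = len(pattern.findall(text))
        if hits:
            counts[name] = hits
    return counts


def scan_system(name: str, records: list[str]) -> ScanResult:
    """Aggregate indicator counts over a system's records; any hit puts it in scope."""
    total: dict[str, int] = {}
    for record in records:
        for kind, hits in find_indicators(record).items():
            total[kind] = total.get(kind, 0) + hits
    return ScanResult(system=name, in_scope=bool(total), indicators=total)


def scan_inventory(inventory: dict[str, list[str]]) -> list[ScanResult]:
    """Scan every system in the inventory and return one result per system."""
    return [scan_system(name, records) for name, records in inventory.items()]


# Constructed sample inventory: a CRM table, a billing export and a metrics
# store. The names, addresses and numbers are made up for this example.
SAMPLE_INVENTORY = {
    "crm-db": [
        "id=1001 name=Example Person email=anna.example@example.eu phone=+4915112345678",
        "id=1002 name=Example Person email=bob@example.com",
    ],
    "billing-export": [
        "invoice=88 iban=DE89370400440532013000 amount=120.00",
    ],
    "build-server-metrics": [
        "2024-01-10T10:00:00Z cpu=0.42 mem=0.77 job=nightly",
    ],
}

if __name__ == "__main__":
    for result in scan_inventory(SAMPLE_INVENTORY):
        status = "IN SCOPE" if result.in_scope else "out of scope"
        print(f"{result.system:24} {status:13} {result.indicators}")
```

Running it lists the CRM database and the billing export as in scope (email and phone indicators in one, an IBAN in the other) and leaves the metrics store out. The value of even this crude pass is the exclusion: every system that reports no indicators is a candidate to drop from the compliance effort, which is exactly where the scoping savings come from.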

4. Establish and Verify Robust Logging

All compliance regimes identify logging as a key control, and GDPR implementations will be no different. Therefore, a logical initial step is to review and verify logging on key applications and supporting infrastructure. This must include not just the logging itself, but automated or manual controls that review the logs periodically to identify unauthorized or malicious activity. It also must include logging of administrator activities on critical infrastructure.
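The periodic review the section calls for can be automated as a small rule set run over the collected log lines. The script below is an added example for this page, not Novesh's tooling or code from the original post. It assumes a constructed, space-delimited audit format (`timestamp host event user=... src=... [cmd=...]`) that a real deployment would replace with its own syslog or SIEM fields, and it implements two of the checks the section asks for: privileged commands on critical hosts by accounts outside the approved administrator set, and bursts of failed authentications from one source (with a flag when a success follows such a burst).

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for this example (not a standard): one event per line,
# "<ts> <host> <event> user=<user> src=<ip> [cmd=<command>]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: cmd=(?P<cmd>.+))?$"
)


def parse_line(line: str) -> dict | None:
    """Parse one audit line into a dict, or return None if it does not match."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def review_logs(
    lines: list[str],
    critical_hosts: set[str],
    approved_admins: set[str],
    fail_threshold: int = 3,
    window: timedelta = timedelta(minutes=5),
) -> list[tuple[str, str]]:
    """Return (finding_kind, detail) pairs for the lines that need a human's attention."""
    findings: list[tuple[str, str]] = []
    # Recent failure timestamps per (host, source), pruned to the sliding window.
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)

    for raw in lines:
        event = parse_line(raw)
        if event is None:
            # Unparseable lines are findings too: a gap in the record is itself a
            # control failure the review must surface rather than silently skip.
            findings.append(("unparsed", raw))
            continue

        key = (event["host"], event["src"])

        if event["event"] == "auth_fail":
            failures[key] = [t for t in failures[key] if event["ts"] - t <= window]
            failures[key].append(event["ts"])
            if len(failures[key]) == fail_threshold:
                findings.append(("auth_burst",
                                 f'{event["src"]} -> {event["host"]}: '
                                 f'{fail_threshold} failures within {window}'))

        elif event["event"] == "auth_ok":
            recent = [t for t in failures.get(key, []) if event["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                findings.append(("success_after_failures",
                                 f'{event["user"]}@{event["host"]} from {event["src"]}'))

        elif event["event"] == "privileged_cmd":
            # Administrator activity on critical infrastructure must be logged
            # and reviewed; here the rule is "only approved admins may run it".
            if event["host"] in critical_hosts and event["user"] not in approved_admins:
                findings.append(("unapproved_admin",
                                 f'{event["user"]}@{event["host"]}: {event["cmd"]}'))

    return findings


# Constructed sample log: addresses are from the documentation ranges and the
# hosts, users and commands are made up for this example.
SAMPLE_LOG = """\
2024-03-04T02:13:05Z db-prod-01 auth_fail user=root src=203.0.113.9
2024-03-04T02:13:09Z db-prod-01 auth_fail user=root src=203.0.113.9
2024-03-04T02:13:14Z db-prod-01 auth_fail user=root src=203.0.113.9
2024-03-04T02:13:20Z db-prod-01 auth_ok user=root src=203.0.113.9
2024-03-04T02:14:02Z db-prod-01 privileged_cmd user=root src=203.0.113.9 cmd=sudo cp /var/lib/customers/export.csv /tmp
2024-03-04T09:00:00Z db-prod-01 privileged_cmd user=dba-ops src=10.0.0.5 cmd=sudo systemctl restart postgresql
2024-03-04T09:05:00Z web-dev-03 privileged_cmd user=jsmith src=10.0.0.7 cmd=sudo apt upgrade
this line is not in the expected format
""".splitlines()

if __name__ == "__main__":
    for kind, detail in review_logs(SAMPLE_LOG, {"db-prod-01"}, {"dba-ops"}):
        print(f"[{kind}] {detail}")
```

On the sample, the routine change by `dba-ops` on the production database and the developer's upgrade on a non-critical host produce nothing, while the early-morning failure burst, the login that follows it, the unapproved privileged command and the malformed line each produce one finding. That split is the point of a review control: the output is short enough that someone will actually read it, and the last entry shows why the parser's failures must be reported rather than dropped.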

If you need more info about these services, please contact us.