Last updated on August 9, 2019

One of the most recent and wide-ranging laws impacting the security profession globally is the European Union’s General Data Protection Regulation, or GDPR. As of May 25, 2018, the GDPR is a legal and enforceable act of the European Union.

In this post, we will detail the key findings as a security professional how to work to satisfy the requirements of GDPR.

General Data Protection RegulationGDPR

Chapter 11  2  3  4
Chapter 25  6  7  8  9  10  11
Chapter 312  13  14  15  16  17  18  19  20  21  22  23
Chapter 424  25  26  27  28  29  30  31  32  33  34  35  36  37  38  39  40  41  42  43
Chapter 544  45  46  47  48  49  50
Chapter 651  52  53  54  55  56  57  58  59
Chapter 760  61  62  63  64  65  66  67  68  69  70  71  72  73  74  75  76
Chapter 877  78  79  80  81  82  83  84
Chapter 985  86  87  88  89  90  91
Chapter 1092  93
Chapter 1194  95  96  97  98  99

First two things not included in GDPR:

  • GDPR Does not include privacy or personally identifiable data
  • GDPR is an extraterritorial regulation. Any organization which coleects / stores / processes / tramsits / changes personal data of EU citizens, have to follow the requirements of GDPR, even it is not based in EU.

(ISC)2 developed a framework for success:

Phase 1: Develop

  • Identify senior stakeholders and engage each business unit affected. 
  • Allocate adequate resources to support implementation. 
  • Inventory and analyze the personal data held across the organization. Verify procedures to ensure they cover all rights EU individuals have under GDPR. 
  • Review how consent is sought, obtained and recorded to determine if changes are needed. 
  • Designate a data protection officer (DPO) when processing involves specific data categories, personal data processing is large scale, and if processing these special types of personal data is core to your business. 

Phase 2: Implement

  • Identify gaps and developjroject plan to meet the data protection requirements set forth by GDPR. Two areas identified as particularly adding to the heavy workload are data protection impact assessments (DPIA) and subject access requests (SAR). Companies need to scope out how they plan to do these, and they too are subject to a risk assessment/maturity roadmap process.
  • Refine the solutions necessary for improving data protection and ensuring adherence to requirements and regulations. 
  • Implement procedures to detect, report and investigate personal data breaches.
  • Test, deploy, and OA all controls and solutions developed to achieve compliance.
  • Develop an internal GDPR audit plan.
  • Operationalize the efforts of monitoring all data protection controls created. 

Phase 3: Improve

  • Move into a state of continuous improvement. 
  • Put GDPR efforts into maintenance/review/update mode. 
  • Enhance controls and customer service to remain GDPR-compliant and build trust and vkle with customers. 

1. Setting the GDPR Strategy 

Phase 1: Develop

  • Identify senior stakeholders and engage each business unit affected. 
  • Allocate adequate resources to support implementation. 

Objectives:

  • Become familiar with sepcific articles
  • Identify articles that apply to your company
  • Identify stakeholders who will make decisions