Years ago, in preparation for graduate school, I had to take the Graduate Management Admission Test (GMAT). However, my typical study habits consisted of drinking coffee and pulling all-nighters just before a test, and I took the same approach when prepping for the GMAT. I bought a book with test-taking strategies and practice exams and cracked it open for the first time at about 6:00 pm the day before. The initial paragraph said: “Using this book to cram the night before the GMAT will do nothing to improve your score.” I was crushed. But I took the exam anyway, scored well, and got into the business school I was hoping for.
Why is this relevant? Because many organizations are preparing for the General Data Protection Regulation (GDPR) the same way I prepared for the GMAT. Even though the regulation goes into effect soon (May 25th, 2018), about 60% of organizations say they are not ready for GDPR – and are not likely to be ready when it goes into effect. GDPR carries stiff penalties, and waiting to start prepping for it is a losing proposition. Begin as soon as you can, I would suggest starting by performing a self-assessment to determine your organization’s readiness, and the next steps you need to take.
I recommend structuring your GDPR self-assessment based on people, process, and technology as shown below:
Assess your readiness by first looking at the “people” side of the equation and asking the following questions:
- Are your employees aware of GDPR?
- Do they understand it’s importance, and the ramifications of non-compliance (fines, reputational loss, etc.) if your organization fails an audit?
- Have your people been trained on GDPR?
- Do they realize that almost everyone in the organization is responsible for GDPR compliance in one way or another?
- Are steps being taken to make compliance an on-going activity (GDPR is not going away)?
- Have they “bought into” the regulation, and understand that GDPR instills practices that are just good business in a world where security breaches are commonplace?
As you assess your readiness from a “people” standpoint, I have a few suggestions to help. First, drive GDPR awareness from the top of the organization on down. Executive sponsorship will be key, and buy-in must be obtained in all areas at all levels. Compliance needs to become part of the organization’s culture, and almost everyone is responsible for it, not just your Data Protection Officer (should you need one). Develop and roll-out awareness and training programs that are specific to the roles of your employees. Make it understood that GDPR is not the company “program du jour”; it is a very important, on-going activity. Performing a self-assessment and documenting results and action plans could also help you build a defensible position to use with an auditor should a breach occur.
Assess the personal data you have, and determine which falls under the jurisdiction of GDPR. For GDPR purposes, personal data (PD) is defined as information that allows a physical person to be directly or indirectly identified, i.e. name, phone number, IP address, etc. Document the processes you use to manage data that is subject to the regulation. Look for areas where data security could be exposed, develop plans for closing gaps, and then manage and track execution. This could also help you build a defensible position if a breach were to occur.
The third component of your assessment should be based on technology. However, GDPR does not specify which technologies should be used for compliance, but Article 32 states that “Taking into account the state-of-the-art….implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk…”
My suggestion is to assess the technologies you use to manage data security, identify gaps, develop an action plan to close those gaps, and then manage execution. You will likely find that no one technology vendor can fill every gap, but here are some areas where BMC can help:
- GDPR requires Data Portability, meaning that subjects have the right to receive their data from your organization and transfer it to another. To do that, you need to know where that data resides. BMC Discovery solutions can help you understand where your information is stored and eliminate blind spots (servers that you do not know about, and that could be vulnerable to a security breach). BMC also offers solutions for securely managing and automating internal and external file transfers.
- GDPR mandates Security of Data Processing – personal data is protected in a manner that ensures appropriate security including protection against unauthorized processing, accidental loss, destruction, or damage. To help satisfy this requirement, BMC SecOps solutions can improve the security of servers and networking devices and manage security vulnerabilities.
- Another GDPR requirement is centered on Data Privacy by Design – data protection is included from the outset of designing systems, products, and services. BMC’s SecOps Policy Service can help you find and correct security exposures early in software development and cloud operations processes, including multi-cloud.
- A key part of the GDPR regulation is making sure your mainframe data is recoverable in a timely manner. BMC offers a mainframe backup and recovery solution that can estimate, simulate, and show that your data is recoverable in a timely manner.
Remember also that technology alone does not make an organization compliant with GDPR, organizations make organizations compliant. My suggestion is to look at using the combination of people, process, and technology to come up with the right approach for your business.
Hopefully you are not like me when I was studying for the GMAT, and are well on your way towards being ready for GDPR when it goes “live” on May 25th. Whether you started early or late, and are ready or not, assessing your preparedness should be a worthwhile activity. I hope the items above will help you be ready when the regulation goes into effect.
These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.