With the European Union’s General Data Protection Regulation (GDPR) now fully in effect, the scramble for many to reach the required level of compliance is over. Now comes the issue of maintaining compliance. This is best done through regular self-assessments and external audits by certified authorities, which have become best practice for preventing nasty surprises and large fines from ruining your day in the future.
This article is intended to give companies the tools to conduct accurate self-assessments, so that by the time an external auditor arrives, most of the hard work has already been done.
Why perform audits?
Compliance is not a state that, once achieved, can be forgotten about. Rather, it is a state that needs to be evaluated regularly. Regardless of whether you believe the legislation to be a win for privacy or a nuisance demanding more effort than it’s worth, these evaluations need to be done. In a little under a year since GDPR was adopted, the European Data Protection Board reported that it had received 65,000 data breach notifications and had issued fines totaling 63 million USD. The risk of falling foul of the regulation and being fined is reason enough to conduct compliance audits and self-assessments.
Create a Plan
The first step is to create a plan. This should ideally contain a set of written and actionable processes that meet the law’s requirements step by step. If you are new to creating such a plan, the International Standards Organization has created a helpful template to assist. Another important aspect to consider when creating the plan is the nature of the data the company collects, across the data’s entire lifespan. The management of personal data, the security risks, and the risks to the data itself must be clearly mapped out.
Look for Compliance Gaps
This can be an exhaustive process, because finding gaps requires analyzing the entire ecosystem. This includes how records are processed and logged, the technical and security controls in place, how data is transferred, how data requests are handled, and how the data is protected. Once this discovery phase is complete, a report needs to be created. The report must be just as exhaustive as the discovery phase: it must give a complete picture of the findings as well as the recommendations and changes needed to ensure compliance.
Next, your chosen team will need to remediate those gaps to meet GDPR compliance needs. This should be done systematically, prioritizing the gaps that pose the greatest security risk and addressing those first. The highest-risk areas can be determined by combining the impact on the business if the gap is found to be non-compliant with the perceived probability of that occurring.
Lastly, the remediations need to be tested. It would be pointless to go through all the effort of finding and plugging the compliance gaps only for the newly implemented remediation controls not to work. These new controls should be tested and re-tested until everyone involved is confident the gaps are closed.
Debates surrounding the efficacy of GDPR are now purely academic; what is not academic anymore is ensuring compliance. Conducting self-assessments and audits regularly is essential to remaining compliant.