GDPR applies to Swiss enterprises too!

With the compliance deadline of 25 May 2018 for the European Union's General Data Protection Regulation (GDPR) only a few months away, you need to decide now what GDPR means for your company, your customers and your employees.

Compliance with the new data protection rules is crucial to avoid legal liability, protect your brand and preserve the confidence of customers and employees. Organisations that fail to comply face heavy financial penalties.
GDPR does not only affect European companies. Under its territorial scope (Article 3), any business that processes the personal data of people in the EU must comply even if it is established outside the EU. Note that the test is where the data subjects are, not their citizenship. A Swiss company is outside the EU, so it falls under GDPR as soon as it offers goods or services to people in the EU or monitors their behaviour, for example through website analytics or profiling. These changes therefore bring new obligations for a large share of businesses around the world.

If you meet either of the following criteria, GDPR affects you:

  • You have an establishment in an EU country.
  • You are established outside the EU, but you offer goods or services to people in the EU, or you monitor their behaviour, and so collect and process their personal data.

Company size does not decide whether GDPR applies. The 250-employee threshold in Article 30 only relieves smaller organisations of part of the duty to keep records of processing activities, and even that relief is lost if the processing is not occasional, is likely to result in a risk to individuals, or involves special categories of personal data (such as health data) or data relating to criminal convictions.
Given the severity of fines and sweeping changes that are coming, it’s critical—if you meet any of the criteria above—that you begin working towards compliance today. Your organization can already take proactive steps to stay ahead by focusing on a few key identity governance priorities: locating sensitive data, understanding who has access to it and maintaining proper access controls on that data.

1. Identify Your Sensitive Data
First, develop a complete picture of where personal data that must be protected under GDPR (customer, employee or other) exists within your organisation. It may be in structured systems such as applications or databases, or it may reside as unstructured data (such as an Excel spreadsheet or PDF report exported from an application or database) on file systems, on collaboration portals (such as SharePoint) or in cloud storage services (such as Box or Google Drive). Record for each store what categories of personal data it holds and who is accountable for it; stores with no owner are the ones that tend to be forgotten.
 
2. Determine Who Has Access
Second, understand who should have access to personal data, based on business need, and reconcile that with who actually does. This should be an ongoing process, not a one-time event: roles change, people leave, and access granted for a project is rarely removed when the project ends. Make sure to include every application and file storage platform (on-premises and in the cloud) where you actively store personal data, and compare the account lists you find there against your HR roster so that orphaned accounts show up.

3. Create Preventive & Forensic Controls
Users should have access to only the minimum resources they need ("least privilege"), and access to sensitive data, in particular special categories such as health data, should be highly restricted. You need to build a governance model that aligns access to applications and data with business need. Preventive controls enforce that model at provisioning time, so that identity and data access governance tools stop users from obtaining improper access in the first place. Detective and forensic controls come afterwards: automated, periodic reviews of user access, and logging and monitoring of who accessed which data store and when. The latter matters beyond hygiene, because GDPR requires personal data breaches to be notified to the supervisory authority within 72 hours where feasible, and you cannot scope a breach without an access record.
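The three steps above form one procedure: an inventory of where personal data lives, an export of who actually has access, and a model of who should have access by business need, reconciled into findings for review. The following is an added example of that reconciliation, not code from this page or from any governance product; the data stores, accounts, roles, ACLs and severity rules are constructed sample values, and a real run would read the inventory from a discovery tool and the ACLs from the systems themselves.

```python
"""Reconcile actual access to personal-data stores against business need.

Added example (not from the original page). Inputs are constructed
sample data: an inventory of stores tagged with GDPR data categories,
an HR roster, a role-based entitlement model, and an ACL export.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataStore:
    name: str
    kind: str              # "database", "fileshare", "saas" (sample labels)
    categories: frozenset  # personal-data categories found, e.g. {"contact", "health"}
    owner: str             # accountable person, or "" if nobody owns it

    @property
    def special_category(self) -> bool:
        # Article 9 special categories; the list covers only what the sample uses.
        return bool(self.categories & {"health", "biometric", "religion"})


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    store: str
    account: str    # "" for store-level findings
    reason: str


# HR roster: account -> role (constructed sample).
ROSTER = {"alice": "support", "bob": "analyst", "carol": "hr"}

# Business-need model: role -> stores that role may access (constructed sample).
ENTITLEMENTS = {
    "support": {"crm-db"},
    "analyst": {"crm-db", "reports-share"},
    "hr": {"hr-db"},
}

# Step 1 output: where personal data lives (constructed sample).
INVENTORY = [
    DataStore("crm-db", "database", frozenset({"contact"}), "alice"),
    DataStore("reports-share", "fileshare", frozenset({"contact"}), ""),
    DataStore("hr-db", "database", frozenset({"contact", "health"}), "carol"),
    DataStore("exports-bucket", "saas", frozenset({"contact", "health"}), ""),
]

# Step 2 input: store -> accounts that actually have access (constructed sample).
ACLS = {
    "crm-db": {"alice", "bob", "dave"},
    "reports-share": {"bob", "alice"},
    "hr-db": {"carol", "bob"},
    "exports-bucket": {"alice"},
}


def reconcile(inventory, acls, roster, entitlements):
    """Return findings for ownerless stores, orphan accounts and access
    that no role in the entitlement model justifies."""
    findings = []
    for store in inventory:
        if not store.owner:
            findings.append(Finding("medium", store.name, "", "no accountable owner"))
        for account in sorted(acls.get(store.name, ())):
            role = roster.get(account)
            if role is None:
                # Access held by an account HR does not know: leaver or service account.
                findings.append(Finding("high", store.name, account,
                                        "account not on HR roster (orphan)"))
                continue
            if store.name not in entitlements.get(role, set()):
                # Excess access; graded higher when special-category data is involved.
                sev = "high" if store.special_category else "medium"
                findings.append(Finding(sev, store.name, account,
                                        f"role '{role}' has no business need"))
    return findings


def summarize(findings):
    """Count findings per severity, for the review dashboard."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(INVENTORY, ACLS, ROSTER, ENTITLEMENTS)
    for f in results:
        print(f"[{f.severity:6}] {f.store:14} {f.account or '-':6} {f.reason}")
    print(summarize(results))
```

Run as a script, the sample data yields three high findings (an orphan account on the CRM database, an analyst with access to the HR database holding health data, and a support user with access to an unowned export bucket that also holds health data) and three medium ones. The useful design choice is that the entitlement model is the single place where business need is stated, so the review becomes a mechanical set difference that can be re-run on every ACL export rather than a one-off audit.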
 
Let our team of IT identity and data protection experts help you take the first steps towards complying with the GDPR requirements that apply to your organisation. We have long-standing expertise, methodologies and practical tools to accelerate your GDPR programme. Do not hesitate to contact us.