are you ready for gdpr? - IBM Resilient

The Road to Resilience: ARE YOU READY FOR GDPR?

The countdown to General Data Protection Regulation (GDPR) enforcement has begun. Ready or not, all organizations that process personal data that originates in the EU must comply with these new mandates by the enforcement date.

GDPR enforcement starts May 25, 2018

KEY GDPR STATS:

• Only about 50% of IT and security practitioners have started to prepare for the GDPR mandate

• Potential fine under GDPR: €20M or up to 4% of revenues

• Deadline to notify authorities of breach: 72 hours

On the Road to Resilience: YOUR GPS FOR GDPR INCIDENT RESPONSE

PHASE I: PEOPLE & PROCESS (READY)

MILESTONE 1: GOVERNANCE

• Establish GDPR project management team

• Have business units appoint GDPR leader

• Determine your Data Protection Authority (DPA)

• Assess need for Data Protection Officer (DPO) or Representative

75,000 new Data Protection Officer jobs will be created in the next 2 years

MILESTONE 2: POLICIES & PROCEDURES

• Define “personal data” consistent with GDPR

• Examine policies and procedures governing how personal data is collected

PHASE II: TECHNOLOGY (SET)

MILESTONE 3: CROSS-BORDER TRANSFER METHODS

• Determine appropriate mechanism for transferring data across borders

MILESTONE 4: DATA PROTECTION RISK

• Identify company’s information security program

• Identify options for GDPR certification bodies

• Choose a GDPR certification partner

MILESTONE 5: THIRD-PARTY VENDOR MANAGEMENT

• Establish and maintain data protection requirements for third parties

• Create model language for vendors processing personal information

• Amend contracts to incorporate new language

GO: START DATE FOR GDPR ENFORCEMENT: 25 MAY, 2018

PHASE III: CONTINUOUS IMPROVEMENT

Though the May 25, 2018 GDPR deadline can feel like a race to the finish line, preparing, practicing, and responding to a data privacy incident is a journey of continual improvement. Below are recommended milestones for GDPR and other regulatory-driven incident response preparedness obligations.

MILESTONE 6: RESPONSE PROGRAM FOR ACCESSING PERSONAL DATA

• Create procedures

• Provide mechanisms for updating personal data

• Response policies for data portability

• Response to "right to be forgotten"

MILESTONE 7: MONITORING NEW OPERATIONAL PRACTICES

• Integrate Privacy by Design

• Training and conducting impact assessments

• Track and mitigate data protection issues

• Report impact assessment and analysis results to regulators

MILESTONE 8: DATA PRIVACY & BREACH MANAGEMENT PROGRAM

• Create data privacy incident/breach response plan

• Create breach notification and reporting procedure

• Create log to track data privacy incidents

• Document compliance/accountability of your breach management program

MILESTONE 9: TRAINING & AWARENESS PROGRAM

• Conduct privacy and data security training at least annually

• Identify ongoing privacy compliance responsibility

With GDPR intelligence built right into the platform, orchestration and automation empower your security teams in 3 key areas to prepare, practice, and respond to a breach in a fraction of the time it takes your team to do manually.

1. PREPARE (Built-in GDPR Prep Guide): GDPR prescribes step-by-step requirements and how to prepare now, covering Governance; Policies & Procedures; Cross Border Transfer Methods; Data Protection Risk; Third-Party Vendor Management; Respond to Requests & Complaints; Monitor New Operational Practices; Data Privacy Breach Management Program; Training & Awareness Program.

2. PRACTICE (GDPR Simulator): battle-tests your team for a data breach under GDPR.

3. RESPOND (reporting): security incidents automatically updated as they become law.

GET ON THE ROAD TO GDPR READINESS WITH IBM RESILIENT

GET FURTHER DIRECTIONS TO GDPR READINESS

IBM Resilient has everything you’ll need for GDPR Readiness and your Incident Response programs. Learn how you can better navigate the GDPR landscape at: www.resilientsystems.com/cyber-resilience-knowledge-center/GDPR

Sources: EUGDPR.org; The Ponemon Institute: The Need for a New IT Security Architecture, March 2017