The EU's General Data Protection Regulation (GDPR) is a set of consumer data privacy regulations that apply common guidelines to companies. Although the enforcement date isn't until May 2018, the regulations pose looming issues for CIOs, as they could face significant fines for non-compliance.
According to EUGDPR.org, "The GDPR not only applies to organizations located within the EU, but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location."
How can CIOs prepare for a GDPR compliance audit?
1. Streamline permissions
You must be able to identify who on your staff can create, change, or log in to application-specific accounts. To address this challenge, many big data software tools ship with standard templates for installation. However, many of these templates from commercial vendors do not reflect the compliance standards needed in 2018.
An audit needs to prove how personal data is stored and how it is manipulated. Therefore, you must identify who on your staff can create, change, or log in to these application-specific accounts, or worse, the operating system root account.
2. Consistent disclosure
Under GDPR, organizations that suffer a breach will have 72 hours to report it to the Data Protection Authority and to notify anyone affected by the breach. This process could prove extremely difficult, especially for larger breaches such as the Equifax breach. In order to avoid the additional costs associated with an audit, it's important that an organization has implemented a sound communication and management strategy for its customers.
3. Right to be forgotten
Any business that handles the data of EU citizens will have to erase that data "without undue delay" if the individual asks them to do so or if the data was unlawfully processed. In order to handle the sheer volume of these "right to be forgotten" requests, organizations need to make sure that they have the right automated processes in place.
4. Think beyond privacy
Solely focusing on data privacy while planning for GDPR compliance can be problematic. Although a huge government regulation, GDPR isn't the first of its kind. Your organization and its employees should conduct research and learn how different industries handled big government regulations in the past.
By implementing the best practices noted here, your organization will be on track toward full compliance with GDPR. However, managing all of the regulations and policies involved with a regulation this large could prove extremely difficult. The best way to stay on top of GDPR and avoid an audit is to automate and manage your compliance environment with a comprehensive compliance management solution.