
We might be nearing the end of spring, but in the privacy and security world, it feels like winter. Security and privacy officers at organizations across the globe are feeling the chill one year after the EU began enforcing its General Data Protection Regulation on May 25, 2018.

Since the GDPR went into effect, many companies have experienced large-scale public security scandals and issues, with Facebook making the news on a regular basis. In addition, California revealed its Consumer Privacy Act. In this increasingly uncertain data privacy landscape where a new data breach makes headlines daily, it’s clear that many organizations haven’t made full progress towards complying with the GDPR one year later.

Some may think it’s a coincidence that the series finale of “Game of Thrones” roughly coincided with the one-year anniversary of the GDPR enforcement, but I think not. Winter is here if you’re in the trenches of trying to comply with the GDPR.

Your Annual GDPR Check-Up

There are some simple steps your organization can take in the wake of the GDPR anniversary:

  1. Understand what data you hold and where it lives. In our world today, data is everywhere and it can take many forms — structured or unstructured, at rest or in motion. It flows through information gateways, websites and web applications, instant messaging applications and collaboration systems. It can be in the cloud or on-premises. Because of this, it’s critical to determine what data your organization holds and then properly classify it. Only then can you set the appropriate levels of permissions and protection — a step that will get you closer to GDPR compliance.
  2. Properly protect your data to make it an asset. Dark data is a huge topic of conversation as organizations become more concerned about safeguarding sensitive customer and employee information. Because of this, a substantial amount of data is likely lost in silos, file shares or instant messages. To make this data an asset again, I encourage your organization to go through a discovery process to ensure risky data is living in the appropriate place. When this happens, employees will feel more empowered to help keep that data safe.
  3. Encourage your entire staff to view security as a part of their jobs. I’ve discussed this in my previous columns, but it’s certainly worth reiterating: if privacy and security are simply seen as a cost to the business or “someone else’s job,” then your quest to comply with GDPR will likely be unsuccessful. Instead, privacy and security teams should work to develop a service level agreement with colleagues in IT and other departments. By implementing a standardized and reputable process and baking security and privacy into your culture, more employees across the organization will come to you for best practices at the beginning of a project rather than only coming to you to sign off on something. This way, the privacy and security team is providing advice, guidance and review at every step of the process, thus becoming a trusted advisor on all things data protection.
  4. Consider adopting automation tools that allow colleagues to request a privacy and security impact assessment. This is another area where privacy and security teams can truly prove their value. By leveraging technology to assist with assessments and requests, you can provide colleagues with a reasonable estimate and timeline for their project. Being involved in the process early will save them from having to make last-minute design changes or decisions with the clock to launch ticking.


Consumers Have the Power

While the tips outlined above are general best practices every privacy and security team should work into their approach, they are also actionable steps organizations can and should take to make complying with GDPR more attainable. If nothing else, the GDPR has raised consumer awareness of their privacy rights and of the obligations of companies to protect their data. With one year of GDPR enforcement under our belt, keep in mind that regulators have the power to punish companies for failing to protect data. It’s certainly not an easy regulation to comply with, but in today’s landscape, where consumers can quickly lose respect or trust for organizations that do not properly care for their data, these steps are crucial.