You’ve Achieved GDPR Compliance—Now What?

For those organizations impacted by General Data Protection Regulation (GDPR), the months and weeks leading up to May 25 were fast and furious. As the deadline loomed, the focus was simple: do whatever is needed to achieve compliance.

Now that the deadline has passed, in many ways, the pressure is off. But in other ways, it’s just the beginning. As you settle into day-to-day compliance, you could find that the tactics that got you to the finish line aren’t the best solutions for your ongoing needs.

“Companies are resorting to temporary controls and manual processes to ensure compliance until they implement more permanent IT solutions… Much work remains to be done after the May deadline if businesses are to overcome challenges like these and develop solutions that are sustainable in the long term.”

—McKinsey & Company

To ensure you can sustain GDPR compliance for the long haul, you may need to dig deeper into four key areas: compliance framework, incident management, request management, and executive visibility.

Compliance Framework

In the race to meet the compliance deadline, you may have pieced together manual solutions and workarounds, like spreadsheets. But continuing to use inefficient and ad hoc governance and management methods will put you at undue risk.

Companies can be fined up to 4% of their annual global revenue or €20 million, whichever is higher, if they fail to comply with GDPR standards.

Given the potentially devastating fines associated with non-compliance, spreadsheets simply aren’t a sustainable solution. You need a simple way to map GDPR articles—like those detailing consent (7), data access (15, 16, 17, 20), protection (25), and security (32)—to company controls to ensure you have your bases covered.

Incident Management

In your haste to comply, you may be using stop-gap solutions—like doubling up use of your help desk software—to manage GDPR events and incidents. But should an actual incident occur, instant identification, locking down access to incident data, and rapid communications are paramount.

“Businesses must also ensure that the processes designed during GDPR preparations work in practice and deliver the expected results.” —McKinsey & Company

Per Article 33, you must provide notification within 72 hours of a personal data breach to the supervisory authority. Furthermore, you must communicate high-risk breaches to the data subject without undue delay, as detailed in Article 34. To protect against additional fines (up to 2% of annual global revenue) for failure to meet these requirements, you need a formal and reliable process to ensure all events and incidents are managed, communicated, and auditable.

Request Management

While it has many layers, GDPR is ultimately about personal data control. Providing your data subjects with access to the data you store about them and giving them control over how that data is used (Articles 15-20) are the bedrocks of the regulation.

“…companies will need to ensure they have enough staff, adequate training, an appropriate process, and a ticket system equipped to handle related requests.” —McKinsey & Company

Because it’s also the most consumer-facing piece of the compliance puzzle, your ability to enable and manage access to personal data is critical. While the guidance around how you do this may be fuzzy, the rules of engagement are straightforward. Those who deliver the best customer experience through a simple self-service portal will win. And those who don’t risk losing customers to more able competitors.

Executive Visibility

GDPR requirements around data protection impact assessments (DPIAs)—like those detailed in Articles 35, 37, 38, and 39—can’t be sustained by cutting corners. If you’re relying on disparate and/or manual systems for aspects of GDPR, you’ll also be challenged by the regular data audits, reviews, and data management exercises needed to maintain compliance.

You need to provide executive management and your data protection officer (DPO), if applicable, a unified view of compliance governance and management. Beyond compliance, your visibility into the numbers and types of requests and incidents you’re managing is key to performing ongoing risk assessments and gap analysis, so you can streamline and refine your compliance posture.
Conclusion

As an IT pro, you’re no stranger to the challenge of data privacy and protection. But GDPR adds a whole new layer to your security governance and risk management requirements. More than ever, you need your service desk and security procedures to be tightly coupled.

The Cherwell Information Security Management Solution (ISMS) integrates a set of enterprise security management capabilities that address the demands of both security and service desk leaders. When you rely on the Cherwell ISMS for your data governance and management, you can:

• Simplify mapping of GDPR articles to your security controls.
• Streamline your security compliance, easing the burden of your next audit.
• Accelerate security event and incident handling to aid your compliance.
• Extend self-service portal capabilities to provide data subject access.
• Automate risk assessments to better anticipate and mitigate risk.

You’ve achieved GDPR compliance. Now, it’s time to make it sustainable. 

Get to know Cherwell's Information Security Management Solution.

Learn Now

McKinsey & Company quotes sourced from: Daniel Mikkelsen, Henning Soller Malin, Strandell-Jansson, Marie Wahlers, “GDPR compliance after May 2018: A continuing challenge,” McKinsey & Company, April 2018.