With many nuances to consider, adhering to the General Data Protection Regulation (GDPR) requirements can be a daunting task. After all, the entirety of the GDPR consists of a whopping 99 Articles. Fortunately, by following a GDPR security checklist, you can help your organization ensure that all required facets of data security are covered without sifting through pages and pages of legalese.
This post outlines what the GDPR is, who it applies to, and the critical steps you can take to establish compliance.
What is the General Data Protection Regulation (GDPR)?
Currently considered the toughest data privacy and security law in the world, the General Data Protection Regulation (GDPR) imposes strict requirements for the collection and use of any personal data pertaining to people in the European Union (EU). While the GDPR went into effect on May 25, 2018, its roots can be traced back to the 1950 European Convention on Human Rights. Article 8 of the convention describes the “right to respect for private and family life” which was in serious need of updating to account for how data is gathered and used in the modern technological landscape.
The GDPR lays out specific rules for the protection, processing, and movement of personal data. In doing so, it aims to protect fundamental individual rights and freedoms. The regulation applies specifically to the processing of personal data by automated means, and to manual processing of personal data that forms part of a filing system. Personal data is any information tied directly to a specific person, such as their name, identification numbers, place of birth, biometric records, and so on.
Who does the GDPR apply to?
The GDPR applies to any individual or organization around the world that targets, processes, or collects data pertaining to people in the EU. This means that even organizations in the United States and elsewhere outside of the EU must comply if they are to handle data of persons in the EU — even if that data isn’t processed or stored in the EU. In other words, any organization desiring to do business with the EU or extend its services to EU citizens must comply.
Some exceptions exist, however. For example, the regulation does not apply when personal data is used by authorities for criminal investigation or public security purposes. Data handled for personal or household activity is also exempt. And the regulation doesn’t apply to anonymous data — personal data that has had all personally identifying information removed so that it can no longer be correlated with a specific individual. Pseudonymization and encryption are not sufficient for exemption, however: pseudonymized or encrypted data can still be linked back to a person and so remains personal data.
Two categories of actors are mentioned explicitly in the regulation — data controllers and data processors. These may be individuals or organizations who control or process data of people in the EU.
The word “controller” in the regulation refers to any individual, public authority, business, agency, or other body that has a role in deciding the purpose and means of processing personal data. In other words, as the title suggests, any body that is responsible for controlling or making decisions about data.
The word “processor” refers to any individual, public authority, business, agency, or other body that processes personal data on the controller’s behalf.
9-step GDPR cybersecurity checklist to ensure compliance
We suggest the following checklist to help ensure compliance with the GDPR.
1. Conduct a data audit
Determine what data you have and what data you are collecting from people within the EU. It is only by knowing what you have that you can start taking action to protect it and align with regulations. As you conduct a data audit, be sure to examine all sources of data, types of data collected, and how that data flows through your organization. Organizations of all sizes may benefit from using a data protection impact assessment (DPIA).
2. Understand the type of data you’re collecting
Organizations with at least 250 employees — or those that conduct higher-risk data processing — must keep a current record of processing activities that meets the specifications of Article 30. This record should include the following:
- Type of data
- Who has access to the data
- Purposes of collecting and processing the data
- Measures you are taking to protect the data
- Plans for erasing the data after use (if applicable)
3. Assess data collection requirements
GDPR compliance requires ensuring you only collect data that is absolutely necessary. To that end, you should review your data audit and determine whether any personal data is routinely collected that does not serve a specific purpose. From there, you should make efforts to permanently delete the unnecessary data and prevent further collection. As a starting point, conducting a Privacy Impact Assessment (PIA) can help identify why information is collected and how it is being used.
4. Implement a real-time threat detection and response solution
Once you understand the data you’re collecting and have ensured you are only collecting the minimal data necessary, the next step is to take measures to protect that data. Basic data protection measures such as encryption and anti-malware are a starting point, but the threat landscape is constantly evolving, and breaches happen in even the most secure environments. Because of this, it’s vital to be able to detect active threats in real time and have plans in place for immediate response and mitigation. Tools such as Security Information and Event Management (SIEM) can help.
5. Be transparent
Transparency comes in two forms. First, you should make it clear to all users exactly why you are collecting their data and what you intend to do with it. This can be accomplished by providing clearly displayed notices at every data collection point. Second, in the event of a breach in which personal data is exposed, the GDPR mandates that you notify authorities within 72 hours and inform affected users as soon as possible.
6. Continuously monitor all third-party risks
Risks come from many sources. You may have done all that you can to protect data within your organization, but you must also stay on top of third-party risks. A solution such as the Third-Party Risk Management program offered by SecurityScorecard can help you understand third-party risks and take measures to remediate any vulnerabilities.
8. Verify the age of users consenting to data processing
The GDPR only allows the use of personal data if that data belongs to a person who is at least 16 years of age. If you need to collect data from younger individuals, consent must be given by a parent or guardian. To ensure you don’t inadvertently collect unauthorized data from minors, you should include an age verification step anywhere users enter personal data.
9. Include a double opt-in as needed
While not explicitly mandatory under the GDPR, implementing a double opt-in procedure for new email sign-ups more solidly establishes consent, which helps prove compliance. Users opt in when they sign up, and then confirm consent a second time via a confirmation link sent to the address they provided.
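As an added illustration (not code from the original post or from SecurityScorecard), the following Python sketch shows the server side of a double opt-in: the sign-up is recorded as the first consent event, a signed and expiring confirmation token is issued, and only a verified click on that link records the second consent event that makes the address eligible for mailings. The signing key, token lifetime and `ConsentRecord` layout are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumption: a server-side secret; in practice load it from a secrets manager.
SIGNING_KEY = b"example-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after two days


@dataclass
class ConsentRecord:
    """Both consent events are timestamped so the consent trail can be evidenced."""
    email: str
    signup_ts: int                      # first opt-in: the sign-up form submission
    confirm_ts: Optional[int] = None    # second opt-in: the confirmation-link click
    nonce: str = field(default_factory=lambda: secrets.token_urlsafe(16))


def make_token(record: ConsentRecord, now: int) -> str:
    """Build a confirmation token bound to the address, a per-signup nonce and an expiry."""
    expires = now + TOKEN_TTL_SECONDS
    msg = f"{record.email}|{record.nonce}|{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"{record.nonce}.{expires}.{sig}"


def confirm(record: ConsentRecord, token: str, now: int) -> bool:
    """Verify a confirmation token; on success record the second opt-in (idempotently)."""
    try:
        nonce, expires_s, sig = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False                    # malformed token
    if now > expires or nonce != record.nonce:
        return False                    # expired, or not the token issued for this signup
    msg = f"{record.email}|{nonce}|{expires}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False                    # tampered token
    if record.confirm_ts is None:
        record.confirm_ts = now         # keep the first confirmation time as evidence
    return True


def may_send_marketing(record: ConsentRecord) -> bool:
    """Only an address that completed both opt-in steps is eligible for mailings."""
    return record.confirm_ts is not None
```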
How SecurityScorecard can help ensure GDPR compliance
GDPR is still relatively new, but enforcement has ramped up since its inception — a trend that is likely to continue. Regulators are unafraid of imposing fines against organizations of all shapes and sizes. Companies have even been fined for breaches at their vendors, emphasizing the importance of third-party risk management. (This trend is only set to continue with regulations such as DORA.)
SecurityScorecard Security Ratings provide organizations with an instant picture of their cybersecurity posture as a starting point. From there, more thorough compliance assessments are available that can help ensure compliance with GDPR and other applicable regulations.
Not only is SecurityScorecard committed to helping you with compliance, but as a company, we maintain our own compliance with GDPR and all applicable U.S. federal regulations, including the Federal Trade Commission (FTC) Act, the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act. Request a demo to learn more today.