It's been more than three months since the compliance deadline for the EU's General Data Protection Regulation, but it's clear that for most companies, there is still a lot of work to do. A June survey conducted by Dimensional Research on behalf of TrustArc found that 20% of companies reported that they were GDPR compliant, 53% reported being in the implementation phase and 27% had not yet started.
In a recent webinar titled GDPR 101: Monitoring & Maintaining Compliance After the Deadline, a panel of experts discussed GDPR compliance tips to help companies that have fallen behind and provided advice about how to remain compliant once they start to catch up. The panelists were clear that GDPR strategy is certainly not a "set it and forget it" type of process -- companies must continuously monitor and update their processes to remain compliant.
1. Know thy data
No. 1 on the list of GDPR compliance tips: Know thy data. In the digital age, information is a business asset -- a fluid asset that is constantly being shared, altered and moved. This makes a data inventory vital to GDPR strategy.
"In addition to a static inventory, we also want to include data flow diagrams -- know where the information is going and how it is being processed," said panelist Eugene Tyrrell, a senior consultant in the risk, security and privacy practice at Online Business Systems.
Eugene Tyrrellsenior consultant, Online Business Systems
Under GDPR rules, there is a huge emphasis on documentation and how the company demonstrates compliance. Answering questions like what data the company has, how it's collected, what exactly is done with it and how long it is kept, will go a long way to assisting GDPR compliance, Tyrrell said.
"If we answer those questions, it will give us a great understanding of our information lifecycle from information collection to destruction," he said. "It will also identify our custodial responsibilities along the way."
2. Think of GDPR enforcement as an investment
Although the deadline was months ago, a general lack of urgency has been holding back U.S. companies' GDPR compliance, said Chris DePippo, vice president of ethics, compliance and government affairs at DXC Technology Co.
Companies that are behind schedule should start considering long-term options that show good faith to improve GDPR compliance readiness. It's also important that companies think of GDPR compliance less as a cost and more as a business investment, DePippo said.
"GDPR compliance obviously will address the regulatory and data management risk," he said, but it also provides an "opportunity for business leaders to seize on privacy compliance and lock down data management as a discriminating business enabler."
To help achieve GDPR compliance, many companies are increasing budgets for privacy tech like data maps. These technologies are helping companies automate processes that are essential for GDPR and other regulatory mandates, said Janalyn Schreiber, a privacy consultant based in Washington, D.C.
"Technology is an opportunity for the organization to establish and manage the repeatable, defensible workflows that we need to have a sustainable compliance program," Schreiber said.
These technologies are helping business demonstrate "privacy by design" as part of IT processes, which is a best practice for GDPR -- and business in general, Schreiber said. It can also help promote data minimization, which she said can go a long way to avoiding GDPR compliance complications and reducing costs.
"If you don't have the data, you can't be at risk from it," she said. "This is going to help overall with IT organization's reign in spending -- data has a tendency to multiply."
3. Utilize a control objective framework
From a security standpoint, there are not many specific requirements under GDPR, but there are certainly elements of cybersecurity best practices in the regulation, said Tim White, director of product management for policy compliance at Qualys Inc. Cybersecurity and data protection strategy will help meet mandates to maintain the privacy of information, to avoid accidental exposure and provide follow-up notifications when an incident does occur.
"You have to look at how to implement a good security program and apply the appropriate technical, compensating and procedural controls to do due diligence to protect the privacy of the information that you hold," White said.
He suggested companies start with a control objective framework or SANS Top 20 to prioritize and implement IT security and process controls that would most benefit GDPR compliance.
"Make sure you have comprehensive coverage of all the aspects of IT security -- vulnerability management, configuration management, patching -- as well as the appropriate detection and preventative controls," he said. "Implementing good security practices is key to being compliant."
4. Revise your contracts with vendors
Vendor risk management is a huge component of GDPR strategy, White added, and, as a result, companies must make sure that their contracts have teeth in them. Compliance may also require revisions to vendor contracts to include adherence to GDPR requirements, including stipulations for periodic audits, configuration statistics and process control evidence.
Expectations about the controls that vendors have in place, and to have them collect evidence of those controls, are critical components of vendor contracts in relation to GDPR, White said. It is vital for companies to follow up regularly and verify that the vendors are indeed implementing those specific controls to maintain GDPR compliance, he added.
"Hold them accountable when they are not," White said. "That end-to-end lifecycle management of vendor risk is really critical to enforcing GDPR -- you are ultimately responsible."