As you may know, the EU's General Data Protection Regulation (GDPR) will be in full effect on May 25, 2018. As we discussed in a previous article, the aims of this regulation are to protect the fundamental rights and freedoms of natural persons, to ensure their right to the protection of personal data, and to guarantee the free movement of that data.
The date may seem far away, but it leaves just enough time for your organization to make the necessary changes to its IT framework to comply. Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements. To avoid hefty fines and a tarnished reputation, organizations should prepare for the regulation now.
GDPR CHANGES FOR IT AND CLOUD SERVICES:
- The GDPR gives individuals rights to a copy of their personal data, an explanation of the categories of data being processed (e.g., location data, browsing history, demographic data, voice data), the purpose of the data processing, and to name any third parties that might receive that data.
- Individuals will have the right to erase personal data that is no longer relevant to the reason it was collected. For enterprises, this means data needs to be removed from all databases, including backups, archives and anywhere else that it is stored.
- Individuals have the right to rectify their personal data - and these changes must be reflected in all databases.
- Individuals have more say in the processing of their data. They may require that irrelevant data is deleted, and relevant data is simply stored and not processed.
- Individuals have the right to a copy of their data.
- Organizations now have to ensure:
  - Sensitive personal data is encrypted/pseudonymised
  - Processing systems and services maintain data confidentiality, integrity, and availability
  - Deleted or lost personal data can be restored in a timely manner in the event of a physical or technical incident
  - Security measures are routinely tested for effectiveness
  - Breach detection and prevention tools are in place
- Individuals have the right to be immediately notified when a breach has taken place.
HOW TO PREPARE YOUR CLOUD APPLICATIONS FOR GDPR:
According to the Netskope Cloud Report, the average European enterprise uses 608 cloud apps. Going forward, it will be imperative to know which apps meet GDPR security standards and to take measures to exclude the applications that do not. GDPR requirements include stricter data access and deletion rules, risk assessment procedures, and the right of individuals to alter their data.
An Enterprise Architecture Management tool such as LeanIX will help you uncover vulnerabilities and systematically follow up on their correction. Visualization tools such as the LeanIX Heat Map can provide information on business-critical consequences for your company in the event of an application failure or hacking attack.
DEMONSTRATE GDPR COMPLIANCE WITH AN ENTERPRISE ARCHITECTURE MANAGEMENT TOOL:
After the GDPR is in place, it will be imperative to show how you process personal data, how you handle risks and what measures for damage limitation you have implemented. The latter is especially relevant when you conduct a Data Protection Impact Assessment (DPIA), which the GDPR requires for every implementation of a new system that uses personal data. The LeanIX Inventory View function demonstrates your GDPR compliance by providing a quick and clear overview, in table form, of all applications, interfaces, data objects and technologies in your IT landscape.
As you can see, compliance with the GDPR will take considerable time and expertise and will require many changes in the IT landscape. Is your company ready for these changes? Learn how to Master the GDPR with Enterprise Architecture.