With the General Data Protection Regulation (GDPR) coming into force in May 2018, many companies are still unaware of it or do not have an action plan. Is this because it is such a daunting prospect that it is scaring organisations into inaction?
In this article we will look at some practical steps you can take to help you move towards compliance.
What is the solution?
Most breaches can be prevented at little cost by configuring the systems you already have correctly and by training your users effectively.
Applying the Pareto (80/20) principle, we believe that following the measures below would remove 80% or more of your GDPR headaches.
Know where your existing personal data is, why you hold it, and whether that reason is still valid.
Look at your existing systems and find out whether their built-in security features are enabled; if they are not, enable them.
Look at the configuration of those systems and discover whether they can be configured to prevent the most common attacks. Patch rapidly and regularly.
Encrypt wherever possible, at rest and in transit. Many systems have this as built-in functionality.
Review who has access to what and whether they still need that access. Remove stale accounts from Active Directory and tighten group memberships and privileged access.
Adhere to the CIS Critical Security Controls (formerly the SANS Top 20). There is really no excuse not to have these areas covered.
Train your staff in the basics of data security awareness and revisit this regularly with everyone.
Get buy-in from senior management to take GDPR compliance seriously: it has the potential to seriously impact the business, and inaction will not be tolerated by the Information Commissioner's Office, so act now.
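The Active Directory clean-up above is the one step on this list that can be scripted end to end. The following is an added example, not code from the original article or from Assuredata: it finds enabled user accounts that have not logged on for a given number of days, writes a report you can show an auditor, and then disables the accounts. It assumes the RSAT ActiveDirectory module, an account with rights to disable users, and a 90-day threshold and report path that are assumptions you should adjust.

```powershell
# Added example (not part of the original article): find and disable stale
# Active Directory user accounts. Assumes the RSAT ActiveDirectory module and
# an account permitted to modify users. The threshold and paths are assumptions.
Import-Module ActiveDirectory

$InactiveDays = 90                                       # assumed threshold
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$ReportPath   = "$env:USERPROFILE\stale-accounts.csv"    # assumed output path

# LastLogonDate is derived from lastLogonTimestamp, which replicates between
# domain controllers with a lag of up to 14 days, so read the result as
# "no logon for at least N days" and keep a margin when choosing the threshold.
$Stale = Get-ADUser -Filter 'Enabled -eq $true' `
           -Properties LastLogonDate, whenCreated, PasswordLastSet, Description |
         Where-Object {
             # Either never logged on but created before the cutoff (so not a
             # freshly provisioned account), or last logged on before the cutoff.
             ($null -eq $_.LastLogonDate -and $_.whenCreated -lt $Cutoff) -or
             ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff)
         }

# Record the evidence before changing anything: this is the list you will be
# asked for if an account on it turns out to have been in use.
$Stale |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, whenCreated, PasswordLastSet |
    Sort-Object LastLogonDate |
    Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($User in $Stale) {
    # Stamp the description so anyone looking at the account later can see
    # why and when it was disabled, then disable it. -WhatIf only reports what
    # would happen; remove it once the report has been sanity-checked.
    $Stamp = "Disabled $(Get-Date -Format yyyy-MM-dd): no logon for $InactiveDays+ days"
    Set-ADUser -Identity $User -Description $Stamp -WhatIf
    Disable-ADAccount -Identity $User -WhatIf
}

Write-Host "Found $(@($Stale).Count) stale enabled accounts; report written to $ReportPath"
```

Run it first with the -WhatIf switches in place and review the CSV: service accounts that authenticate without an interactive logon, accounts used only on a trust or in another domain, and break-glass accounts will all look stale by this measure and need to be excluded explicitly before the switches are removed. Disabling rather than deleting keeps the SID and group memberships intact for a grace period, which makes a mistake reversible.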
About the Author: Jim Sneddon, founder of Assuredata, is a security industry veteran of 17 years with a wealth of experience helping organisations become compliant and secure. He has experience of a wide range of technical and organisational solutions and will always advise on doing more with your existing investments.
Jim is also a Certified Information Systems Security Professional (CISSP) and a Certified EU GDPR Practitioner.