05 Feb Where do we start in terms of preparing for GDPR?
Once the new landscape and its associated challenges are understood, it’s time to get down to business. Whether you review the entire on-premise installation or continue to rely on it, improving its security may mean incorporating new elements and new associated costs, or at least updating devices or software, without that option ever being able to assure you that everything is always up to date.
Is it perhaps time to go for cloud subscription models, which guarantee better security, full flexibility, scalability and continual technological updates? On our part, as manufacturers of business solutions and cloud services, we have spent years firmly committed to our customers’ security. It suffices to point out that in April 2016 we were the first large local supplier to obtain the High Level certificate under the National Security Framework, and that our commitment to the LOPD extends to the customers who have counted on our technology, advice and support for years.
What we propose to our customers is a transition to hybrid environments supported by an administration based on the cloud, at the speed specified by each organisation and keeping control through a unified administration console.
The final aim is to have mechanisms in place to prevent the loss of data: establishing access controls to corporate resources (applying the new multi-factor techniques, for example), keeping mobile devices under control, and having technologies available that help ensure the regulatory compliance that applies to each organisation’s size or activity sector.
In general, in terms of the actions to take in order to comply with GDPR, we recommend that both our partners and our customers approach the regulation by focusing on a general set of key controls and capabilities. These can be summarised in four vital areas: Detect, Manage, Protect and Inform.
- Detect, identifying which personal data you have and where it is stored. Don’t just consider traditional databases; also consider structured or unstructured information held in other resources which may serve to identify people directly or indirectly.
- Manage, focusing on how you use and access personal data. Once the inventory of data has been completed, it is also important to develop and implement a data governance plan. This can help you to define policies, roles and responsibilities for access, administration and the use of personal data, and guarantee that the data handling practices comply with GDPR.
- Protect, establishing security controls to prevent, detect and respond to vulnerabilities and data breaches. The application of the new regulation can be the trigger for creating plans to manage risks and adopting risk mitigation measures. We are talking about extending (or confirming) the use of password protection, applying encryption, activating audit records… everything that can help us to guarantee compliance.
- Inform, keeping the required documentation, managing data requests and notifications of non-compliance efficiently. GDPR establishes new standards of transparency, accountability and record keeping. You will have to be more transparent in the way in which personal data is handled, as well as how you actively keep the documentation that defines your processes and the use of personal data.
With these phases set out, we invite you to lean on our experience and make the most of our resources in preparation for GDPR, not forgetting that, as the digital transformation of businesses continues, information has become one of the main assets of our organisations.