Starting with the impact of the General Data Protection Regulation (GDPR) on US-based businesses: GDPR applies to any organization that processes the personal data of people in the EU, regardless of where the organization itself is located. Organizations that are already PCI DSS compliant have a head start on the technical controls (access control, encryption, logging, vulnerability management), but PCI DSS covers cardholder data only, while GDPR covers personal data in general and adds obligations that PCI DSS does not address, such as lawful basis for processing, data subject rights and breach notification. It is therefore better to get an expert opinion rather than assume existing compliance carries over. Overall, GDPR revolves around managing compliance risk, protecting personal data and streamlining enterprise processes, and Identity and Access Management (IAM) capabilities play a major role in several key aspects of compliance.
With digitization touching every part of the business, the regulatory environment around IT practices, consumer data privacy and business practices is demanding strict compliance. The GDPR, the European privacy regulation, applies from 25 May 2018, and many questions about compliance are still circulating, with plenty of confusion and lack of clarity. Even organizations that are already largely compliant with GDPR's requirements are advised to take a fresh account of their processes for data management, access and data usage.
IAM capabilities play a major role in creating compliant processes: they determine who can reach personal data, under what conditions, and whether that access can be demonstrated and audited afterwards. The GDPR deadline is an opportunity for businesses to make sure their processes follow a principled approach to privacy, security, compliance and transparency.
Some key questions to answer at this point are:
- Are the processes for securing personal data, including the special categories of sensitive data that GDPR singles out, compliant with GDPR requirements?
- What are the processes around data collection and data processing, and which technologies support them?
- Do you have a clear understanding of how access control and encryption are defined for data at rest and data in transit?
IT managers are often unsure which data security standards their own department actually applies, because nothing is documented. Bringing in an expert for a detailed discussion of the GDPR compliance initiatives already undertaken in your organization is a good starting point, and an assessment of the complete set of IT processes is the first and most important step towards taking control of data security measures. I would urge you to look at GDPR as a core enabler that prepares your business for future digitization challenges. GDPR is often mistaken for a purely IT issue, but its broad-sweeping implications extend to the strategic business insights gathered for marketing and sales and to executive-level decision making based on big data; those uses of personal data need to be examined as well.
Even if you believe your organization's processes are watertight, assessing them against the requirements of GDPR compliance can only help. Some key points that such an assessment must cover are:
- A complete inventory of the enterprise applications that store, process or transmit personal data; this is also the basis for the records of processing activities that GDPR requires.
- Visibility of devices, users and applications, whether on premises, in the cloud or on mobile.
- Flagging of devices or access paths that lack appropriate security controls.
With stricter requirements around data privacy, governance, data mapping and data protection impact assessments, many organizations are contemplating appointing a data protection officer responsible for GDPR compliance; for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, appointing one is mandatory. GDPR also introduces a data breach notification requirement: the relevant European supervisory authority must be notified of a personal data breach within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Furthermore, when the breach is likely to result in a high risk to affected individuals, they must be notified without undue delay.