Achieving GDPR compliance can take anywhere from a few months to a year, and a significant amount of effort spiked with challenges. Getting management to understand the impact of the regulation, comprehending the guidelines in the mandate, and coping with a lack of resources, budget and support are all important stages to cross.
With the May 2018 deadline fast approaching, you can still look at options to simplify your compliance efforts. Moving to the cloud is one of them. Let’s see how.
There is no one-size-fits-all solution, but you can choose from solutions that meet the prescribed GDPR requirements. Organizations compliant with existing IT standards like ISO 27001 are already on the path to compliance, but clauses covering protection, review and reporting of personal data, as well as changes in storage and user rights, still need to be addressed.
Challenges in meeting GDPR
- The basic requirement of the GDPR, as derived from the principles in Article 5 and Article 30, is to first identify and map personal data in the organization. Assess what personal data is collected, the purpose it was collected for, where it is stored, its retention periods, whether it is shared, how it is protected and so on. Knowing what data exists and where helps you effectively apply compliance requirements under the GDPR. However, given the complexity of today’s software ecosystem, this is a rather large task to execute.
- Once personal data is identified, ensure appropriate technological measures to secure it (Article 32). Sensitive data stored and processed should ideally be encrypted, and strong authentication mechanisms and access restrictions applied to protect it from unauthorized access. These measures may seem intricate to implement, but they are nevertheless critical for mitigation and recovery preparedness if your data is exposed to loss.
- The GDPR further fortifies data protection by restricting transfer of personal data to organizations that comply with all conditions specified in the regulation (Article 44). Taking this into consideration, checks need to be made on the physical location of your data. Whether in the cloud or on-premise, identifying, monitoring and controlling where your data resides is mandatory from a GDPR perspective.
- GDPR Articles 12 through 23 cover the rights of the data subject. Provisions need to be made to respond to data subjects’ requests, including rectification, deletion and stoppage of use of their data. Ensure that changes resulting from these requests are reflected in all data touchpoints. Being on the cloud could make this simpler and easier.
- The GDPR not only requires you to comply, but also to document proof of compliance (Article 30). Other actions to demonstrate compliance involve having proper governing structures, information notices, Data Protection Impact Assessments (DPIA), maintaining audit trails, introducing breach reporting mechanisms and more.
Getting people, processes and technology to meet compliance is a task large enough, and on top of this comes dealing with the operational overheads imposed by the regulation. Access to correct information and guidance for compliance efforts has also been a challenge for companies looking to address their security concerns.
To reduce the risk of non-compliance you can look at various technology options to meet the recommended guidelines. Compliant cloud solutions are definitely an option, considering the agility, efficiency and scalability of the solutions offered. Introduce infrastructure and service automation to increase productivity and reduce operational overheads. In short, it’s time to take advantage of securely governed infrastructure and services.
For more on how the cloud helps meet your GDPR obligations, read: 3 Ways Cloud Simplifies Your GDPR Compliance.
Disclaimer: This article is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and/or your organisation. We encourage you to obtain independent professional advice before taking or refraining from any action on the basis of the information provided here.