If you are a European Union (EU) based firm or have business interests in the EU, you should be aware of the General Data Privacy Regulation (GDPR) that was approved two years ago.
How do you protect your interests and ensure compliance?
At Hilltop Consultants we support many firms that need to be GDPR compliant. Here are some frequently asked questions, tips and solutions related to GDPR.
We recommend the following steps toward better protection:
- Limit the amount of personal data collected or processed
- Limit the amount of time that personal data is held
- Encrypt all data transmission and storage of data
- Implement Multi-Factor Authentication
- Hide user information
- Do not display or record users’ IP addresses
- Increase your ability to prevent and remediate threats to personal data
- Implement a “need-to-know” basis pertaining to access to personal data
Also critical is designing a solid plan and taking the needed steps to ensure ongoing compliance.
Hilltop Consultants helps firms implement practices toward GDPR Compliance by:
- Implementing a SIEM tool with log management capabilities that adhere to compliance requirements
- Creating an inventory of all critical assets that store or process sensitive data to allow for more stringent controls to be applied
- Performing routine vulnerability scans to identify weaknesses that could be exploited
- Conducting risk assessments and applying threat models relevant to your business
- Regularly testing that the security controls are working as designed
- Ensuring that threat detection controls are in place to identify when a breach has occurred in a timely manner
- Monitoring network and user behavior to identify and investigate security incidents quickly
- Executing a documented and practiced incident response plan
- Implementing a communication plan to notify relevant parties
General Data Privacy Regulation
What is it? An EU regulation with the primary objective of strengthening security and privacy protection for individuals. It applies to all personal data that originated in the EU regardless of where it is processed, stored or transmitted. Any organization that holds personal data originating in the EU in its systems will have to comply with the GDPR.
Who does it pertain to? Those who offer goods or services to EU citizens residing in the EU or monitor the behavior of EU citizens residing in the EU. GDPR places obligations on (1) data controllers, the entities that determine the purposes and means of processing personal data, and (2) data processors, which process the data on behalf of the data controllers.
What is the definition of Personal Data? Personal data is any information that relates to an identifiable individual. There are several ways an individual can be considered “identifiable”, such as physical characteristics or name, physical address, photo, personal or work email address, bank information, medical information, posts on social media, biometric data or IP address.
Keep in mind that all organizations having access to individual data that originated from the EU must maintain a plan to detect breaches, regularly evaluate security practices and document evidence of compliance. This is a major component of the GDPR regulation. There are ways of reducing the risks by taking the steps and actions mentioned above. Although the burden is substantial, mitigation is possible. For more information on how this applies to your firm call or email us!