Achieving GDPR compliance can take anywhere between a few months and a year, and requires significant effort. Hurdles such as a lack of resources, getting management to understand the impact of the regulation, and comprehending the guidelines in the mandate all have to be crossed before you can achieve compliance.
With the deadline of May 2018 fast approaching, you can still look at options to simplify your compliance efforts. Moving to cloud is one of them.
There is no one-size-fits-all solution, but you can choose from solutions that meet prescribed GDPR requirements. Organizations compliant with existing IT standards like ISO 27001 are already on the path to compliance. But clauses like protection, review, reporting of personal data, and changes in storage and user rights still need to be addressed.
Challenges in meeting GDPR
- The basic requirement of the GDPR, as derived from the principles in Article 5 and Article 30, is to first identify and map personal data in the organization. Assess what personal data is collected, the purpose it was collected for, where it is stored, retention periods, whether it is shared, how it is protected and so on. Knowing what data exists and where helps you effectively apply compliance requirements under the GDPR. However, given the complexity of today’s software ecosystem, this is a rather large task to execute.
- Once personal data is identified, ensure appropriate technological measures to secure it (Article 32). Sensitive data stored and processed should ideally be encrypted, with strong authentication mechanisms and access restrictions applied for protection. These measures may seem intricate to implement, but they are critical for mitigation and recovery if your data is exposed or lost.
- The GDPR further fortifies data protection by restricting transfer of personal data to organizations complying with all conditions specified in the regulation (Article 44). Taking this into consideration, checks need to be made on the physical location of your data. Whether cloud or on-premise, identifying, monitoring, and controlling where your data resides is mandatory from a GDPR perspective.
- GDPR Articles 12 through 23 cover the rights of the data subject. Provisions need to be made to respond to the data subject’s requests, including rectification, deletion and stopping use of their data, and to ensure that changes resulting from these requests are reflected in all data touchpoints. Being on the cloud could make this simpler and easier.
- The GDPR not only requires you to comply, but also to document proof of compliance (Article 30). Other actions to demonstrate compliance involve having proper governing structures, information notices, Data Protection Impact Assessments (DPIA), maintaining audit trails, introducing breach reporting mechanisms and more.
Getting people, processes and technology to meet compliance is a mammoth task, with the additional responsibility of dealing with operational overheads imposed by the regulation. Access to correct information and guidance for compliance efforts has also been a challenge for companies looking to address their security concerns.
To reduce the risk of non-compliance, you can look at various technology options to meet the recommended guidelines. Compliant cloud solutions are definitely an option, considering the agility, efficiency and scalability of the solutions offered. Introduce infrastructure and service automation to increase productivity and reduce operational overheads. In short, it’s time you took advantage of securely governed infrastructure and services.
For more on how cloud can help meet your GDPR obligations, read: 3 Ways Cloud Simplifies Your GDPR Compliance.
Disclaimer: This article is provided for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and/or your organisation. We encourage you to obtain independent professional advice before taking or refraining from any action on the basis of the information provided here.