GDPR: 4 tips for preparation
It is coming up fast: as you know, the new EU General Data Protection Regulation, the GDPR, comes into force on May 25, 2018. This means that companies do not have much time left to adapt their policies, processes and systems to the new rules.
With the following four concrete tips from Micro Focus, companies can prepare well for the European Union's General Data Protection Regulation (GDPR):
- Get an overview
The GDPR is complex: unlike the German Federal Data Protection Act, it no longer merely provides a guideline but introduces binding law with far-reaching consequences. For example, from May 2018 a violation of the GDPR will result in a fine under criminal law. This also applies to companies that have no location in the EU but operate there: penalties of up to four percent of global annual turnover may be imposed. So there is an urgent need for companies to act. A first step in the right direction is certification against the international standard ISO/IEC 27001; to achieve this, it is worthwhile to introduce an information security management system (ISMS). For small and medium-sized companies, however, this is usually unnecessarily costly. And beware: even ISO certification does not automatically mean compliance with the GDPR! So the first priority for every company should be to check which data security measures make sense for its own situation.
- Structure data
The GDPR gives every person the right to have their data deleted, and a company must of course comply with such a request. The definition of personal data is very broad: IP addresses, user IDs and cookies are also covered. To honour a deletion request, however, a company first needs an overview of where personal data is processed and stored. That this task is not trivial quickly becomes clear when one considers how widely data is spread across a company via e-mail and stored on local data carriers. Those who master the analysis, classification and management of their data have a solid foundation for the GDPR.
- Control user and access rights
In the context of the GDPR, authorizations that grant access to personal data in particular must be reviewed regularly. The employment of temporary staff such as interns, apprentices or trainees, but also changes of department, can easily lead to authorizations that are inadmissible under the GDPR. As a matter of principle, and irrespective of the GDPR, companies should subject all authorizations to regular review. To keep the effort within limits, the frequency of the review should depend on the criticality of the authorization: critical authorizations should be reviewed at least every three months, while an annual review may be sufficient for less critical ones. In addition, event-based checks of authorizations should be carried out case by case, for example when an employee changes department or leaves the company.
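As an added illustration of the review cadence described above (not part of the original article or any Micro Focus product), the following script flags authorizations that are due for review either because their criticality-based interval has elapsed or because an HR event such as a department change or departure occurred after the last review. The data model, the 90/365-day intervals and the sample records are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Review interval by criticality, following the cadence in the text:
# critical authorizations at least every three months, others annually.
# These thresholds are this example's assumption, not a GDPR requirement.
REVIEW_INTERVAL = {"critical": timedelta(days=90), "normal": timedelta(days=365)}

# Events that should trigger an out-of-cycle review of a user's authorizations.
TRIGGER_EVENTS = {"department_change", "departure"}


@dataclass(frozen=True)
class Authorization:
    auth_id: str
    user: str
    resource: str          # e.g. a database holding personal data
    criticality: str       # "critical" or "normal"
    last_reviewed: date


@dataclass(frozen=True)
class HrEvent:
    user: str
    kind: str              # "department_change" or "departure"
    when: date


def review_findings(auths, events, today):
    """Return {auth_id: reason} for every authorization that needs review now.

    Periodic findings take precedence; otherwise any trigger event for the
    same user that happened after the last review makes the authorization due.
    """
    findings = {}
    for a in auths:
        age = today - a.last_reviewed
        if age >= REVIEW_INTERVAL[a.criticality]:
            findings[a.auth_id] = (
                f"periodic: {a.criticality} authorization not reviewed for {age.days} days"
            )
            continue
        for e in events:
            if e.user == a.user and e.kind in TRIGGER_EVENTS and e.when > a.last_reviewed:
                findings[a.auth_id] = f"event: {e.kind} on {e.when.isoformat()} after last review"
                break
    return findings


def run_sample():
    """Constructed sample data; returns the findings for 2018-05-01."""
    today = date(2018, 5, 1)
    auths = [
        Authorization("A1", "alice", "hr_db", "critical", date(2018, 1, 10)),   # 111 days old
        Authorization("A2", "bob", "crm", "normal", date(2017, 8, 1)),          # 273 days, but event
        Authorization("A3", "carol", "fileshare", "normal", date(2018, 2, 1)),  # 89 days, no event
        Authorization("A4", "dave", "hr_db", "critical", date(2018, 3, 1)),     # 61 days, but departed
        Authorization("A5", "erin", "ticketing", "normal", date(2017, 4, 1)),   # 395 days old
    ]
    events = [
        HrEvent("bob", "department_change", date(2018, 3, 15)),
        HrEvent("dave", "departure", date(2018, 4, 20)),
        HrEvent("carol", "training_completed", date(2018, 4, 2)),  # not a trigger event
    ]
    return review_findings(auths, events, today)


if __name__ == "__main__":
    for auth_id, reason in sorted(run_sample().items()):
        print(f"{auth_id}: {reason}")
```

Running the script lists A1 and A5 as overdue periodic reviews and A2 and A4 as event-triggered ones, while A3 is within its interval and untouched by a trigger event. In practice the authorization list would come from an identity management export and the events from the HR system; the point of the example is that both sources are needed to implement the cadence the text describes.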
- Get insight
Continuous monitoring of access to specific data in particular helps to identify data protection breaches at an early stage. According to the GDPR, an attack must be reported to the supervisory authority within just 72 hours. To achieve this, however, a comprehensive overview of the process and system landscape is required. If processes are outsourced to external companies or to a cloud, it can take time before an attack becomes known. Technical tools such as SIEM solutions analyze the systems almost in real time: a SIEM program centralizes the evaluation and storage of event logs so that they can be sifted through very promptly. An alternative is a somewhat simpler change monitoring solution. Although it does not enable analysis of complex processes, it already shortens response times to security incidents significantly.
Conclusion: Create transparency
In addition to data protection, the GDPR places one thing above all else: transparency. Companies must clearly and transparently state how they use personal data. This must be made traceable: who has seen the information, and who has used it for what? How are cross-border data transfers handled? Is there already a data protection officer in the company who takes care of the new requirements in a coordinated way? Even if personal data is stored on behalf of other organizations, the new regulations must be complied with. There is a lot to consider.
Text: Christoph Stoica, Regional General Manager at Micro Focus