Three Years Later: Tips for Sustaining GDPR Compliance

Since the start of the pandemic, remote working has left many people more dependent on online connectivity than ever before, and this shift has been accompanied by a marked rise in reported cyber breaches.

The European Union (EU) General Data Protection Regulation (GDPR) became enforceable in May 2018. It regulates the processing of personal data belonging to individuals in the EU, regardless of their citizenship, and applies to any organization that processes such data, wherever it is based. As high-profile attacks continue to dominate the headlines, many countries are taking a hard look at their own data privacy legislation, placing greater emphasis on the protection of data and prompting authorities to enforce existing legal frameworks more strictly in the coming months. As the three-year anniversary of the law approaches, it is worth re-examining how organizations can most effectively maintain institution-wide awareness of both the technical and the legal measures required to keep compliance on track.

Achieving Continued Compliance

Minimizing the data collected and stored is key, and the lawful basis for each processing activity must be documented, kept current and held somewhere it can be easily referenced, typically in the organization's record of processing activities. A formal process that regularly reviews what data is being collected, why it is kept and for how long helps determine whether changes are warranted. Organizations should also routinely check their privacy notices to ensure they use up-to-date language on areas such as opt-ins and cookie consent, and should update employee, customer and supplier contracts as needed.

Best Practices for Working with Third-Party Vendors

More organizations are turning to third-party vendors to assist with data management, cybersecurity or backup. As companies bring on new partners, they must ensure those partners are also compliant. Even when a third-party vendor (a processor under the GDPR) handles an organization's data, the organization remains the controller and retains responsibility for how that data is protected. This is why organizations must have a written data processing agreement with each vendor, as Article 28 requires, setting out the vendor's obligations under the GDPR and the security measures it must implement.

Long-term Technology Investments for Continued Data Protection

The GDPR requires organizations to be able to demonstrate compliance, which is why companies need to document their data protection procedures and invest in the right tools to protect employee and consumer privacy. Early reporting is also key to reducing damages and fines: a personal data breach must be notified to the supervisory authority within 72 hours of the organization becoming aware of it, so processes that allow internal or external breaches to be detected and reported quickly are essential.

Employees and consumers trust that the organizations they do business with will protect their sensitive information. However, data stored on commonly used platforms such as Salesforce, Microsoft 365 and Google Workspace is exposed to data loss caused by malicious threat actors using malware or ransomware, as well as by human error and sync issues. This is why Article 32 of the GDPR requires organizations to be able to restore the availability of and access to personal data in a timely manner after a physical or technical incident. Companies should consider a SaaS backup solution to reduce the risk of data loss, support business continuity and help meet this requirement. Such a solution should provide automated, cloud-to-cloud, fully encrypted backups held on securely managed infrastructure, with point-in-time recovery.

Today's digitally savvy users expect respect and transparency from the organizations they choose to support. With data privacy continuing to grow in prominence, adhering to the standards of the GDPR can help companies build trust and may even strengthen their relationships with employees and the broader community.
