As you may know, GDPR is a new set of rules — 99 in all — aimed at protecting the privacy and security of EU citizens online. These rules are now approved and scheduled to go into effect on May 25, 2018.
All organizations based in Europe are affected. But even if your organization isn’t based in Europe, it could still be affected by GDPR if it does any of the following:
- Offers goods and services, including those that are free, to EU citizens.
- Monitors the online behavior of EU citizens.
- Holds and processes personal data on EU citizens.
Tough requirements — and heavy fines
Assuming GDPR affects your organization, here’s some of what you’ll need to do to comply:
- Notify the public of any data breach at your organization within 72 hours of discovery.
- Prove your GDPR compliance by providing documentation, impact assessments and data-protection designs.
- Hire or contract a data protection officer (DPO) as part of your organization’s accountability program.
- Allow EU citizens to easily withdraw their consent from letting your organization process their personal data — and be able to prove it.
- Inform all EU data subjects on the risks of transferring their data before you move it anywhere outside the EU.
What’s the cost of non-compliance? You could be fined by the EU. The fines, set on a tiered structure, run as high as 4% of your organization’s annual revenue or €20 million, whichever is higher.
First steps to accelerated compliance
You can accelerate your GDPR compliance by first assessing your organization’s readiness and understanding your exposure. That includes discovering and assessing all personal data in your organization that’s subject to GDPR.
To help, DXC offers its Cyber Reference Architecture (CRA), a highly structured framework of nearly 350 discrete security capabilities. We use the CRA to address complex security transformation requirements. It’s vendor-agnostic, granular and versatile enough to enable speed and agility.
DXC has also used the CRA to develop a specific set of “security blueprints.” These are plans that accelerate the development of security transformation programs.
To develop these GDPR blueprints, we examined all 99 articles of the regulation. Then we selected the required capabilities from the CRA to produce a reference model solution.
To start, think of the end
To accelerate your GDPR compliance, it’s vital that you begin with the end in mind — that is, full compliance achieved before the EU’s deadline. Most traditional assessments don’t do that. Instead, they merely assess your ability to comply. They can also take months just to create a plan.
By contrast, DXC GDPR Services offer you a powerful combination of legal and business advisory, active data management and data protection solutions.
The DXC Cyber Maturity Review for GDPR assesses your ability to perform the capabilities as specified in DXC’s GDPR blueprint. This eliminates the lengthy “analysis phase,” and it also leverages your existing capabilities wherever possible. This both shortens the time you’ll need to become GDPR-ready and lowers your cost.
May 2018 is just around the corner. The time to accelerate your GDPR readiness is now.
To learn how DXC can accelerate your GDPR readiness, visit us today at: dxc.com/gdpr
Author: Ed Reynolds
Ed Reynolds is project management lead for data protection and privacy in security advisory services at DXC. He was previously a cloud security strategist at HPE Enterprise Security Services, where he focused on securing hybrid clouds for enterprise use. Before that, Ed worked at EDS, where his clients included NASA, 7-Eleven and Westinghouse.