If you’re an EU resident or work for an organization that handles the personal information of European citizens, you may be aware that GDPR, or the General Data Protection Regulation, is looming. The regulation thoroughly explains the level of privacy to meet when implementing new procedures for securely processing data.
However, it does not provide clear guidance for IT departments on how to make their companies’ technology processes more secure. For the third installment of the GDPR blog series, let’s explore what a company’s IT team can do to help ease the GDPR compliance process.
1. Enforce Personal Device Protection
Laptops, smartphones, and tablets are extremely vulnerable when it comes to the loss or theft of personal data. At any given time, a device can house thousands of documents containing personal data that could fall into the wrong hands. Alarmingly, users often neglect the use of authentication passwords, fail to use encrypted data transmission channels, use software unapproved by IT departments, or lack anti-virus software. Failing to do these things makes personal devices even more vulnerable than they inherently are.
IT departments should require that employees' personal devices be protected with encryption and equipped with approved anti-virus software that scans the device regularly.
2. Map Out Your Organization’s Device and Data Flow
In our first two GDPR blog posts, we stressed the importance of having an overview of all the personal data that lives within your organization, including your website. Arguably one of the most important steps, mapping out your organization's data will allow you to identify which areas of your business are at risk of non-compliance. Then, you can make recommendations to organizational management on next steps.
If you have a Data Protection Officer (DPO) or a person responsible for handling your organization’s data, make sure to communicate and coordinate closely with this role as it may be the difference between smooth sailing and big fines.
3. Implement Appropriate Technical and Organizational Measures
With the arrival of GDPR come new obligations for all affected organizations, such as data subject consent, data anonymization, breach notification, and transborder transfers. All will require organizations to undergo major operational reform, in which IT will play an integral role. Because IT is responsible for monitoring and maintaining the security of an organization's domains and IP addresses, it makes sense that GDPR, a privacy and security regulation for customers in the EU, would be so closely tied to these departments.
One of the first steps for IT would be to complete a comprehensive audit of all technical and operational measures in the organization. From there, IT can determine whether everything is operating as it should, as well as identify the risks posed and potential next steps. Also ensure that your anti-malware and anti-virus software are kept up to date; doing so won't by itself guarantee tighter security, but it makes for a good start.
Achieving GDPR compliance on your website is a cross-departmental effort. Ready to get other teams on board? Download the free e-book, GDPR: Working Together for a Compliant Website, for a collection of tips for web, IT, and marketing teams.