July 19, 2016

General Data Protection Regulation survival guide: four practical questions to ask yourself

Markus Melin

Head of Tieto Security Services, Tieto

EU’s General Data Protection Regulation has a wide scope, but there’s no need to panic or feel overwhelmed. Work your way through the following practical questions, and complying with the requirements of the new legislation becomes much easier.

As noted in a previous post, the European Union’s new privacy legislation, the General Data Protection Regulation (GDPR), is here and requires every company and organization operating in the European Union to comply.

GDPR’s scope is wide, so this may feel like an overwhelming task, but don’t panic just yet. When eating an elephant, take one bite at a time. Here are four questions every organization affected by the GDPR must ask itself. Once you have outlined answers to these, it all feels much more manageable.

What data is covered by GDPR?

The new regulation is about personal data. The European Commission defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

As you can see, the definition and the scope of applicable data are broad. So the first thing to do is to map what personal data you hold, not only about customers but about all stakeholders, and what personal data is likely to be collected or generated in the future.

Where is that data?

The next step is to locate the data. Don’t skip any possible locations. Cloud storage, mobile devices, backups, caches and so on probably add up to a complex system. The key thing is to understand where data is stored and accessed on a daily basis.

Pay special attention to unofficial, temporary, unsupported or outright forbidden locations, such as attachments in employees’ personal email or memory sticks. Just because data is not supposed to be stored in some way doesn’t mean instructions are always followed. Remember the human factor!

How to protect the data?

When you have answers to what and where, you’ve already come a long way. The next step is to ensure that all data covered by GDPR is adequately protected and that all systems and processes are up to date.

It is a relief to know, however, that GDPR doesn’t expect 100% bullet-proof protection – that would be impossible, because breaches and accidents may happen. What GDPR does expect is that the organization can demonstrate a genuine and sufficient attempt to comply with the protection requirements.

How to react quickly enough?

Visibility and real-time or near-real-time situational awareness are key to cyber security in general and to coping with GDPR in particular. That’s because GDPR is not only about keeping personal data protected from unauthorized use; it also gives data subjects extensive rights to learn what data is stored about them and to influence how it’s used in the organization. Moreover, GDPR requires that when such requests are received, the reaction must be swift.

Thus, occasional audits are not enough. You must have a continuous bird’s-eye view of what’s going on. You can read more about cyber security visibility in our earlier post.

In future posts, we’ll dig deeper into the GDPR theme and discuss processes and the human factor. Stay tuned!
