Since May 25, 2018, businesses that have customers, suppliers, or employees in the European Union have been subject to the General Data Protection Regulation (GDPR).
If you’re a U.S.-based company, this law lays out rules for how you handle and protect personal data that are likely more strict and far-reaching than anything you’ve dealt with domestically.
For network managers, there are a lot of moving pieces involved in making sure you’re compliant with GDPR. Penalties for noncompliance can be very steep: the regulation allows fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. Of course, the consequences to your business of a data breach or poor handling of customer data are probably already on your mind, so ideally not all of the tasks necessary to achieve compliance will be brand new.
If you’re still determining what network changes will be necessary to ensure GDPR compliance now and in the future, here are some top considerations for your planning and implementation:
Accountability: Designate a leader with network security and data protection experience who is principally accountable for ensuring compliance. This may or may not be your formally designated data protection officer (DPO), a role GDPR requires only for certain organizations, such as public bodies and those that process sensitive data or monitor individuals at large scale. Either way, that person won’t be doing it all alone, but clear accountability will help keep details from slipping through the cracks.
This person’s responsibilities may include:
- Determining whether any part of your organization processes the personal data of people in the EU (for example, by offering them goods or services or monitoring their behavior), which is what subjects your business to the law
- Mapping out your network and documenting where personal data is collected, stored, and transmitted, and recording data-handling or security issues as they’re identified and resolved
- Auditing and working with a compliance officer / legal professional to ensure that internal and external policies, as well as vendor agreements, will meet GDPR requirements
- Overseeing the implementation of security measures and ongoing updates to the network as it grows and changes
This is an area where hiring outside help may be the way to go – particularly if you don’t feel confident that you have the existing capacity or expertise on your staff, or if hiring a new employee will take too long.
Collaboration: GDPR compliance will require the effort of multiple departments. Your network security team will have a lot of responsibility for ensuring network visibility and data security, but other departments will need to be informed about the law and probably have responsibilities of their own.
From IT to sales and marketing, anyone who has responsibility for collecting or handling personal data will need to understand the law and how they can support the full compliance program.
Visibility: For the network manager, GDPR is all about network visibility. Before you can decide which processes or technologies need to change, you need to know where your operations are, what data needs to be protected, how that data is presently handled, and what security risks currently exist.
Start by establishing good network visibility so you can have a clear map of your network as well as what measures need to be taken to shore up any issues.
Automation: Unless your network is extremely small and not growing at all, you’ll probably need the help of automation. Now is a good time to look at what processes in your network management are still being done manually that could be automated.
Network mapping and documentation, vulnerability risk management, reporting, monitoring, and other security processes should all be assessed.
Documentation: If called upon to prove compliance with GDPR, you’ll need accurate and ongoing documentation; the regulation itself requires most controllers and processors to keep records of their processing activities. Keeping accurate records of your network map as well as your security and compliance measures will serve you operationally, too.
Reporting: If a data breach compromises the confidentiality, integrity, or availability of personal data subject to GDPR, it must be reported to the relevant supervisory authority within 72 hours of your becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned. Where the breach is likely to result in a high risk to those individuals, they must be notified as well, without undue delay. Because the clock starts when you become aware of the breach, the monitoring, logging, and incident response processes that let you detect and scope a breach quickly are part of meeting this obligation.
Ongoing maintenance: Compliance isn’t a one-and-done project. By establishing good documentation, automation, accountability, and repeatable processes as early as possible, you’ll make it easier to maintain data security as your network grows and evolves.