GDPR compliance is a bear. Let’s face it. However, like anything else in life, if you whittle it down into more manageable chunks, it doesn’t have to be nearly as daunting.

Cyberstone helps companies with the cybersecurity requirements under Article 32, which include the following. Each Article 32 requirement is listed with the matching Cyberstone service:

  • "ensure a level of security appropriate to the risk": Cybersecurity Risk Assessment
  • "ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services": NIST-Based Cybersecurity Maturity Assessment
  • "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident": Incident Response Plan
  • "regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing": Internal and External Combined Penetration Test; Vulnerability Assessment

Other folks you’ll want to engage include:

  1. Anybody involved in application development.
  2. Anybody involved in information technology.
  3. Legal counsel (especially for the privacy policy component).

So how do you get started? The SANS Institute suggests companies follow the steps below.

  1. Don’t wait. Start now.
  2. Document your review of technology for GDPR compliance and your steps toward achieving compliance.
  3. Institute a constant and ever-improving process of analyzing the risks that apply to the data for which you are responsible.
  4. Adopt a routine for maintaining the considerable documentation expected under the GDPR.
  5. Evaluate and implement the technologies identified in the SANS paper, not only to achieve compliance with the GDPR’s security expectations, but also to prevent a breach from ever happening.
  6. Stay abreast of and implement authoritative global guidelines on information security.
  7. Recruit, train and appoint a qualified data protection officer.
  8. Monitor efforts at an EU level and in member states to prepare for enforcement of the GDPR.
  9. Establish familiarity with the supervising authority or authorities most relevant to your operations. Become familiar with its staff and procedures.
  10. Monitor technical guidance and, possibly, codes of conduct from relevant EU authorities, such as regulators in member states and EU-wide authorities, such as the Article 29 Working Party, which will become known as the European Data Protection Board.