Maintaining GDPR compliance isn’t just about technology; it’s also about defining the right GDPR process for each key competency across your organization and operationalizing it so that it becomes part of your regular, ongoing checks. While much of this work can seem pre-emptive and superfluous, it can save your organization valuable time in an emergency.
Part of this planning, of course, will be your GDPR Impact Assessment. But you’ll also need to develop key processes that protect your hard-earned GDPR compliance, even with the introduction of new applications and projects.
Developing a GDPR Process for Your Company
Automate What You Can
The first rule of efficiency in cost-effective private cloud compliance management is to automate what can be automated, from the processes around identity management to container configuration checks.
Here’s an example: should an individual request that the organization remove their data, having scripts or agents that can scour the cloud for that data and purge it from everywhere it is stored (including authoritative sources, test environments, and backups) will ensure compliance. Be sure to take the process for a spin: in a test environment, mount a workload, test the ability to search for the information to be deleted, and then run the process end to end. You don’t want to wait for a customer removal request to find out whether your process produces the desired result. Test it early and know you are ready.
Such scripts and processes should also be in place for identifying and classifying data so that at any given moment, regulated data on the cloud can be identified and managed as required.
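As an added example (not the article’s or any vendor’s code), here is one way such a removal script can be structured and rehearsed in Python: it locates the subject across every registered store, purges the writable ones, then re-scans independently so the evidence record shows exactly what remains. The store names, record layout and the READ_ONLY set (a constructed write-once archive standing in for a backup a purge cannot touch) are assumptions.

```python
"""Erasure-request runner: locate a data subject in every registered store, purge
what is writable, re-scan so the evidence shows what remains. Stores are stand-ins."""
import copy
import hashlib
from datetime import datetime, timezone

# Constructed sample data: store name -> records keyed by subject id.
STORES = {
    "crm_primary":    [{"subject_id": "u-1001", "email": "a@example.com"},
                       {"subject_id": "u-1002", "email": "b@example.com"}],
    "test_env_copy":  [{"subject_id": "u-1001", "email": "a@example.com"}],
    "backup_2024w12": [{"subject_id": "u-1001", "email": "a@example.com"},
                       {"subject_id": "u-1003", "email": "c@example.com"}],
    "archive_worm":   [{"subject_id": "u-1003", "email": "c@example.com"}],
}
# Hypothetical write-once archive: cannot be purged in place, so it must be flagged.
READ_ONLY = {"archive_worm"}

def find_subject(stores, subject_id):
    """Return {store: hit_count} for every store still holding the subject."""
    hits = {name: sum(1 for r in recs if r.get("subject_id") == subject_id)
            for name, recs in stores.items()}
    return {name: n for name, n in hits.items() if n}

def purge_subject(stores, subject_id):
    """Delete the subject from every writable store in place; return removed counts."""
    removed = {}
    for name, recs in stores.items():
        if name in READ_ONLY:
            continue  # deliberately left for the residual scan to report
        kept = [r for r in recs if r.get("subject_id") != subject_id]
        if len(kept) != len(recs):
            removed[name] = len(recs) - len(kept)
            recs[:] = kept
    return removed

def run_erasure(stores, subject_id):
    """Locate, purge, re-verify; return an evidence record for the audit trail."""
    located = find_subject(stores, subject_id)
    removed = purge_subject(stores, subject_id)
    residual = find_subject(stores, subject_id)  # independent re-scan, not purge()'s own word
    return {
        "subject": hashlib.sha256(subject_id.encode()).hexdigest()[:16],  # pseudonym for logs
        "completed_at": datetime.now(timezone.utc).isoformat(),
        "located": located, "removed": removed, "residual": residual,
        "status": "complete" if not residual else "incomplete",
    }

def rehearse_erasure(stores, subject_id):
    """Dry run on a deep copy: learn whether the process works before a real request."""
    return run_erasure(copy.deepcopy(stores), subject_id)
```

Rehearsing against a copy is what reveals the gap (here the archive that no purge can reach) before a real request arrives, and the residual scan is what turns a "we ran the script" claim into evidence.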
Develop Manual Processes for Everything Else
Certainly, not all processes can be automated. To ensure that each new GDPR process is actually carried out, it may be best to institute checklists and manual checks confirming that required tasks are completed. Remember, security itself is usually not the challenge; the challenge is being able to track and classify data so that the security and compliance policies governing it are consistently enforced throughout the cloud, across all workloads, backups, and connected systems. To ensure continuous compliance, organizations should plan to regularly assess and audit their processes and capabilities.
And as expected, some things will need a mix of automation and manual processes. For example, in the case of a data breach, you’d likely have automated detection and alerting in place, and perhaps even pre-scripted notifications to send to affected data owners. You’ll need additional processes between detection and notification to confirm which data was affected, determine severity, and begin remediation. This is where checklists and risk frameworks can save you a lot of time, if you’ve prepared them in advance.
Microsoft has published a helpful implementation guide that, although targeted at users of its Azure cloud, is useful regardless of your cloud implementation. It advocates a “plan, do, check, act” (PDCA) approach to building agility into your organization, and it’s a great resource if you’re looking for a deep dive on process development.
There’s Still Time for GDPR Process Development
There’s good news and bad news about all of these compliance and security processes. The bad news? Most organizations have immature data management processes, and it’s going to take a significant amount of ongoing work to bring data management to the state GDPR requires. The good news is that once there, the organization will not only be more secure but also more effective and agile with its cloud.