It has been over two months since the General Data Protection Regulation (GDPR) went into force. There was a lot of attention focused on the May 25th “deadline,” as if it was a finish line, when in fact it is just the start of what should be an effort that has no finish line. The GDPR—and security compliance in general—is like physical fitness. It is an ongoing process, a “lifestyle,” not an event.
Think about that analogy for a minute. Every day there are millions of people around the world who make a decision to lose weight and / or exercise to achieve better health. That’s an awesome goal and those people should be commended. As we all know, though, most of those people won’t have the discipline and commitment to follow through. Just look at the massive influx of new gym memberships at the beginning of the year after everyone makes New Year’s resolutions to get healthy, and how empty those gyms are again by February.
Similarly, there were companies around the world working diligently (or scrambling at the last minute) to prepare for the GDPR by May 25. The problem with compliance in many organizations is that it is treated as a singular event—a moment in time—just to pass an annual audit, which leads to disruptive, expensive fire drills.
Just as with diet and fitness, there are many silver bullet solutions and fads, but achieving the goal comes down to common sense and best practices. You can eat all protein, or no protein, or take this pill, or do that exercise program—and they will all generally work to some extent for some period of time. Lasting results, however, only come from fundamental changes that you can—and are willing to—sustain over time. The same is true for GDPR compliance.
It comes down to three basic steps. Just follow these three steps consistently, and you can achieve and maintain compliance with the GDPR (or health and fitness if you like).
· Set Achievable GDPR Compliance Goals
Set reasonable goals. If you’re 150 pounds heavier than you’d like to be, telling yourself you’re going to lose 150 pounds sounds like a good idea—but that will take a very long time and sometimes the progress will be slow. Don’t set yourself up to be frustrated or disappointed. You’ll just give up. Commit to losing 15 pounds. Then, when you hit that milestone, set a new objective that is within reach.
With compliance, you have to start from where you’re are at and set small objectives that keep you moving in the right direction. You can certainly keep you eye on the ultimate prize—your long-term objective—but you should also break down the steps to get there and take them one at a time. Use the 80 / 20 rule and start with the achievable tasks that will provide the biggest impact.
· Daily Commitment to Your GDPR Compliance Strategy
For long term results, you can’t follow a diet for a few days and then eat whatever you want for a few days, and then do the diet again. You can’t exercise one week, and then get lazy the next week, and then start up again. I take that back. You can do that—and it would probably be better than doing nothing—but it will take you longer to reach your goals, and difficult to maintain results with that strategy.
Compliance is an all day, everyday thing. You must be committed to consistently follow best practices and established policies. It is not enough to be compliant right before an audit and then keep your fingers crossed that it will stay that way, and it doesn’t work if you only focus on doing the things that need to be done once a month, or every other week.
· Monitor and Review Logs and Key Metrics
Are you making progress toward your goal? Once your goal is achieved, are you able to maintain it? How do you know? With diet and fitness, there are simple metrics you can review. You can weigh yourself periodically—daily, weekly, or whatever works for you—and verify that you are moving toward or maintaining your goal. For fitness, you can use measurements like how far you bike or run, or how many laps you swim, or how much weight you can lift, and easily tell if you’re making progress or maintaining your objective.
What about compliance? Compliance works the same way. Are you making progress toward being fully GDPR compliant? Once you’re GDPR compliant, are you effectively maintaining security compliance? How do you know? As the saying goes, “what gets measured, gets done.” You should identify the indicators and metrics that will help you monitor and measure compliance and review them on a regular basis. Logging and reporting are effective tools to help you monitor compliance, identify issues, and implement resolutions and improvements.
If you treat compliance like an event, you missed the point—and there’s a good chance you could find yourself on the wrong end of a fine from the EU. Treat compliance with the GDPR like health and fitness. Follow best practices and do the fundamental, common sense things you need to do to achieve and maintain compliance.
If you are just getting started, or still on your journey to meeting GDPR compliance, check out some of our recent GDPR blogs.
- What GDPR Compliance Means to the IT Security Professional
- What you need to know about GDPR Article 32
- GDPR Q&A with a Cybersecurity Compliance and Privacy Expert
- Use these frameworks to establish GDPR security controls
To learn more about how Alert Logic can help you comply with GDPR compliance or other security compliance requirements like PCI DSS Compliance, HIPAA, SOX or SOC 2, contact one of our cyber security experts who can help you put together a plan that we can help you get up in running in days for a single monthly price.