The GDPR is big news. There seems to be an endless stream of organisations coming to market with silver bullets or magical applications that will “take away all of your pain and GDPR requirements”, but the reality is that these solutions can only support your compliance; they cannot deliver it for you. The idea behind the GDPR is to set a common, practical standard for data protection, but it does not say how you should meet it…
There is no mention of firewalls, Data Loss Prevention (DLP) solutions or File Integrity Monitoring, because the GDPR applies to every organisation processing personal data (the Regulation’s own term, which is broader than “personally identifiable information”); from banks to managed service providers, to local councils and corner shops. Controls like those above will not be appropriate or proportionate for all of those organisations. What Falanx recommends is a pragmatic, common-sense approach to compliance.
It is imperative that organisations understand what information they hold and can justify holding it. Once an organisation has been through this process it is in a much better position: it can remove unneeded information (from PCs, laptops, email and so on) and understands exactly what information it needs to protect. How can an organisation justify that it has protected its data if it does not know where that data is?
The GDPR states that all processing must be lawful – and this does not only mean consent! Article 6 of the Regulation sets out six lawful bases, of which consent is just one; the others are performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests. Organisations should record a lawful basis for every processing activity involving personal data, not simply for the data itself.
Once you know what information you have, you need to protect it through privacy by design (what the Regulation calls data protection by design and by default) and privacy impact assessments (data protection impact assessments, or DPIAs, in the Regulation’s terms). It is important that organisations can evidence that they have actively understood the risks associated with their data processing activities and have implemented controls or solutions that reduce those risks to an acceptable level.