Save Effort on GDPR Compliance Audits

The General Data Protection Regulation (GDPR) compliance, which comes into force on May 25, 2018, seeks to provide unified and clear rules on stronger data protection that are fit for the digital age, give individuals more control over their personal information processed by companies, and standardize data privacy laws across the EU. Any organization that processes the personal data of any EU residents — even if it is located outside of the EU — is subject to GDPR compliance audits. Conducting regular data protection audits internally is essential to achieving compliance with GDPR.

What are the key GDPR audit requirements you need to comply with?

GDPR and ISO 27001 are two significant compliance standards that aim to strengthen data security and mitigate the risk of data breaches. No wonder people ask whether it is enough to be certified to ISO 27001 to become fully compliant with GDPR. However, complying with the GDPR is no easy task and even ISO-compliant companies cannot feel confident now. If an organization fails to comply with the GDPR, it can be slapped with huge fines (up to €20 million or 4% of annual worldwide turnover) and suffer damage to its corporate reputation, as well as face class-action lawsuits from users and the risk of losing customers. So, here are the main GDPR requirements and the initial steps to take to comply with them:

  • Privacy by design — Implement appropriate technical and organizational measures for ensuring that sensitive data is processed properly and is accessible by only the appropriate people. Be aware of where GDPR-regulated data resides in your network, keep an eye on users who have access to that information and spot critical events around that data.  
  • Accountability — Collect, process and store personal data based on the data protection compliance principles. A good first step toward ensuring and demonstrating compliance with the GDPR data management and protection requirements is to restrict access to data based on the principle of least privilege and be ready to demonstrate to auditors that you rigorously adhere to that principle.
  • Extended rights of data subjects — Provide data subjects with information about whether, where and for what purpose their sensitive personal data is being used. Ensure your business can find, delete, rectify or provide a copy of any user’s personal data upon their request.
  • 72-hour data breach notification — If you discover a data breach, notify the supervisory authority within 72 hours, providing details such as how the data breach occurred, what measures were taken to mitigate the risks, and the type and number of files that were affected.
  • Data Protection Officer appointment — Appoint a DPO who will be responsible for ensuring that your organization’s data protection policies and processes adhere to GDPR requirements. The DPO must keep records of all processing operations involving sensitive data, suggest ways to improve data governance and systematically assess data security risks.

What types of sensitive personal data does the GDPR regulate?

Prior to undertaking a data protection audit to comply with GDPR requirements, it is necessary to identify all data you store that is considered sensitive by GDPR standards. Any information relating to a data object is classified as personal data and is therefore protected by the GDPR. It is often helpful to divide GDPR-related information into categories like these:

  • Biographical information: SSN, date of birth and email addresses
  • Medical history: Sick leave data and genetic information
  • Workplace and education records: Salary, tax information, and employee or student numbers
  • Online identifiers: Cookies that contain PII or IP addresses
  • Other personal data: Religion and geo-tracking data

Use these categories to perform a thorough analysis of the data in your systems, so you can prioritize protection of all data that the GDPR considers "personal data".

How can you spend less time and effort on GDPR compliance audits?

It is hard for organizations to handle this volume of GDPR data on their own, so consider investing in an auditing solution that will help you find and properly secure GDPR-related content. The monitoring software from Netwrix dramatically simplifies GDPR compliance. For example, instead of painstakingly searching through each of your file shares for the personal data of an EU citizen to comply with the right to be forgotten, you can simply enter any identifying information about the individual in the search engine and get complete and accurate results in seconds.

You can also quickly provide evidence that only eligible employees can read, modify, or delete GDPR files, and ensure that no malicious activity is going on around GDPR data. In case of a data breach, the Netwrix Auditor platform will send an alert with details about the incident, so you can pass this information on to the supervisory authority in a timely manner, as well as investigate the breach further. Moreover, Netwrix Auditor can help you prevent such incidents and strengthen security controls across your IT infrastructure by enabling you to perform constant auditing and uncover security weaknesses before they lead to a breach.

Netwrix Auditor report: Sensitive Files Count by Source. Shows the number of files that contain specific categories of sensitive data.