On May 25, 2018, enforcement of the European Union (EU) General Data Protection Regulation (GDPR) will go into effect. In response to the new data protection challenges that have emerged in recent decades, the GDPR has a number of key data security objectives, including reinforcing the concept of data privacy as a fundamental right, clarifying organizations’ responsibilities for EU data protection and defining a baseline for the protection of any personal data of individuals in the EU. Understanding what these security objectives mean for you is key to GDPR compliance. The GDPR data security requirements can be classified into three broad categories:
  • Assessment
  • Prevention
  • Monitoring/Detection
We’ll go into more detail about what each of these responsibilities entail below.

Assessment of Data Security Risks

Organizations are required to perform Privacy Impact Assessments when processing Personal Data of EU individuals.  Additionally, organizations are required to perform Data Protection Impact Assessments when the processing of personal data is likely to present a “high risk” to the data subject. This enhanced type of assessment must include a thorough evaluation of your data processes and profiles as well as investigation into how these help safeguard individuals’ personal data. Similar processing operations that present similar risks can be addressed in a single assessment. These assessments will give your business a stronger foundation for preventing personal data breaches by identifying the gaps and risks that already exist.

Monitoring and Alerts

Preventive security measures cannot completely eliminate the possibility that a data breach may occur, but the GDPR requires a number of monitoring and alerting mechanisms to enhance detection of such breaches. Companies are required to monitor or audit all activities on relevant personal data and are also encouraged to maintain these records in a central location under the responsibility of the data controller (meaning other data processors and third-parties must not be able to alter or destroy the records). The GDPR also mandates timely notifications of personal data breaches by controllers to the supervisory authority in no later than 72 hours (where feasible).

Minimizing Costs & Ensuring Quality of Protection

Implementing data security without proper planning can have long-term ramifications when it comes to day-to-day IT operations and administrative costs, and these costs may be greater if you have let security processes lapse in the past. However, non-compliance with the GDPR regulations carries even greater risks. The GDPR recommends taking steps to both minimize the costs of security controls and increase the quality of protection, starting with making data protection a core part of any system design. The GDPR also recommends centralizing administration when dealing with the security of multiple applications and the protection of personal data in all stages of the data lifecycle. While Bronto can’t tell you what you need to do in your compliance efforts, we can answer general questions about what Bronto is doing and point you to resources that may help you in your quest. Visit the DMA’s library of GDPR resources or the Oracle Marketing Cloud’s GDPR center.