Full Episode Transcript
Hey there, and welcome. I’m Rocio Baeza and today we’re going to be talking about “how can I become GDPR compliant?” So this is a very common question that I get asked time and time again, and I would say that it’s not surprising. I would say relatively speaking, GDPR is still new. There are other laws and regulations that have the same spirit, but may not have the same reach as GDPR. So think HIPAA in the healthcare space. So even though HIPAA was put in place many years back, I still get questions around, “Hey. How can I become HIPAA compliant?” So the same way that many years later, people are asking how can I become compliant with this law, or that regulation.
I would expect that question to continue with GDPR. And, I would say that one of the biggest reasons that the question will continue to come up is we’re seeing so many organizations, so many tech companies that are just popping out of everywhere. I mean, with technology and the Internet, it’s just so much easier to build something. Because different people will build different organizations and technologies at different times, because that will just continue to happen, these organizations, they’re building their ideas and their products and their services, at one point they’ll be asking themselves, “Hey. I think I need to worry about GDPR. How can I become GDPR compliant?”
So, we’re going to be talking about that in today’s episode and I think it’s important to acknowledge that this is not clear cut. The answer to this question may be clear to a professional, to a cyber security professional, that has worked with GDPR for some time now. But I would say that the answer can still be ambiguous. I would say that, okay, so the GDPR, it was written. It’s a piece of regulation and it was written by lawyers and politicians. I would say that it’s not expected that the regulation will come off as easy to read and understand.
I also want to point out that GDPR is actually long and it’s complex. So it’s not just captured in one sheet of paper that makes it very easy for anyone to grasp. And I would also say that it will take time to read through it. Also, somehow the marketing materials for the many GDPR solutions and products that I’ve just seen out there, they claim to solve it all. “Hey. If you buy my product or service, you will be GDPR compliant!” So I think that because of these three things, the answer to that question is still ambiguous. It’s not clear cut how one can become GDPR compliant. And I would say that in working with GDPR, I would say that there is a simple answer. Now, just because something is simple, it doesn’t mean that it’s easy but I think by making something simpler, it will make it easier to understand.
All right. So I did mention that GDPR is a regulation and it was written by politicians and lawyers. So what this means is that lots of energy and time went into selecting the right words. And the words that are used, I would say that it’s very specific and it’s filled with terminology that might come off as jargon and might come off as being complex, and that it’s not easy to understand. So in working with GDPR with my clients, I’ve had to read and re-read, and re-re-read different sections of GDPR. Now, I will say that relatively speaking, I would say that GDPR is actually written in a way that is easier to understand than other similar laws and regulations. But, it doesn’t use the words, the terminology that I use on a day to day basis.
Let’s also address that GDPR is just long. Right? So in looking at the official text, so I regularly address the PDF version of the regulation and I’m seeing that it’s a total of 88 pages. And this is organized in 99 articles. And I mean, that’s lots of reading. That’s lots of thinking and re-reading when you’re trying to figure out, “Oh, okay. How does this requirement apply to this specific scenario?” So I think it’s important to acknowledge, hey, the GDPR is long. Let’s also take a moment to talk about the marketing that is out there with the many GDPR resources and products that are available.
I would say that I’ve seen lots of marketing pitches that I would say are over the top and are borderline deceptive. So I’ve seen, “Hey! Buy our tool! Buy our app! Buy our software! To be GDPR compliant.” I’ve also seen, “Hey! Build our GDPR compliant cloud, or tool or system”, and like this has an undertone that if you move your operations into another environment that it is automatically GDPR compliant, that somehow “their” GDPR compliance is transferred over to you and that’s all you have to do. That is not true. And I would see these very creative and borderline deceptive marketing pitches in conferences. I would say that I would see lots of this in 2018. I haven’t gone to many security conferences yet in 2019. We’re in week two as of the recording of this episode, and like I guess the point that I wanted to get across here is, if someone is asking, “How can I become GDPR compliant?” Because GDPR was written by politicians and regulators, because of the volume and the length of the regulation, because of the marketing pitches that are out there, this is not a clear … There is no clear cut answer.
So, what I want to cover in today’s episode is just the four step process in my GDPR implementation blueprint. So, in the years working with various data security laws, regulations, frameworks and standards, there’s a process that I follow. It took me many years and many mistakes to be able to get to this point. But it’s something that has worked very well for me and I would like to share this resource so that if it’s helpful to you, if it’s helpful to you to determine, “Hey, how can I figure this out for my organization?” this is a tool that you can use.
So again, this is called the GDPR Implementation Blueprint. We will be providing more information about where you can find this if you want to have a downloadable copy available. But, we will get to that. So, this blueprint is organized into four phases. And the first phase is you want to determine what applies to your organization. The second phase is you want to conduct a gap assessment. So for the requirements that apply to your organization, you want to see, all right, what are you doing and what are you not doing? Phase number three, you then will implement what is missing and phase number four, you will continue to do what applies to your organization and you’re going to be measuring for compliance along the way.
All right. So let me just go one level deeper for each of these four phases and then I’ll point you to how you can get a copy of this resource. All right. So going back to phase number one. You want to first determine, okay, what applies to your organization? I want you to know that not all of the GDPR requirements apply to all organizations. Now, there are lots of requirements. Some requirements apply to all organizations. There will be organizations that have to do it all and there will be organizations that only have to do some. And, if you’re looking for a visual on the possibilities, then I would point you to our free resource. It’s called the 10 GDPR Components. So this is a great visual so that you can see, all right, what are the 10 chunks of things that GDPR encompasses? So that you start to have an idea of the breadth of GDPR.
Okay, so that’s phase number one. Phase number two, you want to conduct a gap assessment. So, after you figure out which of the 10 GDPR components apply to your organization, you want to conduct a gap assessment so that you understand, all right, for the components that apply to my organization, am I already doing those things? And for the things that you are not already doing, you want to make a list of those gaps which will then feed into phase number three. All right. So once you’ve completed phase number two and you have that list of, all right, these are all my gaps, you then want to implement what is missing. You want to fill the gaps. And I will say that you should start with filling the gaps and after you’ve filled the gaps, if you want to go the extra mile and implement the remaining GDPR components, that is an option that you have. It’s not required, but that’s an option you have. If you’d like to go that extra mile and you want to implement all the requirements of GDPR, hey, more power to you.
But I would say start with those components that for sure apply to your organization. And, once you’ve completed that, what that means is, you’ve understood … All right. You have an idea of the breadth of GDPR, you understand which of the components apply to your organization, and you have a list of the gaps that you have to fill. And then you have already filled the gaps. So with phase number four, what you do is, you want to transition to maintenance mode so that you continue to do what you’re supposed to do and what that means is, you want to ensure that all the pieces are working as designed. That they are working as expected. That people are still doing what they’re supposed to be doing. That systems are still doing what they’re supposed to be doing. And, you want to have regular audits to ensure that you’re measuring for compliance and when you’re measuring for compliance, if you find that, hey, something isn’t working as it should, you have the opportunity to flag that, correct it, so that you are in the cycle of continuous compliance.
With GDPR, there is an accountability principle where you have to measure for compliance. So you have to be able to demonstrate that you are complying with GDPR and the only way that you can do that is by measuring for compliance on a regular basis. Whether this be an audit that you do internally, or this is an audit that you pay another organization, an audit firm, to do on your behalf.
All right. So to close out this session, I want to point you to where you can get a copy of this GDPR implementation blueprint. So, if you go to … So there are two ways to get it. The first way is to just go to our show notes. You should be able to find a link there. And so, that link will take you to a PDF document that lists the four phases that we covered. Now, for these four phases, there is detail behind that. There is detail on, all right, for phase number one, these are the steps that you want to take. For phase number two, these are the steps that you want to take. And the order that you should take those steps in. So if you want to see that detail, then I just need you to opt in. Provide us with your e-mail address so that we can e-mail you a copy of that resource. And just in full transparency, we will be using your e-mail to provide you with more information, more resources that we have prepared that we think will be helpful for you.
All right. So thank you very much for checking out today’s episode. I hope you found that to be helpful and we’ll see you on a future episode.
Well wait, before you close out the episode, I want to quickly share. I recently started a virtual community to help professionals like you on your journey with GDPR compliance. Now when I got started in the cyber security space, I found myself doing lots of reading, Google searches and trying to find information. I oftentimes had to do a lot of investigation before I was able to figure out, okay, what’s my next step? Or how do I address this problem that I’m facing? And I want to provide you the resource that I wish I had as I was learning this. If this sounds interesting, I invite you to learn more about this virtual community and you can do that by going to our website, gdprstandup.com, and clicking on the button that says, click to join our virtual community. Thank you very much.
Helpful links and resources
- GDPR Stand Up Website: gdprstandup.com
- The 10 GDPR Components
- The GDPR Implementation Blueprint
- Free GDPR Data Inventory Course: http://gdprstandup.com/free-course/
- Join the GDPR Stand Up Virtual Community