Six Steps to Master GDPR Compliance in 2019


Over the past year, GDPR has become associated in the public mind with scandalous data leaks and with tech giants' failure to safeguard sensitive consumer data. Now that the regulation is in force, every organization that processes the personal data of individuals in the EU must comply, wherever the organization itself is based.

What some overlook is that GDPR applies to web applications, smartphone apps and even applications a company builds purely for internal use. That covers an incredibly broad spectrum of software, and it is not hard to see how many organizations hold your basic personal information once you consider what a typical app requires just to sign up. It is frequently reported that around 7 out of 10 smartphone apps share user information with third parties.


We recently explored this state of affairs on the podcast Software Ate My Homework, where we asked: is there anyone left to hack? Whatever the answer, organizations everywhere in the world that handle EU personal data must comply with GDPR or risk heavy fines (up to €20 million or 4% of annual global turnover, whichever is higher) and damaged brands.

To avoid being the next Marriott, follow these six steps to master GDPR compliance in 2019:

Step 1: Get a Data Protection Officer

To ensure that the processing and protection of data complies with GDPR, appoint a Data Protection Officer who can act as subject matter expert on the evolving implications of the regulation. GDPR makes a DPO mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37); for everyone else it is strongly advisable. As consumers learn to exercise their rights of access, erasure and portability, more requests will arrive, and answering each within the statutory one month (extendable by two months for complex requests) becomes increasingly challenging. The DPO should own these inquiries and the company's ongoing GDPR strategy.

Step 2: Establish a Cartography of Your Applications

To know whether you actually adhere to GDPR, and to understand its impact across your entire application portfolio, establish a cartography (an inventory and data-flow map) of the applications that process your users' personal data.

Identify which data are sensitive, how they are used and who has access to them. The cartography also shows how personal data flow between systems, knowledge you cannot do without when a security failure or breach occurs: Article 33 gives you 72 hours from becoming aware of a breach to notify the supervisory authority, which leaves no time to discover after the fact which systems touched the affected data. Special categories of data (health, biometrics, ethnicity, religion and the like, Article 9) deserve the highest priority in the map. CAST Highlight's GDPR feature automatically detects applications that have access to personal data and flags them as priority apps for remediation or special attention on the way to full compliance.


Step 3: Keep GDPR as an Ongoing Priority

Data protection and GDPR compliance must be an ongoing effort, not a one-off project. Using the status and cartography of the application portfolio, identify and prioritize remediation or refactoring work, starting with the applications that hold the most sensitive data or expose it through the most paths. Because applications and their dependencies change with every release, the impact analysis has to be repeated continuously. CAST can help automate this effort, tracking the most critical data and the security and robustness of every path through the software that leads to it.
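As an added illustration of Steps 2 and 3 (this is not CAST's tooling and not code from the original post), the following Python sketch builds a cartography from a constructed inventory: each application declares the data stores it reads and the other applications it calls, stores are classified by the personal-data fields they hold, and a breadth-first search over the call graph finds, for every application, the shortest path by which it can reach each store of personal data, including indirect paths through other applications. Applications are then ranked for remediation with special-category data first. The application names, field lists and call graph are all constructed for the example.

```python
"""Toy application-portfolio cartography for GDPR personal data (constructed example)."""
from collections import deque

# Constructed classification lists: which field names count as personal data
# (Article 4) and which as special categories (Article 9). A real inventory
# would come from schema scans and data-discovery tooling, not a hard-coded set.
PERSONAL_DATA_FIELDS = {"full_name", "email", "phone", "home_address", "ip_address", "date_of_birth"}
SPECIAL_CATEGORY_FIELDS = {"health_condition", "ethnicity", "religion", "biometric_template"}
LEVELS = {"none": 0, "personal": 1, "special": 2}  # remediation priority order

# Constructed data stores: store name -> set of column/field names it holds.
DATA_STORES = {
    "crm_db": {"customer_id", "full_name", "email", "phone"},
    "billing_db": {"invoice_id", "amount", "customer_id"},
    "hr_db": {"employee_id", "full_name", "home_address", "health_condition"},
    "metrics_db": {"request_count", "latency_ms"},
}

# Constructed applications: the stores each one accesses directly and the
# other applications it calls (its outgoing edges in the call graph).
APPLICATIONS = {
    "web_portal": {"stores": ["crm_db"], "calls": ["billing_api"]},
    "billing_api": {"stores": ["billing_db"], "calls": ["crm_sync"]},
    "crm_sync": {"stores": ["crm_db"], "calls": []},
    "hr_intranet": {"stores": ["hr_db"], "calls": []},
    "dashboard": {"stores": ["metrics_db"], "calls": ["billing_api"]},
    "status_page": {"stores": ["metrics_db"], "calls": []},
}


def classify_store(fields):
    """Return 'special', 'personal' or 'none' for a store's set of field names."""
    if fields & SPECIAL_CATEGORY_FIELDS:
        return "special"
    if fields & PERSONAL_DATA_FIELDS:
        return "personal"
    return "none"


def data_paths(app, apps, stores):
    """Breadth-first search from `app` along the call graph.

    Returns {store: [app, ..., app_that_reads_store]} for every store holding
    personal data that `app` can reach, directly or through callees. BFS gives
    the shortest such path per store, which is what a breach impact analysis
    needs first: the most direct route from an exposed component to the data.
    """
    paths = {}
    seen = {app}
    queue = deque([(app, [app])])
    while queue:
        current, path = queue.popleft()
        for store in apps[current]["stores"]:
            if classify_store(stores[store]) != "none" and store not in paths:
                paths[store] = path
        for callee in apps[current]["calls"]:
            if callee not in seen:          # guards against cycles in the call graph
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return paths


def exposure(app, apps, stores):
    """Return (highest data level reachable from `app`, {store: path})."""
    paths = data_paths(app, apps, stores)
    if not paths:
        return "none", {}
    level = max((classify_store(stores[s]) for s in paths), key=LEVELS.__getitem__)
    return level, paths


def cartography(apps, stores):
    """Return [(app, level, paths)] ordered for remediation: special category
    data first, then other personal data, then applications with no exposure."""
    rows = [(app, *exposure(app, apps, stores)) for app in apps]
    rows.sort(key=lambda row: (-LEVELS[row[1]], row[0]))
    return rows


if __name__ == "__main__":
    for app, level, paths in cartography(APPLICATIONS, DATA_STORES):
        routes = {store: " -> ".join(path) for store, path in paths.items()}
        print(f"{app:12} {level:9} {routes}")
```

The point the prose alone does not make visible: `dashboard` never touches personal data itself, yet it reaches the CRM database through `billing_api` and `crm_sync`, so a compromise of the dashboard is a personal-data incident and the dashboard belongs in the priority list. Re-running the cartography on every release catches new edges of this kind as they appear.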

Step 4: Get Visibility into Software Risk Exposure

Where risks to personal data have been found, conduct an impact analysis for each one to illuminate the true software risk exposure: which data could be reached, through which applications and interfaces, and how many individuals would be affected. These are the same questions a Data Protection Impact Assessment (Article 35) asks for high-risk processing, so the work done here feeds directly into that assessment.

Step 5: Ensure Application Security by Design

To keep users' personal data protected around the clock, a complete data management process must be put in place to guarantee the protection of these data at every moment. This usually begins by revisiting application design; GDPR calls this data protection by design and by default (Article 25): collect only the data you need, keep it only as long as you need it, and restrict access to it by default.

Many software vulnerabilities stem from architectural design flaws rather than from individual coding mistakes, and such flaws are far costlier to fix after release. As automation and smart software become a larger part of IT systems across industries, the way these systems are designed and programmed needs careful analysis. A poorly chosen application security approach can directly undermine GDPR compliance goals.

Step 6: Improve and Maintain Documentation

Up-to-date documentation must be written and made available at all times to demonstrate GDPR compliance; Article 30 in particular requires a record of processing activities covering the purposes of processing, the categories of data and data subjects, the recipients, the retention periods and the security measures in place. This is a timely opportunity to assess your portfolio and establish a sound application portfolio management practice that captures how all applications are interconnected and work together. The documentation can also be generated from the cartography and kept current automatically over time.

If you haven't already demonstrated GDPR compliance, you're behind the eight ball. But for those looking to streamline ongoing compliance efforts, the above steps can be instrumental to your success. As the outcomes of GDPR continue to evolve, it's important to consider the impact it will have on other regulations, and on new regulatory enforcement around the world.

So, get compliant. Get a CAST assessment. And protect your customers' data.

Filed in: Risk & Security
Narcisa Zysman, Senior Product Manager at CAST