Throughout the past year, GDPR compliance has become synonymous with scandalous data leaks and a lack of safeguards by tech giants to keep sensitive consumer data safe. Now that the legislation is officially here, all companies that process the personal data of European citizens must comply.
What some may overlook is that GDPR applies to online applications, smartphone apps and even applications created by companies for internal use only. This covers an incredibly broad spectrum of apps, and when you consider what information is required just to use an app, it’s not hard to realize how many organizations hold your basic personal information. In fact, it’s commonly known that 7 out of 10 smartphone apps share our information with third parties.
In fact, we recently explored this current state of affairs on the podcast, Software Ate My Homework, where we asked: Is there anyone left to hack? Regardless of the answer to that question, organizations in all parts of the world must comply with GDPR standards or risk mega fines and damaged brands.
To avoid being the next Marriott, follow these six steps to master GDPR compliance in 2019:
Step 1: Get a Data Protection Officer
In order to ensure that the processing and protection of data complies with GDPR, it is highly recommended to have a Data Protection Officer, who can act as a subject matter expert on all things related to the ever-changing implications of this regulation. As consumers learn how to access their data, more questions will arise, and it will become increasingly challenging for companies to respond in accordance with the law. The Data Protection Officer should manage all these inquiries and the company’s ongoing GDPR strategy.
Step 2: Establish a Cartography of Your Applications
To be sure that you are adhering to GDPR standards and to understand the impact of GDPR across your entire application portfolio, it is important to establish a cartography of applications that process the personal data of your users.
The identification of sensitive data, how it’s used and who has access to it is very important. Establishing a cartography will also help you understand the flow of sensitive data, which is mandatory knowledge in the case of a security failure or breach. CAST Highlight’s GDPR feature automatically detects applications that have access to personal data and flags those as priority apps for remediation or special attention to achieve full compliance.
Step 3: Keep GDPR as an Ongoing Priority
Data protection and compliance with GDPR must be an ongoing effort. Using the status and the cartography of the application portfolio, the next step is to identify and prioritize remediation or refactoring effort. To keep a handle on data risk, ongoing impact analysis is mandatory. CAST can help automate this effort to track the most critical data and the level of security and robustness of all the paths through the software leading to that data.
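To make Steps 2 and 3 concrete, here is an added illustration (not CAST Highlight’s own implementation) of what a minimal application cartography looks like in code. It assumes a constructed call graph in which applications call services and services read data stores, plus a constructed schema per store and an assumed list of personal-data field names. From that it flags which applications can reach personal data, lists every path through which they reach it, and computes the blast radius of a single component for the impact analysis described in Step 3.

```python
"""Minimal application cartography for personal data.

Added illustration, not CAST Highlight's own code.  Input is a constructed
call graph (applications -> services -> data stores) and constructed store
schemas.  The functions flag which applications can reach personal data,
enumerate the paths to it, and compute the impact of a single component.
"""

from collections import defaultdict

# Assumed list of field names treated as personal data under GDPR.
PERSONAL_DATA_FIELDS = {"email", "full_name", "phone", "date_of_birth", "ip_address"}

# Constructed sample portfolio: each component maps to the components it
# calls or reads.  Data stores have no outgoing edges.
CALL_GRAPH = {
    "web-shop":     ["checkout-svc", "catalog-svc"],
    "mobile-app":   ["checkout-svc", "push-svc"],
    "hr-intranet":  ["payroll-svc"],
    "checkout-svc": ["orders-db", "customers-db"],
    "catalog-svc":  ["products-db"],
    "push-svc":     ["devices-db"],
    "payroll-svc":  ["employees-db"],
    "orders-db": [], "customers-db": [], "products-db": [],
    "devices-db": [], "employees-db": [],
}

# Constructed schemas: the fields each data store holds.
STORE_FIELDS = {
    "orders-db":    {"order_id", "sku", "amount"},
    "customers-db": {"customer_id", "email", "full_name", "phone"},
    "products-db":  {"sku", "price", "description"},
    "devices-db":   {"device_token", "ip_address"},
    "employees-db": {"employee_id", "full_name", "date_of_birth", "salary"},
}

# Entry points of the portfolio (the "applications" of the cartography).
APPLICATIONS = ["web-shop", "mobile-app", "hr-intranet"]


def personal_data_stores():
    """Return {store: personal fields it holds} for every store holding any personal data."""
    return {s: f & PERSONAL_DATA_FIELDS
            for s, f in STORE_FIELDS.items() if f & PERSONAL_DATA_FIELDS}


def paths_to_personal_data(app):
    """Every path from `app` through the call graph to a store holding personal data."""
    targets = personal_data_stores()
    paths = []

    def walk(node, path):
        if node in targets:
            paths.append(path)
            return
        for nxt in CALL_GRAPH.get(node, []):
            if nxt not in path:          # guard against cycles in the graph
                walk(nxt, path + [nxt])

    walk(app, [app])
    return paths


def cartography():
    """Step 2: per application, which personal fields it can reach and via which paths."""
    stores = personal_data_stores()
    result = {}
    for app in APPLICATIONS:
        paths = paths_to_personal_data(app)
        fields = set()
        for p in paths:
            fields |= stores[p[-1]]      # p[-1] is the personal-data store reached
        result[app] = {"personal_fields": sorted(fields), "paths": paths}
    return result


def impact_of(component):
    """Step 3: applications and personal fields exposed if `component` is changed or compromised."""
    stores = personal_data_stores()
    affected = defaultdict(set)
    for app in APPLICATIONS:
        for p in paths_to_personal_data(app):
            if component in p:
                affected[app] |= stores[p[-1]]
    return {app: sorted(f) for app, f in affected.items()}


if __name__ == "__main__":
    for app, info in cartography().items():
        flag = "PRIORITY" if info["personal_fields"] else "ok"
        print(f"{app:12} {flag:8} fields={info['personal_fields']}")
        for p in info["paths"]:
            print("   " + " -> ".join(p))
    print("impact of checkout-svc:", impact_of("checkout-svc"))
```

Applications with at least one path to a personal-data store are the priority apps of Step 2; `impact_of` answers the Step 3 question of which applications and which personal fields a single weak component exposes, which is the input a remediation backlog needs to be ordered by data risk rather than by application alone.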
Step 4: Get Visibility into Software Risk Exposure
If risks related to personal data have been found, then for each identified risk an impact analysis should be conducted to illuminate the true software risk exposure.
Step 5: Ensure Application Security by Design
In order to ensure that users’ personal data is protected 24/7, a full data management process must be put into place to guarantee the protection of this data at any moment. This often begins by revisiting application design.
Many software vulnerabilities are caused by architectural design flaws. As automation and smart software become an increasingly large part of IT systems across several industries, the way these machines are programmed needs to be carefully analyzed. Poorly-chosen application security approaches can certainly impede GDPR compliance goals.
Step 6: Improve and Maintain Documentation
Up-to-date documentation must be written and made available at all times to confirm GDPR compliance. This presents a timely opportunity for companies to assess their portfolio and establish a smart application portfolio management practice that considers how all applications are interconnected and work together. This can also be automated and continued over time.
If you haven’t already proved GDPR compliance, you’re behind the eight-ball. But for those looking to streamline ongoing compliance efforts, the above steps can be instrumental to your success. As the outcomes of GDPR continue to evolve, it’s important to consider what impact it will have on other regulations, and even new regulatory enforcement around the world.
So, get compliant. Get a CAST assessment. And protect your customers’ data.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and liability implications of open source components, all three of which are critical for M&A due diligence.