Throughout our journey, we learned about the breadth, scope and location of our data, we started to manage it, and we validated that it was protected and secured. However, completing these tasks still did not ensure compliance.
This only covered the first three of the five lessons we learned:
- Know your data
- Manage the data
- Protect the data
- Documentation and compliance
- Continuous improvement
This journey brought us to the final two principles: Documentation and Compliance, as well as Continuous Improvement.
Lessons 4 and 5 can be brought together: everything you automate today for documentation can also be used for continuous improvement.
First, it is important that each process in your environment is documented. The data itself might be classified and secured, but what about the underlying infrastructure or services? What if data is being moved from one location to another? If an employee moves from one division to another, will they receive the correct rights for their new responsibilities, and are their old rights revoked? Is the data you are collecting (which was relevant six months ago) still relevant today? (Run the surveys from lesson 1 again on a regular basis.) Did your third-party provider change the way it handles your data because the requirements have changed? Is the data of your newest workload protected by design, and encrypted in transit where necessary? These are only a few of the questions you need to keep asking yourself.
Documentation not only helps in the event of an audit, but also for your internal Data Protection Officer (or anybody acting as such depending on the size of your organization). That Data Protection Officer will be able to use that documentation to revise workflows, change access to certain data and ensure that the company remains compliant with the legislation.
Many questions will require manual surveys or effort to answer, but others can be automated through dashboards and reporting. We already said that no single piece of technology will resolve all of your requirements, so your Data Protection Officer will need to receive reports and dashboards from different sources. This information will come from multiple places: the data itself, the infrastructure that delivers it, the security and data protection profile (review of access, potential breaches…), manual surveys and more.
GDPR requires constant monitoring, auditing, review and improvement.
The road to GDPR compliance does not stop on the 25th of May, 2018. This is only the beginning. Becoming compliant, and remaining compliant, requires continuous monitoring, auditing, reviewing and improvement. A single technical solution to document and monitor everything does not exist today. Reports and dashboards will come from a variety of sources in your organization. Some of the work will be manual, while the rest will need to come from the various technical solutions in place. Make sure you investigate what data each solution can deliver so that the Data Protection Officer can monitor and revise where necessary.
The Veeam journey to GDPR compliance was an enlightening and valuable exercise. We are passionate about sharing these experiences to both help our customers and to ensure that users can have the confidence they need in their digital life.