How to prepare for the DPO's arrival?
The amount of data that companies process continues to grow. Cloud computing and Big Data make it possible to manage an ever larger volume of information in order to better understand consumer behavior. But some of this data is very sensitive: personal identities, addresses, credit card numbers, and so on. It is therefore necessary to strengthen overall security to protect consumers.
To help companies, a new job is needed: the Data Protection Officer (DPO). It is an evolution of the former French role of personal data correspondent, or IT and freedom correspondent. The DPO position is defined in the General Data Protection Regulation (GDPR, Regulation 2016/679 of 27 April 2016).
What is the DPO's role?
The main mission of the DPO is to make sure the organization he works for complies with personal data legislation. To do so, he has to, among other things:
– Inform people and raise awareness of the "IT and privacy" culture
– Ensure compliance with the GDPR
– Inform, empower and alert the employer or customers
– Analyze, investigate, audit, control
– Present an annual report to the employer or customers
– Interact with the supervisory authority
TOP 5 tips to help the DPO in his mission
1- Reinforce visibility of your IT estate:
Make an inventory of your IT assets and know where they are located so that you can monitor personal data more effectively. As IT environments become more dynamic, especially with the use of the cloud, security teams have less visibility over deployments. Departments (sales, marketing, human resources, etc.) have more freedom to choose their tools, and SaaS solutions are increasingly used. More than 80% of employees admit to using a SaaS application that has not been validated by their IT department.
2- Know your level of cyber risk:
Carry out a security audit to know your vulnerabilities and which of them can be exploited quickly. With an average of 28 new vulnerabilities discovered every day in 2016 (50 per day in 2017), an inventory is needed to know the company's level of exposure. The DPO must provide precise information on the actions implemented in his company or at his client, as well as measure the risk incurred by personal data.
3- Build an action plan:
Establish an action plan to reduce the level of risk quickly by focusing on the highest-risk assets. The best way to build your action plan is to rely on relevant, easy-to-understand risk indicators. They let the DPO see where the level of risk is most critical in order to prioritize the actions to take. They also make it easier to communicate with the employer or client about possible cyber attacks and their consequences.
4- Automate detection:
Set up a solution for continuous analysis of security flaws. It allows the CISO to be alerted as soon as a new vulnerability is detected, so that the security teams can apply patches quickly. Daily tests also provide the DPO with the data he needs to ensure the company follows the action plan, with visible results over time.
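Tips 1 to 4 describe one pipeline: an asset register, scanner findings, a risk indicator per asset, a prioritized plan, and an alert when a new finding appears between two scans. The script below is an added example that is not part of the original post or of any product it describes. It assumes a scanner exports findings as (asset, vulnerability id, severity) with a CVSS-like 0 to 10 score, that personal-data assets are weighted double (an assumption, not a standard), and that alerts are raised at score 7.0 or above; the inventory and both scans are constructed data.

```python
"""Added example: from asset inventory and scan output to risk indicators,
a prioritized action plan, and new-finding alerts. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                 # department accountable for the asset
    location: str              # "on-prem" or "saas"
    holds_personal_data: bool  # what the DPO cares about most


# Constructed asset register (tip 1): what the DPO knows about.
INVENTORY = [
    Asset("crm-web", "sales", "saas", True),
    Asset("hr-db", "human resources", "on-prem", True),
    Asset("marketing-site", "marketing", "on-prem", False),
    Asset("build-server", "it", "on-prem", False),
]

# Constructed scanner exports: (asset name, vulnerability id, CVSS-like score).
SCAN_YESTERDAY = [
    ("crm-web", "VULN-A", 9.8),
    ("hr-db", "VULN-B", 7.5),
    ("marketing-site", "VULN-C", 9.1),
]
SCAN_TODAY = SCAN_YESTERDAY + [
    ("hr-db", "VULN-D", 8.8),
    ("build-server", "VULN-E", 5.3),
]

PERSONAL_DATA_WEIGHT = 2.0  # assumption: personal-data assets count double


def risk_indicators(inventory, scan):
    """Risk score per asset (tip 2): sum of finding scores, weighted up when
    the asset holds personal data. Findings on assets missing from the
    register are kept as well: they reveal a visibility gap (tip 1)."""
    by_name = {a.name: a for a in inventory}
    scores = {a.name: 0.0 for a in inventory}
    for asset_name, _vuln, cvss in scan:
        asset = by_name.get(asset_name)
        if asset is None:
            scores[asset_name] = scores.get(asset_name, 0.0) + cvss
            continue
        weight = PERSONAL_DATA_WEIGHT if asset.holds_personal_data else 1.0
        scores[asset_name] += cvss * weight
    return scores


def action_plan(inventory, scan):
    """Prioritized (asset, owner, score) list, highest risk first (tip 3)."""
    owners = {a.name: a.owner for a in inventory}
    scores = risk_indicators(inventory, scan)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(name, owners.get(name, "unregistered"), round(score, 1))
            for name, score in ranked if score > 0]


def new_findings(previous, current, alert_threshold=7.0):
    """Findings present in the current scan but not the previous one (tip 4),
    filtered to those serious enough to alert on."""
    seen = {(asset, vuln) for asset, vuln, _ in previous}
    return [(asset, vuln, score) for asset, vuln, score in current
            if (asset, vuln) not in seen and score >= alert_threshold]


if __name__ == "__main__":
    for asset, owner, score in action_plan(INVENTORY, SCAN_TODAY):
        print(f"{asset:16} owner={owner:16} risk={score}")
    for asset, vuln, score in new_findings(SCAN_YESTERDAY, SCAN_TODAY):
        print(f"ALERT: new finding {vuln} on {asset} (score {score})")
```

With the constructed data, hr-db rises to the top of the plan because it holds personal data and gained a new high-severity finding overnight, which is also the only finding that crosses the alert threshold; build-server's new finding is recorded in the plan but does not page anyone.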
5- Test your network internally:
What a company fears is suffering an external cyber attack such as ransomware or malware. But it must not forget to check the configurations on its own network that could grant administrator privileges to people who do not need them. Human error is involved in almost 83% of cyber attacks. The DPO must therefore insist on employee training. Knowledge and application of good security practices by everyone is necessary in the process of complying with the GDPR.
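The internal check in tip 5 comes down to comparing who holds administrator rights with who actually exercises them. The script below is an added example, not code from the original post or from any product; it assumes an account export in which each account lists its group memberships and the date of its last action that required the privilege, that "Domain Admins" and "local-admins" are the privileged groups, and that only the IT department is expected to hold them. All accounts are constructed.

```python
"""Added example: flag accounts holding administrator rights they do not use
or should not hold. Account data, group names and policy are constructed."""
from datetime import date

# Assumptions: which groups confer admin rights, and which departments may hold them.
ADMIN_GROUPS = {"Domain Admins", "local-admins"}
ADMIN_DEPARTMENTS = {"it"}

# Constructed account export; last_admin_action is None if never recorded.
ACCOUNTS = [
    {"user": "alice", "dept": "it", "groups": ["Domain Admins"],
     "last_admin_action": date(2017, 9, 20)},
    {"user": "bob", "dept": "marketing", "groups": ["local-admins"],
     "last_admin_action": None},
    {"user": "carol", "dept": "sales", "groups": ["local-admins", "crm-users"],
     "last_admin_action": date(2017, 3, 1)},
    {"user": "dave", "dept": "hr", "groups": ["hr-users"],
     "last_admin_action": None},
]


def privilege_findings(accounts, today, max_idle_days=90):
    """Return [(user, [reasons])] for accounts with privileged group membership
    that is unused, stale (older than max_idle_days), or outside an admin
    department. Accounts without privileged membership are skipped."""
    findings = []
    for acc in accounts:
        if not ADMIN_GROUPS.intersection(acc["groups"]):
            continue
        reasons = []
        if acc["dept"] not in ADMIN_DEPARTMENTS:
            reasons.append("privileged group held outside an admin department")
        last = acc["last_admin_action"]
        if last is None:
            reasons.append("admin rights never used")
        else:
            idle = (today - last).days
            if idle > max_idle_days:
                reasons.append(f"admin rights unused for {idle} days")
        if reasons:
            findings.append((acc["user"], reasons))
    return findings


def admin_ratio(accounts):
    """Share of accounts holding admin rights: a simple indicator to track
    over time in the DPO's report."""
    admins = sum(1 for acc in accounts if ADMIN_GROUPS.intersection(acc["groups"]))
    return admins / len(accounts) if accounts else 0.0


if __name__ == "__main__":
    for user, reasons in privilege_findings(ACCOUNTS, date(2017, 10, 1)):
        print(user, "->", "; ".join(reasons))
    print(f"admin accounts: {admin_ratio(ACCOUNTS):.0%}")
```

Each finding is something to remove or to justify in writing; the ratio is the kind of easy-to-understand indicator tip 3 asks for, and it should fall as the plan is executed.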
Security solutions that will help the DPO
As the GDPR requires a DPO in each company that collects personal contact information, companies must be prepared to facilitate their work. To help them, the following solutions should be put in place:
– Vulnerability scanner: a truly preventive security solution, it lets you know your flaws so that you can act on them before an attack occurs. It will also detect whether the security solutions in place (firewall, antivirus, etc.) are properly configured.
– SIEM: it analyzes, manages and correlates logs in near real time, so that security staff can take defensive action more quickly. Coupled with other tools, it can form the basis of a SOC.
– SOC: a complete solution that acts as a system for detection, analysis, risk prevention and alerting, and also provides decision support, protection and handling of contingencies.
To help companies prepare for the DPO's work, we offer you 14 days of monitoring of your IT infrastructure. You will discover your level of risk and receive complete reports on your vulnerabilities to prepare your action plan.
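To make the SIEM entry concrete, here is the kind of near-real-time correlation such a tool performs, written as an added example that is not part of the original post and not the logic of any particular SIEM product. The rule is an assumption chosen for illustration: five or more failed logins from one source address within 60 seconds, followed by a successful login from the same address, raises an alert. The log lines are constructed in an sshd-like format and parsed with a regular expression specific to that format.

```python
"""Added example: a sliding-window correlation rule over constructed
sshd-style log lines, of the kind a SIEM evaluates in near real time."""
import re
from datetime import datetime, timedelta

# Constructed log lines (not captured from a real system).
LOG_LINES = """\
2017-10-01T08:00:01 sshd[101]: Failed password for admin from 203.0.113.5
2017-10-01T08:00:03 sshd[101]: Failed password for admin from 203.0.113.5
2017-10-01T08:00:05 sshd[101]: Failed password for root from 203.0.113.5
2017-10-01T08:00:07 sshd[101]: Failed password for admin from 203.0.113.5
2017-10-01T08:00:09 sshd[101]: Failed password for admin from 203.0.113.5
2017-10-01T08:00:12 sshd[101]: Accepted password for admin from 203.0.113.5
2017-10-01T08:05:00 sshd[102]: Failed password for carol from 198.51.100.7
2017-10-01T08:05:30 sshd[102]: Accepted password for carol from 198.51.100.7
""".splitlines()

LINE_RE = re.compile(
    r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse(line):
    """Return (timestamp, success, user, ip) or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, ip = m.groups()
    return datetime.fromisoformat(ts), outcome == "Accepted", user, ip


def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert when a success from an IP follows >= threshold failures from that
    IP inside the window. Failures older than the window are dropped on each
    new event, so state stays bounded as in a streaming SIEM."""
    failures = {}  # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, success, user, ip = event
        recent = [t for t in failures.get(ip, []) if ts - t <= window]
        if not success:
            recent.append(ts)
            failures[ip] = recent
            continue
        failures[ip] = recent
        if len(recent) >= threshold:
            alerts.append({"ip": ip, "user": user, "failures": len(recent),
                           "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOG_LINES):
        print("ALERT", alert)
```

The single failed attempt from 198.51.100.7 never reaches the threshold, so only the first source produces an alert; raising the threshold or shrinking the window silences it, which is the tuning a SOC does to keep alerts actionable.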