The GDPR Holiday Wish List
Published 2017-12-22 (last modified 2021-09-30)

-or- All I Want for Christmas is to be GDPR compliant

The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018 and is considered the most significant regulation regarding data protection in the past 20 years. It will give greater rights to citizens over their personal data, as well as force companies to maintain greater control and management over the data they collect.

So, as the end of the year approaches and our holiday wish lists are being made for Christmas and the new year, an important list to make is your organization's compliance with GDPR. When it comes to GDPR compliance with Salesforce data, any organization that holds personal data on a European Union citizen will need to be compliant.

One of the first things you want to do within your organization is a Data Protection Impact Assessment (DPIA). Inspired by the recommendations of the Article 29 Working Party for a DPIA, the following are some of the key steps organizations should take to be compliant with the upcoming GDPR guidelines. The Article 29 Working Party (Art. 29 WP) is an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission.

Odaseva created the following GDPR holiday wish list so that organizations can check it twice to help them on their journey to be GDPR compliant, particularly in terms of the technical and organizational measures needed to safeguard the security of personal data (Article 32 of the GDPR).

1. Raise user awareness of GDPR

It's important that each organization informs anyone processing data about GDPR rules and restrictions. Write an information technology charter with GDPR rules and give it binding force. Make sure you include partners and contractors in your communication if they are processing personal data from your systems.

2. Hire a DPO

If your organization has not appointed a Data Protection Officer (DPO), it's time to involve your HR department and put the DPO at the top of your 2018 recruitment priorities. The DPO should, at the very least, inform employees, the data controller and the data processor about compliance regulations. He/she should also monitor compliance and provide advice for a data protection impact assessment. Next, he/she should monitor performance and cooperate with the supervisory authority when necessary.

3. Manage access rights to comply with GDPR

Defining access profiles is an essential part of managing access rights. Deleting obsolete access rights is also important. Each year an organization should also review the access rights and make the necessary modifications.

4. Log authentications and manage incidents

This may seem like a no-brainer, but it's important to implement a strong login system. You should also write procedures for notifying personal data breaches when they occur. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

5. Secure workstations

Your data is only as safe as the people working with it. Be sure your employees work on secure workstations that have an automatic session timeout. Implement state-of-the-art security measures: use anti-virus software and make sure it is regularly updated, install a firewall, and collect user consent before any action on his/her workstation.

6. Secure mobile devices

Mobility has become a staple of today's workforce with the BYOD trend, yet it also causes security vulnerabilities. It's important to encrypt all mobile devices and carry out backups and regular data synchronizations. Also, enforce a password policy for unlocking smartphones.

7. Protect internal networks

Limiting network flows to the strictly necessary can help shore up your security and compliance. Portable devices should use a VPN to secure remote access. Also, use the WPA2 or WPA2-PSK protocols for Wi-Fi networks.

Securing servers is also essential. Access to administration tools and interfaces should only be given to authorized personnel. Critical system updates must be installed immediately, while also ensuring data availability.

8. Secure websites

Websites can be the weak point for organizations, especially when it comes to phishing scams. Here is a secure website checklist: