A Practical Guide to GDPR Compliance - Part 4: Continuous Compliance
If you’ve stuck with us through Parts 1, 2 and 3, you know we’re taking a different approach to GDPR compliance. One that doesn’t rely on fear and hyperbole. Instead, we’re focusing on the processes and technologies you already have in place that can be tweaked and optimized for the GDPR mandates.
So far, we’ve assured you that panic is not necessary. We’ve assessed our current position (orientation) and used technical measures to validate data protection (analysis). Now, we can move to a point of ongoing GDPR compliance. Conveniently, this is the third mandate from GDPR. Let’s dust off the Rosetta Stone again.
GDPR Mandate: Continuously monitor data protection measures.
Translation: Look at the network in real-time to see if all is well.
Now that we’re approaching data protection with a risk-based method and are capable of technical measurement, we need to keep things clean and compliant. The cost of non-compliance with GDPR can punish the bottom line with large fines and the erosion of consumer trust. To be sure, non-compliance does not tend to happen immediately after calibrating our networks to conform to regulatory guidelines. Compliance drift happens over time, slowly and often without notice.
Knowing there is a tendency to drift, EU regulators have included guidelines for continuous monitoring. Article 32 of the GDPR states organizations must have, “a process for regular testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of [data] processing.”
We are being called to maintain ongoing, real-time, continuous compliance. Surprised?
Does anyone really think that compliance is a one-time project? You demonstrate continuous compliance every day. If you haven’t taken the trip to continuous compliance, there are three items you’ll need on your journey:
- Real-Time Monitoring
- Scaled Data Ingest
- Customizable Reporting
The first thing to bring with you on the journey to continuous compliance is real-time monitoring. Real-time monitoring takes data from across your network with a live stream of logs, configurations, changes, policies, vulnerabilities and the like. The data comes together in a tapestry so that you can see when GDPR compliance drifts.
Scaled Data Ingest
No amount of real-time monitoring will work if the monitor is choked by petabytes of data. Any latency in the data throughput means the reporting will no longer be real-time.
So, we need scaled data ingest that flexes with surges, network changes and mutations, platform shifts (cloud, virtual, containers) and traffic flowing throughout the system. Scaled data ingest means a data fabric akin to Elastic or other Big Data solutions that can support high-throughput.
Once May 25, 2018 comes, you will have everything in place to demonstrate GDPR compliance. But have you ever seen a compliance standard or an enterprise network remain static? Customizable reporting allows you to fine-tune as GDPR goes from vague to highly-specific. Customizable reporting also gives you the flexibility to adjust as your network changes. You can mix and match controls based on your context, what’s being monitored and what actions you should take.
These three components come together to satisfy the third GDPR mandate for continuous monitoring. And that translates to: “Look at the network in real-time, see if all is well.” I suspect you are reading this with your eyes on a computer screen. I further suspect one or more systems are up and running on that same screen showing you network security details.
Are you in a state of anxiety? Probably not. You already know how to scale your data ingest, monitor in real-time and customize reports. You live and breathe continuous compliance. GDPR is merely a special case of what you have been doing your entire career. We see again, there is nothing to fear.
Want this blog series in one handy document?
Download our eBook “Why GDPR Is Nothing to Fear: A Practical (and sometimes philosophical) guide to complying with the General Data Protection Regulation” by clicking here >>