Six steps to GDPR compliance

New EU data protection rules present organizations with the perfect opportunity to embrace security by design and offer customers a superior service. But what steps should be taken to ensure compliance?

First published on March 15, 2018

One date that should be firmly in the calendar of all organizations holding information on individuals in the EU is 25 May 2018, the day that the General Data Protection Regulation (GDPR) comes into force.

With only a few months to go, it is now critical for organizations that have done little so far to start preparing. Gemalto, which itself started getting ready in 2013, suggests a six-step approach to achieving GDPR compliance by controlling access to personal data (remembering that people are, and will remain, the biggest risk), encrypting that data (even where the GDPR does not mandate it) and securing and managing the encryption keys.

The six steps to GDPR compliance are as follows:

  1. Understand the legal framework
  2. Create a data register
  3. Classify the data
  4. Start with the top priorities
  5. Assess and document additional risks and processes
  6. Revise and repeat

Many organizations respond to the need for increased security by applying patches to an existing system (a big challenge), but GDPR compliance implies security by design – a system that has been designed with security in mind from the outset, rather than simply as an afterthought. This is in line with Gemalto's recommended Compliance Infrastructure approach, which covers the key aspects that organizations will need to address and provides a cost-efficient and effective way to meet existing and future compliance obligations.

Building a compliance infrastructure:

  • Establish a central point of control and visibility for managing encryption technologies, keys, policies, logging and audits
  • Make sure that only the right people can access private information and that data can be managed without being altered, using layered access controls based on strong, multi-factor authentication solutions and hardware security modules (HSMs)
  • Ensure an authentication management platform is in place that enables the central management of authentication devices and policies
  • Develop a data protection privacy policy that makes sense to the administrator and to those who enforce it
  • Establish the centralized, efficient and secure management of cryptographic keys and policies
  • Ensure secure cryptographic key management involving robust HSMs
  • Safeguard regulated data across all applications and systems through encryption, so even if an organization's initial defences are breached, sensitive data is still protected

Learn more about GDPR with our beginner's guide.

Download Gemalto's GDPR eBook to see how Gemalto can help you identify the key aspects of GDPR and what steps to take to address its requirements.