
GDPR is about to come into effect, how can companies protect their data in compliance?

Creation date: 2018-05-24  Source: 百度百科
Starting from May 25, 2018, the EU General Data Protection Regulation (GDPR) will officially come into effect, which strengthens the relevant provisions on data privacy, data processing, and data security. The newly revised regulations apply to all businesses operating within the European Union, as well as businesses that collect or process personal data originating from the EU (residents or tourists).
At the beginning of this year, I attended an online seminar on the upcoming GDPR enforcement date, focused mainly on how global enterprises can complete their compliance projects. As a senior data privacy consultant at Imperva, I understand the importance of keeping up with the latest EU regulations and working towards them.
The panelists were Barbara Cosgrove, Privacy Officer at Workday; Naheed Bleecker, Senior Privacy Advisor at TrustArc; and Sue Habas, Vice President of Strategy Technology at ASC Technologies.
The session was chaired by Dr. Branden Williams, Director and Senior President of Cybersecurity at MUFG Union Bank. We discussed in depth the key measures that data privacy, security, and compliance projects need to have in place by May 2018.

Overall, four kinds of measures need to be taken:
1) Embed privacy protection in the design process
2) Understand where data is stored
3) Build a data catalog and classify the data
4) Implement appropriate security controls

Embed privacy protection in the design process
Barbara Cosgrove said, "What we actually need to see is that appropriate privacy protection measures are embedded throughout the entire development process (products, processes, transmission services, and so on that use personal data)."
Under GDPR, the first step is to determine whether the enterprise has updated its product design process and adjusted its management policies so that data privacy input is included in the initial phase of a project. She added that "relevant privacy impact assessments need to be conducted to identify any risks and ensure that you truly understand whether the way personal data is processed will expose data subjects to high risk."

Understand where data is stored
Naheed Bleecker suggests that closely tracking the flow of data through its entire lifecycle inside the company is a simple way to maintain good data governance. Understanding every control that applies to the data is crucial. Where does the data reside? Who can access it? Where does it flow to? Who comes into contact with it? Which specific data elements are collected? Has the relevant consent or licence been obtained? What storage and retention standards are in place? These are the particulars an enterprise needs to know about its personal data. Another major aspect of data governance is understanding how third parties interact with the data. Handled this way, GDPR not only creates opportunities for stakeholders to receive relevant training, but also helps build stable relationships with customers and partners.

Build a data catalog and classify the data
Sue Habas said, "Business operators want to automate business and data storage matters. They also want centralized handling of database metadata and classification, so that everyone can access the data." In addition, you may need to categorize the information and make it accessible to the enterprise's internal end users (business and technical). Habas added, "Collecting privacy data and addressing and managing such issues is a fundamental part of the business process."
It is necessary to collaborate with product and business teams so that the relevant people in the enterprise understand and manage the data. Data therefore needs to be processed in a transparent and accountable manner, regardless of the technology, purpose, or jurisdiction involved. In other words, every data silo must be brought under supervision.

Implement "appropriate" security controls
Data cataloging and asset tracking are the foundation of any comprehensive privacy project, but they are not the main issue. The primary task is to deploy appropriate security controls for the personal data of employees, customers, and end users that the enterprise collects, processes, and stores.
GDPR not only explicitly calls for anonymization and encryption to protect the security of data processing, it also raises the fines for companies that have not taken "appropriate" security measures, to 2% of the company's global total revenue or $10 million.
So what exactly does "appropriate" mean? Where should a data privacy, risk, or compliance project begin? First, it is recommended to start with enterprise data asset management: inventory the data assets across the various storage points, databases, and functional departments. For example, does anyone in the company have a security knowledge blind spot?
Data must also be encrypted in transit and in every local storage procedure, and an incident and data breach response program must be established and maintained. I strongly recommend that everyone create a flow chart of the data flows and processing within the company and record it in the relevant documents. Once a data breach occurs, you can then establish the specifics within the first 24 and 72 hours after the breach.
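The inventory questions above (where the data resides, who can access it, where it flows, which fields are collected, whether a lawful basis and a retention period are recorded), the classification step, and the "appropriate controls" check (encryption in transit and at rest, breach notification within 72 hours) can be captured in one small audit. The following is an added example, not code from the article or from any of the panelists' companies; the field classifications, the `check_store` rules and the sample inventory are all constructed for illustration.

```python
"""Personal-data inventory, classification and control-gap audit.

Added example (not from the original article). The classification table,
the control checks and SAMPLE_INVENTORY are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed classification table: fields that count as personal data and
# fields that fall into GDPR's special categories (Article 9).
SPECIAL_CATEGORY = {"health_condition", "ethnicity", "religion", "biometric_template"}
PERSONAL = {"email", "full_name", "phone", "ip_address", "date_of_birth", "postal_address"}


def classify_field(name):
    """Return 'special', 'personal' or 'none' for one collected field."""
    if name in SPECIAL_CATEGORY:
        return "special"
    if name in PERSONAL:
        return "personal"
    return "none"


def classify_store(store):
    """Highest classification found among a store's fields."""
    levels = {classify_field(f) for f in store["fields"]}
    if "special" in levels:
        return "special"
    if "personal" in levels:
        return "personal"
    return "none"


def check_store(store):
    """Return the control gaps found for one data store (empty list if none)."""
    findings = []
    level = classify_store(store)
    if level == "none":
        return findings  # no personal data here, nothing to check
    name = store["name"]
    if not store.get("encrypted_at_rest"):
        findings.append(f"{name}: personal data stored without encryption at rest")
    if not store.get("tls_in_transit"):
        findings.append(f"{name}: personal data transferred without TLS")
    if not store.get("lawful_basis"):
        findings.append(f"{name}: no lawful basis (e.g. consent, contract) recorded")
    if store.get("retention_days") is None:
        findings.append(f"{name}: no retention period defined")
    for party in store.get("shared_with", []):
        if not party.get("processor_agreement"):
            findings.append(f"{name}: shared with {party['name']} without a processor agreement")
    if level == "special" and not store.get("access_restricted"):
        findings.append(f"{name}: special-category data without restricted access")
    return findings


def audit(inventory):
    """Run check_store over the whole inventory and collect every finding."""
    findings = []
    for store in inventory:
        findings.extend(check_store(store))
    return findings


def breach_notification_deadline(detected_at):
    """GDPR Article 33: the supervisory authority must be notified within
    72 hours of becoming aware of a personal data breach."""
    return detected_at + timedelta(hours=72)


# Constructed sample inventory: one record per data store, answering the
# inventory questions (location, fields, who can access, sharing, basis, retention).
SAMPLE_INVENTORY = [
    {"name": "crm-db", "location": "eu-west-1", "fields": ["email", "full_name", "phone"],
     "access": ["sales", "support"], "encrypted_at_rest": True, "tls_in_transit": True,
     "lawful_basis": "contract", "retention_days": 730,
     "shared_with": [{"name": "mailing-vendor", "processor_agreement": True}]},
    {"name": "hr-files", "location": "on-prem", "fields": ["full_name", "health_condition"],
     "access": ["hr"], "encrypted_at_rest": False, "tls_in_transit": True,
     "lawful_basis": "legal_obligation", "retention_days": None, "access_restricted": True},
    {"name": "web-logs", "location": "eu-central-1", "fields": ["ip_address", "user_agent"],
     "access": ["ops"], "encrypted_at_rest": True, "tls_in_transit": False,
     "lawful_basis": None, "retention_days": 30,
     "shared_with": [{"name": "analytics-saas", "processor_agreement": False}]},
    {"name": "build-cache", "location": "eu-central-1", "fields": ["artifact_hash"],
     "access": ["ci"], "encrypted_at_rest": False, "tls_in_transit": False},
]

# Constructed detection time used to illustrate the 72-hour clock.
SAMPLE_DETECTION = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
    print("notify authority by", breach_notification_deadline(SAMPLE_DETECTION).isoformat())
```

Running it prints five findings: two for `hr-files` (no encryption at rest, no retention period), three for `web-logs` (no TLS, no lawful basis, shared with a vendor that has no processor agreement), and none for `crm-db` or for `build-cache`, which holds no personal data and so is skipped. The inventory record doubles as the data flow chart the article recommends: when a breach is detected, the `location`, `access` and `shared_with` entries are what you need in the first hours, and `breach_notification_deadline` gives the 72-hour cut-off.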

Best practices
The introduction of GDPR is a groundbreaking turning point in how global enterprises process and protect personal data. Aligning an enterprise's privacy functions and internal systems with GDPR best practices is not a simple task, but it is one every enterprise needs to work at.
Mature data privacy or security programs will have completed the minimum compliance preparations for GDPR by or around May 25, 2018. After that date, I suggest you go back and check whether your data privacy program has any gaps.
During implementation, the four basic measures above need to be carried out to a good practice standard, and the enterprise also needs to prepare for global privacy standards that continue to rise. This is not only a requirement of regulations such as GDPR, but also a competitive business characteristic arising from society's growing attention to data privacy.