Jump-starting Risk Assessment for GDPR Compliance

Small and medium-sized businesses (SMBs) everywhere are bracing themselves for the new General Data Protection Regulation (GDPR). Scheduled to come into force from May 2018, GDPR applies to any organisation – regardless of size or resources – that processes or stores data containing personal particulars, or personally identifiable information (PII), of EU citizens. Short of time or money to invest, and without the luxury of compliance teams, data protection officers or legal experts to advise them, it can be hard for SMBs to know where to start. Furthermore, many SMBs are unfamiliar with data security best practice. This perceived weakness makes the average SMB more likely to be targeted by cyber attack than a large enterprise.

There is one process, however, that can help both GDPR compliance and reduce exposure to data breaches. It’s known as Risk Assessment.

Risk Assessment comprises half a dozen basic steps that even the smallest firm can follow in order to be GDPR compliant.

Assemble the right team
The compliance team should include anyone responsible for managing or processing PII. Start with the stakeholders — who is most likely to be affected by GDPR? This usually means those in charge of handling customer relationships alongside the heads of marketing, HR, IT and legal. Appoint a Data Protection Officer to head this team – they will have overall responsibility for GDPR compliance.

Study other compliance standards and frameworks
GDPR lacks specific procedures and precise definitions, so use other compliance standards and frameworks, such as PCI DSS, as a starting point. They may have a different purpose, but their primary goal of protecting sensitive data is the same.

Know your data
Classify the types of data you collect and store. Before you can begin to assess risks you need to know which data is sensitive, where it resides and who has access to it. Data classification is also essential for responding promptly to auditors’ requests, spotting security incidents, identifying their root causes and fulfilling data portability requirements. Adopt a single platform for data governance and policy management. This will help avoid data storage fragmentation – a great risk to data integrity and therefore to regulatory compliance.

Identify your unique risks
Identify the risks specific to your organisation and classify them in terms of severity and likelihood using categories like high, moderate and low. Determine exactly which valuable assets could be harmed by each risk. Each organisation will have its own unique set of risks and possible consequences. A risk matrix can be a valuable cheat sheet to help ensure nothing is missed.

Determine your risk/benefit ratio
GDPR asks businesses to carefully weigh the benefits of processing data a certain way against the attendant risks. This means different organisations may score the same threat differently according to the chances of it occurring versus how effective mitigation measures might be. “The processing of personal data should be designed to serve mankind,” says GDPR. If this means storing more personal data you can do so — just don’t forget to weigh up the need to process that data against the risk of storing it.

Repeat Risk Assessment continuously
GDPR requires risk assessment to be an ongoing process. This means constantly monitoring new data, discovering new risks, re-evaluating risk levels, taking mitigation action and updating the action plan. Ensuring these measures are aligned with GDPR requirements requires full visibility into controls, processes and practices at all times. This may mean, for example, having greater insight into and control over access permissions in order to minimize the risk of sensitive data being accessed by unauthorized people.

In business nothing ever stays the same for long. The organization is constantly evolving, growing the customer base and adopting the latest information systems. At the same time, advances in technology allow cyber attackers to develop increasingly sophisticated threat techniques. Effective protection for sensitive data requires organizational risks to be continuously assessed for new vulnerabilities. It is also the only way to be sure users have done nothing that weakens the company’s overall security posture.

In summary, GDPR simply demands that every organisation fully understands its own unique security vulnerabilities and takes appropriate steps to reduce or eliminate them. Regular checks are also required to ensure security best practice keeps pace with changes in the business. Unlike other industry regulations that require inspection by external auditors, GDPR is entirely self-policing. Provided you can demonstrate that the security systems you have in place are adequate for your business, complying with GDPR is relatively straightforward.


By Matt Middleton-Leal, GM, EMEA of Netwrix Corporation