Report | 5 mins
Getting GDPR Right: A Ten-point Checklist for the New CISO
Being a CISO is all about getting the basics right.
One of the basics that a new CISO has to be extra vigilant about is compliance.
As a cybersecurity partner, helping with CISO transition comes as an unwritten yet significant part of Hadrian’s job requirement. Hadrian has helped several new CISOs, particularly in European businesses, manage the vast array of compliance requirements in the region.
The biggest of all compliance norms, however, continues to be the GDPR. While the application and the ambit of specific sections vary according to the situation and region, we can always prepare well with getting our basics right in compliance in the European region.
Here is a ten-point checklist to start with:
1. Appoint a Data Protection Officer (DPO)
The Data Protection Regulation (Regulation (EU) 2018/1725) obliges all EU institutions and bodies to appoint a DPO. This individual will oversee GDPR compliance and must have sufficient resources and authority. Ensure the DPO reports directly to senior management, as this role is essential in the European context due to strict GDPR regulations.
2. Maintain detailed records of data processing activities
Article 30 of the EU General Data Protection Regulation (GDPR) mandates that organizations keep internal records detailing all personal data processing activities conducted by the organization. Document the purpose of each processing activity, the types of data involved, the data subjects, and the recipients of the data. These records should be readily accessible for inspection by supervisory authorities.
3. Conduct data protection impact assessments (DPIAs)
For processing activities that pose high risks to individuals' rights and freedoms, conducting Data Protection Impact Assessments (DPIAs) is essential. These assessments help identify and mitigate risks. Regularly review and update DPIAs to keep them relevant and effective.
4. Handle data subject rights requests
Implement clear procedures for managing requests from individuals exercising their GDPR rights. This includes rights to access, rectify, erase, restrict processing, and data portability. Ensure you can respond to these requests within the required time frame, usually one month.
5. Establish a lawful basis for processing
Each data processing activity must have a lawful basis under GDPR. Whether it’s consent, contractual necessity, legal obligation, vital interests, public task, or legitimate interests, identify and document it. Ensure that consent is obtained transparently and that individuals can easily withdraw their consent.
6. Develop a data breach response plan
A well-defined data breach response plan is vital. Train all staff to recognize and promptly report data breaches. If a breach occurs, notify the relevant supervisory authority within 72 hours and inform affected individuals if the breach poses a high risk to their rights and freedoms.
7. Manage international data transfers
If your organization transfers personal data outside the EU, ensure compliance with GDPR requirements for international data transfers. Use approved mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or ensure the recipient country has an adequacy decision from the EU. Certain sectors have to follow specific international agreements for data transfers, such as the Passenger Name Records (PNR) and the Terrorist Financing Tracking Programme (TFTP).
8. Implement robust data security measures
Ensure that appropriate technical and organizational measures are in place to secure personal data. This includes encryption, pseudonymization, access controls, and regular security audits. Work closely with your trusted cybersecurity partner to ensure complete compliance and the establishment of strong security measures.
9. Conduct regular training and awareness programs
Regular training sessions on data protection principles and GDPR compliance are essential for employees. Raise awareness about your data protection policies and procedures. Ensure all staff understand their responsibilities regarding data protection and privacy.
10. Develop and update data protection policies
Create comprehensive data protection policies that cover all aspects of data processing, security, and compliance. Compliance reporting automation helps you immensely here. Regularly review and update these policies to reflect changes in regulations or business practices. Make sure these policies are effectively communicated to all employees.
Additional Considerations
ePrivacy Directive Compliance: Ensure compliance with the ePrivacy Directive, particularly regarding the use of cookies and electronic communications. Obtain explicit consent for the use of cookies and provide clear information about their purposes.
National Regulations: Stay informed about additional data protection and privacy regulations specific to each EU member state where your organization operates. Ensure compliance with these local laws and guidelines that complement GDPR.
You need not shoulder the responsibility of executing all the basic steps needed to get your footing firm as the new CISO. Hadrian simplifies the intricate world of cybersecurity with our collective expertise compiled into a detailed three-step guidebook specifically designed for new CISOs.
To download our e-book to gain the essential strategies and insights you need to thrive in your role as a CISO, click here.