The European Union General Data Protection Regulation (GDPR) becomes fully enforceable on May 25, 2018. According to recent surveys, 60% of companies polled are going to miss the deadline; it's a sobering number considering how severe the fines and penalties could be for companies found to be noncompliant in the aftermath of a security breach. The reality is many businesses still do not understand what compliance with the GDPR really means.
With perhaps a few exceptions, every business that collects personal data from customers, clients, and vendors is going to experience a security breach where that data is exposed, compromised, and/or stolen. This inevitable fact is just one of the costs of doing business in an interconnected world. The GDPR does not, and cannot, expect businesses to patch unknown security vulnerabilities or avoid security incidents altogether. However, the GDPR does require businesses to make every effort to mitigate the damage that security breaches do to people, particularly EU citizens.
To that end, it is vital that all enterprises take measured and documented steps to close security vulnerabilities, prevent security breaches, and mitigate the risks when prevention fails. The mere fact that an enterprise made a substantial and documented effort in this regard could be enough to establish GDPR compliance and avoid substantial fines and penalties after a security breach.
Here are 10 specific things your enterprise can and should do in preparation for the GDPR compliance deadline of May 25, 2018. (Note: The items on the list are not presented in any specific order; all of them are important, and progress on each should be well documented.)