The General Data Protection Regulation (GDPR) continues to be a major source of concern for IT staff across the US. It is pushing IT organizations outside their relative comfort zones and forcing them to adopt higher security standards, many of which are common-sense best practices. Being found non-compliant means paying dissuasively large penalties that could cripple an SMB. Organizations with security programs that already include information security audits and ongoing program development will have a solid foundation of policies, controls and practices to build on. For those still working towards GDPR compliance, there are some free tools and services that can be very helpful. Don't get hung up on the fact that these tools and services are free; when used correctly, they can provide significant value.
Let’s first run through the basics.
The What
GDPR is a European Union regulation that protects the personal data of those residing in the EU and seeks to unify privacy law across the EU member states. Published in May 2016, GDPR entered into force in all EU member states shortly after publication, and its provisions apply and become enforceable from May 25, 2018. The General Data Protection Regulation differs from EU Directives in that it is a regulation and, as such, is directly applicable in every member state without being rewritten into national law, which ensures consistency across the EU. EU Directives, by contrast, require each member state to transpose them into its own national legislation, with some room for interpretation.
The Who
GDPR focuses on protecting the data and the privacy of the individual, which means the personal data of people in the EU is protected regardless of whether the data controller and/or data processor is located outside EU jurisdiction. If an organization processes the personal data of those residing in the EU, for example by offering them goods or services or by monitoring their behaviour, then that organization needs to protect the personal data and privacy of those individuals according to the GDPR. It is also important to note that protection follows the data subject's location rather than citizenship: US citizens living in the EU are protected under GDPR, but EU citizens who live and work outside the EU are not.
The How
The General Data Protection Regulation has more reach than other rules and requirements governing the privacy and security of personal data. It’s driving impacted organizations to adopt stronger security baselines and to implement more effective practices around protecting personal data. This includes the requirement for data controllers, data processors, and their relevant third-party vendors to implement processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processes. Under GDPR, responsibility is shared by data controllers, data processors and relevant third-party vendors.
We have curated this list for budget-constrained IT departments that have limited resources but still need to improve their security posture and privacy practices.
The free tools and services highlighted in part one of this post are focused on providing guidance, checklists and tools that help with key aspects of GDPR compliance. In part two of this post we will focus on free tools and services that help with testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing (Article 32).
Data Protection Self-Assessment Checklists provided by the ICO (UK Information Commissioner's Office):
- This self-assessment toolkit was created with SMBs in mind. Use the ICO's checklists to assess your compliance with data protection law and find out what you need to do to make sure you are keeping personal data secure. It includes a controller's checklist, a processor's checklist, an information security checklist, a direct marketing checklist, a records management checklist, a data sharing and subject access checklist, and a CCTV checklist.
Cloud Security Alliance | Code of Conduct for GDPR Compliance:
- This free resource provides cloud service providers (CSPs), cloud customers, and potential customers with much-needed guidance in order to comply with the new obligations stemming from the European General Data Protection Regulation (GDPR).
Vendor Security Alliance | Vendor Questionnaire:
- Need help evaluating your vendors for GDPR compliance? The VSA questionnaire is an industry security standard for assessing third parties that can be leveraged to check vendors against the EU General Data Protection Regulation (GDPR) and similar regulations.
OneTrust Privacy Management Software (Free Edition):
- Readiness Assessments: OneTrust Readiness Assessments provide a guide for organizations to gauge their position to meet the requirements of Privacy Shield, GDPR, and Binding Corporate Rules (BCR) for Processors and Controllers. The Readiness Assessments provided by OneTrust have been generated by subject matter experts within the IAPP community, credited at the start of each assessment.
- Assessment Automation: OneTrust Assessment Automation assists privacy professionals in identifying and tracking the use of personal information across the organization. Assessment Automation helps operationalize Privacy by Design (PbD) to comply with GDPR requirements.
- Data Inventory & Mapping Tool: As part of the new GDPR requirements regarding Records of Processing Activities (Article 30), organizations need an easy way to document the flow of personal data throughout their systems. OneTrust breaks this process down into manageable steps: inventory, attributes, assessment and reports. It then provides the tools to track the risks associated with the movement of that data.
- Cookie Consent Tool: OneTrust Consent Management for Cookies provides website owners with a transparent mechanism for obtaining the required cookie consent from website visitors and respecting Do Not Track requests, helping organizations comply with EU cookie laws. Consent Management for Cookies includes continuous website scanning against a 5.5M-entry cookie database, a flexible interface for managing visitor consent, and a customizable visitor preference center.
- Data Subject Access Rights Portal (DSAR Portal): The OneTrust Data Subject Access Rights (DSAR) Portal gives organizations the ability to tailor a branded web form, linked from the company's privacy policy page, as well as the ability to receive notification of a submitted request, validate the requester's identity, and automatically file an extension if the one-month response deadline is approaching.
Microsoft Partner GDPR Tools and Slide Decks:
- Lots of quality resources. Includes: GDPR Discovery Toolkit | GDPR FAQ | GDPR Assessment (Short-list) | GDPR Detailed Assessment | Security Practice Development Playbook | Resources for GDPR Compliance