Identity and Access Management (IDAM) – Having the proper IDAM controls in place limits access to personal data to the employees who are authorized to handle it. The two key principles in IDAM, separation of duties and least privilege, ensure that employees have access only to the information and systems applicable to their job function, and that no single person can both perform and approve a sensitive action. In practice this means role-based access tied to the data inventory, periodic access reviews, and prompt de-provisioning when someone changes role or leaves.
Data Loss Prevention (DLP) – Relevant to GDPR, DLP helps prevent the unauthorized disclosure of personal data. DLP controls add a layer of protection by inspecting data as it moves (email, web uploads, removable media, cloud sync) and blocking or alerting when personal data is about to leave the organization's network or the systems approved to hold it. Its effectiveness depends on knowing what personal data looks like in your environment, so classification and data discovery come first.
Pseudonymization & Encryption – Pseudonymization is something the GDPR "advises" but does not strictly require; it is listed as an example of an appropriate technical measure rather than as a mandatory one. However, if an incident leads to a personal data breach, the supervisory authority will consider whether the organization responsible had implemented these types of technical controls, and GDPR Article 34 removes the duty to notify affected data subjects when the breached data was rendered unintelligible to unauthorized parties, for example by strong encryption with keys that were not compromised. Encryption may include field-level encryption in databases, encryption of entire data stores at rest, and encryption for data in transit; protecting data in use is harder and typically relies on limiting which processes and roles can decrypt at all. Note that pseudonymized data is still personal data under the GDPR as long as the additional information needed to re-identify it exists, so the mapping or key must be kept separately and access-controlled.
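The following Go program is an added example, not code from the original article, showing the two techniques side by side on a single record: a keyed (HMAC-SHA256) pseudonym that keeps records joinable for analytics without being reversible, and field-level AES-256-GCM encryption of the same column. The record layout, the two demo keys derived from fixed strings, and the function names are assumptions made for the illustration; binding the ciphertext to the row ID through the AEAD's additional data is the choice a practitioner would make so that a ciphertext copied into another row is rejected rather than silently decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is a constructed sample row (not real data) as the application sees it.
type Record struct {
	ID    string // primary key; not personal data by itself
	Email string // direct identifier of the data subject
}

// StoredRecord is what actually lands in the database table.
type StoredRecord struct {
	ID          string
	EmailPseudo string // keyed hash: joinable across tables, not reversible
	EmailEnc    []byte // AES-256-GCM: nonce || ciphertext || tag
}

// Pseudonymize maps an identifier to an HMAC-SHA256 pseudonym: equal inputs stay
// joinable, but without the key the mapping cannot be reversed or confirmed by
// guessing candidate identifiers, which a plain unkeyed hash would allow.
func Pseudonymize(key []byte, identifier string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField protects one column value. aad (the record ID) is authenticated but
// not encrypted, so a ciphertext copied into another row fails to decrypt there.
func EncryptField(key, aad, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per value
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptField reverses EncryptField and rejects any modified ciphertext or aad.
func DecryptField(key, aad, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(data))
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// Protect builds the stored form. The two keys are separate secrets, so an
// analytics role can be given pseudoKey without ever holding encKey.
func Protect(pseudoKey, encKey []byte, r Record) (StoredRecord, error) {
	enc, err := EncryptField(encKey, []byte(r.ID), []byte(r.Email))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{ID: r.ID, EmailPseudo: Pseudonymize(pseudoKey, r.Email), EmailEnc: enc}, nil
}

// Reveal recovers the plaintext; only a holder of encKey can do this.
func Reveal(encKey []byte, s StoredRecord) (Record, error) {
	email, err := DecryptField(encKey, []byte(s.ID), s.EmailEnc)
	if err != nil {
		return Record{}, err
	}
	return Record{ID: s.ID, Email: string(email)}, nil
}

func main() {
	// Fixed demo keys derived from strings; in production they come from a KMS/HSM.
	pk, ek := sha256.Sum256([]byte("demo-pseudonym-key")), sha256.Sum256([]byte("demo-encryption-key"))
	s, err := Protect(pk[:], ek[:], Record{ID: "42", Email: "alice@example.com"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: pseudonym=%s ciphertext=%x\n", s.EmailPseudo, s.EmailEnc)
	back, err := Reveal(ek[:], s)
	fmt.Printf("revealed: %+v err=%v\n", back, err)
	s.ID = "43" // transplant the ciphertext onto another row: the AAD check fails
	_, err = Reveal(ek[:], s)
	fmt.Println("transplanted ciphertext rejected:", err != nil)
}
```

The split between the two keys is the point of the design: a reporting system that only needs to count or group by subject receives the pseudonym key and never the decryption key, which is what makes the pseudonymized copy materially safer if that system is breached. Unkeyed hashing of emails or national ID numbers does not achieve this, because an attacker can hash candidate values and match them.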
Incident Response Plan (IRP) – A mature Incident Response Plan should address the phases of preparation, identification, containment, eradication, recovery and lessons learned. For GDPR the identification and containment phases matter most: the GDPR requires a personal data breach to be reported to the supervisory authority within 72 hours of becoming aware of it (Article 33), so the plan must define how responders determine what personal data was affected and who decides on notification inside that window.
Third-Party Risk Management – Processors are bound by their controller's documented instructions, must themselves comply with the GDPR, and can be held liable for incidents involving loss of or unauthorized access to personal data. Sub-processors must be engaged only with the controller's authorization and are bound by the same contractual obligations through their agreement with the processor. As you can see, GDPR compliance is just as important for third-party relationships as it is internally, as long as those third parties process, store, or transmit personal data of EU data subjects. A data processing agreement, a current list of sub-processors, and evidence of the processor's security controls are the minimum a controller should hold for each such relationship.
Policy Management – A policy must receive enterprise-wide buy-in, backed by training, so that security controls are actually maintained and updated in a constantly changing cyber security environment. Put it all together and, if the policies are managed and followed accordingly, policy management is the foundation on which GDPR readiness and the controls above are built.