How to prepare for the GDPR

and turn it from foe to friend

The EUs new General Data Protection Regulation (GDPR) aims
to align the privacy regulatory environments in Europe. Many
organizations are uncertain about how to cope with the requirements,
and see the new regulation and its penalties as a threat. This guide
shows how to turn GDPR from foe to friend.

nexusgroup.com
contact@nexusgroup.com
 Guide
How to prepare for the GDPR

How to prepare for the GDPR

and turn it from foe to friend
The EUs new General Data Protection Regulation (GDPR) aims to align the privacy
regulatory environments in Europe. Many organizations are uncertain about how
to cope with the requirements, and see the new regulation and its penalties as a
threat. This guide shows how to turn GDPR from foe to friend.

GDPR enters into application May 25, impact assessment, which states what
2018. The regulation is complex and personally identifiable information (PII)
intertwined with other regulations and is collected and how that information is
laws, but the 6 pillars of the GDPR are: maintained, protected and shared.

The right to be forgotten. Consent.

Organizations have to erase personal If personal data is to be collected,
data at the subjects request, without
undue delay.
Privacy by design.
Systems and technology across the
organizations need to be designed
to limit data collection, retention and
accessibility.
Breach notifications.
Organizations have to notify the
supervisory authority about data
breaches involving personal data no later
than 72 hours after becoming aware of
the breach.
Users have the right to be informed
about data breaches involving their
personal data.
Risk and impact assessments
Organizations have to perform a privacy
organizations have to get valid and
explicit consent from the individuals.
The organizations must also be able to
prove that they have gotten consent.
Individuals may withdraw their concent.
Parental consent is required if personal
data is to be collected about children
under the age of 16.
Data portability.
Upon request, organizations have to
provide individuals with their personal
data in a structured and commonly used
format.
Organizations that fail to have the
routines and documentation in place that
GDPR requires can get fines of up to 2%
of their global revenue. Serious breaches
against the regulation can lead to fines of

nexusgroup.com
contact@nexusgroup.com 2
up to 4% of a companys global revenue.
This has created great attention all
the way to the top management in
organizations handling personal data
about EU citizens, which almost all
European organizations and many
organizations outside of the EU do.
GDPR is a good thing for the privacy of
the individual. It shifts the power to the
users: the service providers no longer
own the data about the individuals and
cannot do whatever they want with the
data.
But contrary to what many believe
GDPR can also be beneficial for most
organizations. If an organization does
not know where its data is or have
insufficient security and access controls
in place, it is running a risky business.
Organizations fulfilling the requirements
given in the GDPR will have better
control, better security and run less
operational risk. You can also choose
to take the opportunity to make the
interactions with your external users
more frictionless, as well as making your
internal users work easier.
GDPR does not need to be a foe for
organizations. By following the to-do list
below, you will turn GDPR into a friend.
1. Appoint a person, who knows your
business and your technology landscape,
to be your organizations own GDPR
expert.
2. Make sure you understand your
current regulatory environment. In cases
where GDPR and your current regulatory
environment contradicts, you need to
follow the existing laws and regulations.
3. Understand the security organization
and systems you have today. If you do
not follow basic security practices like
patching of software or having firewalls
in place, this has to be fixed as soon as
possible. It is advisable to follow a well-
known scheme like ISO 27001, since it
makes the process smoother and also
makes it easier to obtain a certification
at a later stage.
4. To protect sensitive data from
peering eyes, username and password
is not enough. You need to use strong
authentication. Bear in mind that you also
need to ensure strong authentication
when you delete a customer and their
data imagine what happens if you
wrongly erase data belonging to another
person. Organizations in the Nordic
countries may choose to let their users
authenticate with their nation-wide
electronic identities (eIDs), such as
BankID, NemID and Tupas. The benefit
with using these eIDs is that you serve
your users with their familiar login and
document signing mechanisms, which
can remove much of the user friction and
support issues expected to follow the
new regulation.
5. Understand and document the
necessary changes you need to do on
both the technical and the business side.
Examples on the technical side can be
what you have to do to be able to delete
information upon request, improve
access control to data and servers, and
encrypt sensitive data. On the business
side you need to look into how you
handle communication, how you are to
get informed consent from users, and
how you are going to present, move and
delete personal data in a secure manner.
nexusgroup.com
contact@nexusgroup.com 3
6. The GDPR requires you to make risk
and vulnerability analysis for sensitive
data. This also means that you have to
classify the data.
7. Document how you are going to
follow the regulation. Start early a
data protection agency (uncomfortably)
near you may very well ask for the
documentation sooner than you think.
8. Go through all vendor agreements
and make sure the vendors are
contractually bound to comply with the
GDPR requirements. To make sure that
the vendor (and the vendors vendors)
operates in Europe is very likely a good
idea. Choosing a cloud-based service
outside Europe may even be illegal in
some cases, so local cloud providers may
very well win over global giants in the
next few years.
9. Restricting access to sensitive data is
not just about managing digital access
managing physical access to buildings
and server rooms is also important. A
hot tip is therefore to get an identity
and access management (IAM) system
in place. For the sake of security,
consistency and manageability, you may
want to choose a system that manages
both the physical and digital world in one
system. Look for a system that integrates
with all your physical access control
systems (PACS) and manages all digital
identities for people, software and things
(internet of things, IoT).
Following the to-do list above means
that you:
- Know what data you have and where based authorization and single sign-on,
your data is.
- Have identified your risks and card readers.
vulnerabilities.
- Have implemented routines and
supporting technologies that restrict
access to personal data.
- Can prove that you follow the GDPR.
- Know what you can expect from your
partners and what responsibilities you
cannot outsource.
- Have upgraded the overall security of
your organization.
Living up to the GDPR is not an easy task,
and it involves a lot of different disciplines
and people. An important part of solving
the compliance puzzle is to choose the
right supporting technologies.
Identity and security company Nexus
Group can contribute to your GDPR
compliance by providing the following
technologies:
- Everything you need to issue and
manage identities across your entire user
base. This includes internal users needing
access to your buildings, rooms, computer
systems, and cloud applications, as
well as all of your external users, such
as customers, citizens and partners.
Handling this in one single system is a
tremendously efficient way of enforcing
and documenting the policies you need to
have in place in May 2018.
- Tools to enforce your policies for
digital and physical access across your
organization. We can help you replace
cumbersome password policies with easy-
to-use strong authentication on multiple
platforms. We enable fine-grained, role
and we also offer products for physical
access control, such as access cards and
nexusgroup.com
contact@nexusgroup.com 4
- The ability to log everything that
happens in the systems and to see who
has access to what, which is important
for auditing purposes.
- Digital signing, which makes the
process of delivering and deleting
personal information upon request
smoother and more automated.
Nexus believes in making life as easy
as possible for your users, both internal
and external. By choosing the right
supporting technology to live up to the
GDPR you are not only making GDPR
your friend you are making yourself a
better friend of your users too.
GDPR might not be your most easy-
going friend, and with all the work and
cost this friend brings to the table you
might have enjoyed another friends
company more. But since this friend has
invited themselves, you better make
the most of the situation and turn it
into something positive for both your
organization and your users.
nexusgroup.com
contact@nexusgroup.com 5
About Nexus Group
Swedish-owned Nexus is an innovative and rapidly growing product
company that develops identity and security solutions.
Our technology makes it cost-efficient and user friendly to protect
e-commerce or internet banking, protect electronic services in the public
sector, manage physical and digital access, secure entry, and protect
communication between devices.

The very basis of all security, both physical and digital, is the creation,
management, and control of identities. We have made identities that
are reliable for people, software, and devices since 1984, and our
technology today is relied upon by a large number of organizations
and 100 million end users around the world. We are 300 employees at
15 offices in Europe, India, and the US, and we have a global network
of partners.

Contact us Social media

Tel: +46 8 685 45 60
E-mail: contact@nexusgroup.com