If your organization is like most, you may be freaking out about the upcoming General Data Protection Regulation (GDPR) enforcement date of May 25, 2018. As a CISO, there is a significant role to play, whether you are the Data Protection Officer (DPO) or not. To manage GDPR compliance, I have a strong partnership with our legal counsel, something I strongly encourage to ensure your company meets the requirements of GDPR. Without it, you may risk both damage to your reputation and fines of up to four percent of global revenue.

If you read the GDPR articles, you'll see that many of the 99 articles leave it up to the reader to determine the actionable items for their company. There aren't always clear control points or actions to take, and many articles do not provide a clear understanding of what is truly permissible as it relates to consent and to processing and maintaining personally identifiable information (PII). As such, I've done my best to decipher the regulation and have come up with a few key work items that should cover most organizations. In addition to the items I've outlined below, I'd also recommend the following resources: (1) the GDPR Data Protection Impact Assessment from ISACA and (2) Microsoft's GDPR Assessment Toolkits.

Although my company is not a large processor of PII, we are a security software development company, and our customers have an expectation that we are GDPR compliant. We process PII in our sales, marketing, and HR departments, as well as logs through our security cloud offerings. Therefore, we've had to invest and take the steps necessary to protect our prospect and customer information.

Awareness and training

It is unlikely that you are staffed up or have a dedicated GDPR team (reporting to the Data Protection Officer) to handle all EU PII across your company. As such, you have to raise awareness with the owners of this data and of the systems used to process it. If you can get them to understand the requirements of GDPR and how they are impacted, you can often use them to ensure compliance across their respective groups, moving the DPO team into a management and oversight role. (See GDPR Article 39.)

Vendor and data inventory

You can only protect and control what you know about. You need to understand who your vendors are, what their role is as it relates to the processing, maintaining, or storing of EU PII, and whether they have adequate controls in place and can attest to those controls. The good thing is that many companies that supply products or services have proactively taken steps to attest to their compliance with GDPR, often by using updated contractual language (e.g., Data Processing Agreements), publishing attestation documents, or sharing the results of a privacy impact assessment (PIA).

In addition to your vendors, you must also understand where PII is and its associated data flows and processes:

Where does data move?
Who has access?
Is there a data owner?
Are there control points for the data (so you have the ability to secure the data, control access, and remove PII on request across your organization)?

All the data flows and custodians of that data, both inside and outside of your company, need to be mapped out, classified (often at the system level), and documented. (See GDPR Article 30.)

Data governance

This doesn't mean that you are required to have a full-blown data classification and retention project. However, you will need a way to classify data as containing PII. If you don't need the PII, you might want to consider getting rid of it altogether, or, at minimum, limit the time you store the data. You can start by focusing on the key systems and roles that contain the majority of your potential EU PII. It would probably make sense to classify all data in these systems as containing PII rather than classifying the individual data elements. In our case, we leverage many SaaS providers for processing our PII, so we have labeled those providers as such. (See GDPR Article 32.)

Develop processes for the right to be forgotten

Now that you have the data inventory mapped out, you should have a clear understanding of the employee roles and systems that contain or have access to PII. It's now time to develop your processes around the "right to be forgotten."

The processes to forget EU PII from your systems can be either manual or automated. It really will depend on the ability of your systems to remove this data entirely and your ability to integrate the "right to be forgotten" into your workflow when acquiring, storing, processing, or maintaining EU PII. The key is to document these processes, so you can both prove to an auditor that you have them and also ensure that you can do this consistently moving forward.

In our case, we've built some automation in our workflow to take actions when EU employees or our customers onboard or offboard. We've also had to create manual processes (where clean technology integrations don't exist) for our ingestion of sales lead information (whether that's someone requesting information from us online or at a tradeshow or conference). (See GDPR Article 17.)

Document your legal basis for processing PII

Article 6 of the GDPR provides six different bases for processing of PII, ranging from express consent from the data subject to processing necessary for a "legitimate interest." You should assess your data inventory and ensure that you can trace and document a legal basis for processing. For example, for our business and our customers, we rely in part on Recital 49 of the GDPR, which states that certain processing of personal data proportionate to the purposes of ensuring network and information security is a legitimate interest. However, this doesn't arbitrarily exempt my company or our customers from other provisions of the GDPR, such as the rights of the data subject and the obligations of the data controller and data processors to implement appropriate levels of security.

Data protection or privacy impact assessments

If you are a service or product provider, you may want to contract with a third party (e.g., a law firm) to conduct a Data Protection Impact Assessment or a Privacy Impact Assessment. This is your attestation that you meet the intent of the controls outlined in GDPR and have validated that with an outside expert. Alternatively, you could consider using a self-attestation template from organizations like ISACA (mentioned earlier). This might be especially useful for companies that do not process consumer data. Although it can look intimidating, the template from ISACA really walks the user through the applicable code sections and requirements. (See GDPR Article 35.)

Data processing agreements

These are documented agreements specific to GDPR that speak to the roles (of the vendor or your own) associated with the processing of EU PII; the details of the processing; how you protect, access, transfer, and destroy the data; and the rights of the data subjects. (See GDPR Article 28.)

Implement monitoring and response

You need to know whether your PII is being moved to places it shouldn't be and whether your processes for GDPR are actually working. In many audits, you get asked to provide evidence of this, and you don't want to be generating it at the time of the audit. Additionally, your incident response processes and procedures are something you cannot forget. You will need to develop or update them to include steps for responding to incidents involving EU PII. The lack thereof could have significant ramifications for your company, regardless of whether it's an incident involving EU PII or another significant incident. There are many companies that provide technology to help you with this, and it would be a sound investment to obtain this capability. (See GDPR Article 33.)

Test your processes and procedures

I think it goes without saying that you don't want to be in the position of testing your procedures when you're under the gun of an audit. You need to test your procedures early and often to ensure they are sound and meet the intent of the GDPR regulation. In many companies, technology and people change quite frequently, and you need to ensure that your processes and procedures take that into account.

Although GDPR may appear daunting, difficult to understand, or hard to implement, there are many freely available resources at your fingertips that can help you and your company with organizing information, tracking compliance with specific articles, and overall demonstrating compliance with GDPR. If you focus your attention on the key areas listed above, it should help streamline your processes and accelerate your roadmap to GDPR compliance.