GDPR: Now the Real Work Begins
The EU’s General Data Protection Regulation (GDPR) deadline has come and gone. But in the trenches, the rollout has just begun — interpreting and addressing “best practices” security requirements, assessing the impact now that major players, such as Google and Facebook, have changed their data sharing policies, analyzing customer reactions, and keeping an eye on investigative and enforcement actions. If you’ve been wading through GDPR preparations for the past year or so, you already know this is not a set-it-and-forget-it regulation. The unprecedented international reach of this legislation represents an ongoing commitment to protecting sensitive data, providing data subjects with access to and control over their information, and continuously monitoring and improving all parts of the data ecosystem.
The Heat is On
The privacy and security tasks outlined in GDPR requirements are enormous and endless. And as everyone should be well aware by now, the potential penalties for compliance failures are significant. Of course, there are many companies who weren’t completely compliant before the deadline. They will need to set priorities, conduct gap analyses, and get serious about meeting their obligations. During the early phase of enforcement, information commissioners in charge of overseeing GDPR compliance in each country will certainly be looking for flagrant violations in order to emphasise the gravity of the rules and make examples of negligent organisations. In other words, the next several months would be a particularly bad time to experience a data breach involving personally identifiable information, especially if your organisation’s GDPR response is slow, ineffectual, or incomplete.
Adding fuel to the fire, the GDPR deadline has converged with the fallout from extremely high-profile events that have put a spotlight on the data privacy debate: the massive Equifax breach; the Facebook-Cambridge Analytica scandal; and the relentless stream of attacks on retail businesses, restaurants and hotels, hospitals, and banks. Individual data privacy rights are rather suddenly a hot topic across the US, and the debate is likely to heat up as midterm elections ramp up in an already tumultuous political environment. It is increasingly hard to keep quiet about data privacy failures, and nearly impossible to claim ignorance of what’s at stake.
The GDPR affects any organisation that handles the personal data of European Union (EU) residents, regardless of where it is processed. The rules add another layer of complexity, not to mention potential cost and associated resources, to the issue of critical information asset management that so many organisations are already struggling to address. As American businesses continue to transform in order to take advantage of digital technology and data-driven capabilities, few organisations will completely escape GDPR obligations.
However, organisations will benefit from the uniformity introduced by the reform and will evade having to circumnavigate the current array of often-contradictory national data protection laws. There will also be worldwide benefits as countries in other regions are dedicating more attention to the defence of mission-critical assets. At the Information Security Forum (ISF), we believe that the GDPR has the potential to serve as a healthy, scalable and exportable regime that could become an international benchmark.
Global businesses, including those in the US, EMEA and Asia, that fully commit themselves to GDPR compliance will be ready for regulations that may emerge in response to Equifax, Facebook, election interference, and whatever big data scandal comes next. Even without new regulations, given the current pushback, global businesses should seriously consider the problem of damaged public trust and figure out how to maintain and project a reputation for corporate responsibility.
Leading organisations are looking beyond compliance, by extending the breadth of GDPR compliance programs to leverage additional benefits. Examples include:
- Consolidating activities into broader information governance programs
- Embedding information security into the design of business applications and technical infrastructure
- Improving data protection and privacy practices
- Extending information security’s reach within the business.
The Finer Points
So, what should your organisation be doing now that the deadline has passed and it’s time to dig into the details?
- First, figure out where all your customer data is. You can’t protect and defend data if you don’t know it exists, where it is stored, and how it is used and processed.
- Second, conduct a gap analysis. If your company is not in good data shape, you must identify the key areas that require assessment and remediation, and tick those off your list as quickly and thoroughly as possible.
At this point, you’ll incur some costs; you’ll need to focus resources on those gaps and you’ll probably need some external support from GDPR experts. You should aim for complete visibility into your current state and a detailed plan for what you want to achieve and how to move expeditiously toward those goals. Set up regular review processes, document all efforts, and make sure that all stakeholders are on board and understand the rules and the consequences of not following them.
For companies that have been working diligently on preparations and are essentially compliant, this is the time to focus on the finer points of the regulation, and to put policies and processes in place to ensure that the ecosystem of service providers, vendors, and partners can be managed in a comprehensive but streamlined manner. Larger companies should have a Data Protection Officer (DPO) in place, and SMEs should assign equivalent responsibilities to a senior employee, retaining outside expert help when needed.
Remain on High Alert
This is definitely not the time to be talking about “winding down” your GDPR efforts. That would be the equivalent of walking off the racetrack just as the start signal is given. May 25 was the starting line. It’s important to remember that we never know which way regulators and legislators are going to go until they act. Also, data breaches can happen anytime, to any company. Now is a bad time to bet that GDPR enforcement won’t affect your organisation.
In the event of a complaint, breach, or audit, information commissioners will not tolerate “I didn’t know” or “I’ll have to look into it, I run a large organisation” as answers. You have to know, you have to be confident that you have the right processes in place, and you have to be able to defend them as being reasonable and compliant.
Supervisory authorities are government-appointed bodies that have powers to inspect, enforce, and penalise the processing of personal data. Around the world, authorities enforce data protection requirements, most notably the Federal Trade Commission (FTC), which has substantial regulatory powers.
Supervisory authorities will investigate any complaint that they receive through a variety of measures such as audits, and reviews of certifications and codes of conduct. Complaints may be received not only from the data subjects themselves but also from any organisation or association that chooses to complain or has been chosen by a data subject to represent their interests.
These authorities have a variety of corrective powers from which to choose, including the ability to issue warnings and reprimands to controllers or processors. Far more substantial powers include compelling an organisation to process data in certain manners, or cease processing altogether, as well as forcing an organisation to communicate data breaches to the affected data subjects.
No organisation that operates on a global footprint of suppliers can afford to be negligent or to fall behind on GDPR compliance. The checklist of rules requires extreme preparation and responsibility, all of which must be shouldered by the organisations. GDPR affords individuals new and enhanced rights and freedoms and holds organisations responsible for enabling them. This is a risk best managed by establishing an enterprise-wide GDPR program.
Making Sense of it All
Even though negative ramifications are already emerging, most experts have done their best to put a positive spin on GDPR. One thing is certain — GDPR enforcement in the context of emerging trends will compel most industries and digital organisations to think long and hard about data privacy issues. It’s an opportune time to rally everyone in your organisation to participate in the discussion and work around data privacy protections and building trust with customers. Every employee should consider protecting data to be their individual responsibility. It’s important for all types of staff — executives to marketing managers — to understand the requirements and consequences, the importance of following related policies and procedures, and the imperative of assessing and monitoring third parties. We recommend proactive education on these topics and audits to gauge how successful those efforts are.
Building a corporate culture that prizes and respects data privacy will pay dividends for years to come. Every organisation should carefully analyse the risks and rewards of its own data protection investments; in the aftermath it is clear that many companies overspent on limited aspects of the new law instead of taking time to approach the issue holistically. If your company has managed to reach a solid state of GDPR readiness, turn to translating those obligatory actions into tangible business benefit. Structure your GDPR programs to exploit these opportunities and develop the resilience and capabilities to meet future regulatory challenges, consumer expectations, partner requirements, and threats.
Just as we are nowhere near being finished with GDPR work, we are most definitely not approaching the end of the privacy debate. We will need the expertise and tools we are developing now to address every new scandal, unprecedented breach, and disruptive consumer tech trend that comes our way. The ISF has prepared a number of different guides, the latest of which is The ISF’s Implementation Guide for GDPR, which is available on our website. The guide walks organisations through the preparation process and is an excellent reference point for all of your GDPR needs.
About the Author
Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
For more information: www.securityforum.org