Have You Asked These 9 Questions About GDPR?
Security | Jun 13, 2017
Enforcement of the new EU General Data Protection Regulation (GDPR) goes into effect on May 25, 2018 with the potential for significant penalties for non-compliance.
With 11 months remaining before GDPR goes into effect, you might assume everyone is charging ahead and getting ready… right? As it turns out, many are not. In a recent survey our team conducted with the help of SC Magazine, 24% of companies say they will not be compliant by May 25 of next year. Another 30% are working on compliance but do not have a timetable for rollout. Only about 16% of businesses surveyed have reached advanced stages of compliance planning.
As the first, but certainly not the last, major global data privacy regulation, the GDPR is seen as a bellwether for many international businesses thinking through how they should manage cross-border data sharing, customer privacy, and sensitive data management.
Understanding data is the core of GDPR compliance: where it resides, how it is managed, and who has access. Less than one year before the enforcement deadline, organizations need to ask (and answer) important questions about how they are managing data. Finding the answers to the questions below will help organizations prioritize the technology solutions and investments needed over the next year to prepare for GDPR.
What counts as sensitive data?
First off, sensitive data takes different forms within every organisation. Retail firms may be most concerned with customer financial data, while pharmaceutical companies may prioritise the protection of trade secrets and intellectual property. While there are common forms of personal identifying information (PII) and personal sensitive information (PSI) like credit card numbers, social security numbers, addresses, etc., there are also unique sets of data related to intellectual property, trade secrets, or other corporate data that may be very sensitive to an organisation.
The ability to define custom parameters for sensitive data is imperative for risk management solutions. Only then is it possible to properly discover and protect all high-risk, high-worth data across the enterprise.
Where is data located, why is it stored, and how long is it kept?
Organizations need to have a clear answer to all three questions.
Historically, data was generally stored across multiple geographic locations. Now, security teams must deal with data stored in “borderless” cloud data stores. Security teams also need to analyse and differentiate between private networks, cloud repositories, and third-party applications like file shares, Office 365, etc. to completely map where sensitive data is stored in a multi-dimensional landscape. At the same time, we are dealing with an exponential increase in the volume of data being created and stored.
So not only do security teams have to find data in a more complex world; new regulations like GDPR also require organizations to define the purpose for saved data and the retention period of data stored or archived. The where, what, when, and how of data are all critical questions for security and information governance teams to understand.
Can you draw me a map?
Mapping the data landscape can be a helpful tool for organizations looking to avoid common issues with data sprawl and data retention. For example, sensitive information often leaves an organisation by accident as data stored in hidden spreadsheet rows, included in notes within employee presentations, or buried in a long email thread. Companies can avoid accidents like these by scanning the enterprise for sensitive data at rest to understand where data is located, creating an accurate map, and then removing that data from unauthorized locations.
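The two ideas above, organisation-specific definitions of sensitive data and a scan of data at rest that produces a location map and a list of unauthorized locations, can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the article or from Guidance Software. The corpus of "files", the two organisation-specific identifiers (a PRJ- project code and a CONFIDENTIAL-TS marker) and the location policy are all constructed for the example; the card numbers are publicly known test numbers.

```python
"""Sensitive-data discovery over data at rest with custom data types.

Added example for this page (not the article's or Guidance Software's code).
The corpus, policy and organisation-specific identifiers are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters most 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class DataType:
    name: str
    pattern: re.Pattern
    validator: Callable[[str], bool] = lambda _m: True   # optional false-positive filter


# Common PII/PSI categories plus two hypothetical organisation-specific ones.
DATA_TYPES = [
    DataType("credit_card", re.compile(r"\b(?:\d[ -]?){15}\d\b"),
             lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    DataType("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    DataType("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    DataType("project_code", re.compile(r"\bPRJ-\d{4}-[A-Z]{2}\b")),        # hypothetical
    DataType("trade_secret_marker", re.compile(r"\bCONFIDENTIAL-TS\b")),   # hypothetical
]

# Constructed stand-in for extracted file contents (path -> text).
CORPUS = {
    "finance/cards.xlsx": "Hidden row 37: 4111 1111 1111 1111 John Doe",
    "shared/notes.txt": "Test card 1234 5678 9012 3456 is a placeholder; reimburse to 5500 0000 0000 0004",
    "hr/onboarding.pptx": "Speaker notes: SSN 123-45-6789 for onboarding",
    "mail/thread.eml": "Re: PRJ-2024-AB status. CONFIDENTIAL-TS design attached. -- jane@example.com",
}

# Where each data type is allowed to live (path prefixes). Types absent from
# the policy are unrestricted. Constructed for the example.
POLICY = {
    "credit_card": ("finance/",),
    "us_ssn": ("hr/",),
    "project_code": ("engineering/",),
    "trade_secret_marker": ("engineering/",),
}


def scan(corpus: dict[str, str]) -> dict[str, dict[str, int]]:
    """Return {location: {data_type: validated hit count}} for locations with hits."""
    findings: dict[str, dict[str, int]] = {}
    for location, text in corpus.items():
        hits = {}
        for dt in DATA_TYPES:
            n = sum(1 for m in dt.pattern.finditer(text) if dt.validator(m.group(0)))
            if n:
                hits[dt.name] = n
        if hits:
            findings[location] = hits
    return findings


def data_map(findings: dict[str, dict[str, int]]) -> dict[str, set[str]]:
    """Invert the findings into the 'map': data type -> set of locations."""
    out: dict[str, set[str]] = {}
    for loc, hits in findings.items():
        for name in hits:
            out.setdefault(name, set()).add(loc)
    return out


def unauthorized(findings: dict[str, dict[str, int]], policy: dict) -> list[tuple[str, str]]:
    """(location, data_type) pairs where a restricted type sits outside its allowed prefixes."""
    bad = []
    for loc, hits in findings.items():
        for name in hits:
            allowed = policy.get(name)
            if allowed is not None and not any(loc.startswith(p) for p in allowed):
                bad.append((loc, name))
    return sorted(bad)


if __name__ == "__main__":
    found = scan(CORPUS)
    for dtype, locs in sorted(data_map(found).items()):
        print(f"{dtype}: {sorted(locs)}")
    for loc, dtype in unauthorized(found, POLICY):
        print(f"REMEDIATE {dtype} in {loc}")
```

The validator hook is what makes a custom definition usable: the placeholder card number in `shared/notes.txt` matches the pattern but fails the Luhn check and is dropped, while the real test number in the same file is reported and, because the policy confines card data to `finance/`, lands on the remediation list. In practice the corpus would come from text extracted out of spreadsheets (hidden rows included), presentation notes and mail stores rather than from an inline dictionary.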
Who has access to sensitive data?
Once the questions of ‘what constitutes sensitive data?’ and ‘where is that information stored?’ are answered, organizations need to address access rights. Rights should be based on roles and responsibilities within relevant departments or business functions.
Unauthorized access to PII is a major source of risk and organizations are often shocked by who has access to information within the company. To help mitigate this risk, employee training is critical to ensure sensitive data stays with authorised personnel. Organizations need to involve HR to educate everyone about the importance of proper data handling. Understanding the value of data reinforces its significance as an asset that needs to be protected, just like physical property.
When is data being transferred?
Perhaps the most important question for GDPR compliance deals with the circumstances around data transfer. Organizations need to understand what happens when personal data is transferred from within the EU to countries outside the European Economic Area (EEA). GDPR stipulates that organizations cannot transfer this data unless appropriate protections are in place. It's important to note the very strict definitions of data transfer and requirements under new cross-border data privacy regulations like GDPR. For example, if a user in the United States views – just opens and views – a file located in the EU, that is considered a data transfer.
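The rule stated in this section, that a user outside the EEA merely opening a file held inside the EU counts as a transfer, is simple enough to check against access events. The following is an added example for this page, not code from the article or from Guidance Software. The access events, the EEA country set and the `safeguard` field (a hypothetical attribute recording whether an appropriate protection has been put in place for that recipient; the article does not name specific mechanisms) are all constructed for the example.

```python
"""Flag cross-border access to EU-held data that lacks a recorded safeguard.

Added example for this page (not the article's or Guidance Software's code).
Events, country set and the 'safeguard' field are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# EEA as used by this example: EU member states plus Iceland, Liechtenstein and
# Norway (ISO 3166-1 alpha-2). Keep such a list current from an authoritative source.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}


@dataclass(frozen=True)
class AccessEvent:
    user: str
    user_country: str      # where the user is when the access happens
    file_path: str
    file_country: str      # where the data is held
    action: str            # view, download, edit, ...
    safeguard: Optional[str]   # hypothetical: recorded transfer protection, or None


def is_transfer(ev: AccessEvent) -> bool:
    """Per the article's rule, any access (even a view) from outside the EEA
    to data held inside the EEA is a transfer."""
    return ev.file_country in EEA and ev.user_country not in EEA


def unprotected_transfers(events: list[AccessEvent]) -> list[AccessEvent]:
    """Transfers with no recorded safeguard: the cases needing attention."""
    return [ev for ev in events if is_transfer(ev) and not ev.safeguard]


# Constructed access log.
EVENTS = [
    AccessEvent("alice", "US", "/eu-share/contracts.docx", "DE", "view", None),
    AccessEvent("bob", "FR", "/eu-share/contracts.docx", "DE", "view", None),
    AccessEvent("carol", "US", "/eu-share/customers.xlsx", "IE", "view", "contract-clauses"),
    AccessEvent("dave", "NO", "/eu-share/customers.xlsx", "NL", "download", None),
    AccessEvent("erin", "IN", "/us-share/roadmap.pptx", "US", "view", None),
]


if __name__ == "__main__":
    for ev in unprotected_transfers(EVENTS):
        print(f"UNPROTECTED TRANSFER: {ev.user} ({ev.user_country}) "
              f"{ev.action} {ev.file_path} held in {ev.file_country}")
```

Note that `bob` (inside the EU), `dave` (Norway, in the EEA) and `erin` (accessing US-held data) are not transfers under this rule, `carol` is a transfer but has a safeguard recorded, and only `alice`'s simple view is flagged. Mapping which files are held where, the subject of the earlier sections, is what makes the `file_country` field available in the first place.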
How is data managed?
Understanding the answers to the previous questions allows an organisation to begin building a data-centric privacy strategy to reduce digital risks. Doing so requires an up-front investment of thought, energy, and, yes, budget. In 2016, the Ponemon Institute found that the global average cost of a data breach was US$ 4 million (£3 million), and rising. This does not include additional – and growing – regulatory, legal, and reputational costs. Risks can never be fully eliminated, but with a data-centric approach, they can be managed.
Protecting data and ensuring compliance with the new regulations, like Privacy Shield, is about asking simple, but inherently challenging, questions. Trust is something businesses work to establish with customers every day and, once lost, it is very difficult to regain. Proactive data management policies, combined with the right technology solutions, will make it much easier to comply with the new regulations and reduce digital risk for any business.
Are the right stakeholders involved, and, if not, how do I involve them?
In 2017, sensitive data management and compliance must be priorities for the C-suite and members of the board. Ideally, organizations will already have a Chief Information Security Officer (CISO), CIO, or CSO with responsibility for information governance/data risk management who also manages cybersecurity.
Unfortunately, responsibility for data risk management is still often spread across many departments and stakeholders including IT, Legal, Security, etc., without a clear chain of command. Clarifying responsibility will be an important part in ensuring successful management and an ability to demonstrate compliance.
After establishing accountability, ongoing education is imperative. Most corporate boards lack cybersecurity or digital risk management experience. Bring senior business leaders together at regular intervals for education sessions and risk mapping to build shared understanding. When mapping digital risk, evaluate exposure and potential business impacts. Tying digital risks to business risks creates a common ground and shared vocabulary.
If unclear on where to start, contact the Audit Committee. They will most likely already be discussing cybersecurity risks with the auditors. If there is not a cybersecurity or technology related subcommittee on the board, this is a great place to start.
What technology solutions are needed to ensure compliance?
Testing of both technology and processes is an excellent way to take senior leadership one step further. New technology is also continually evolving, and the area of proactive data security is growing.
Organizations should regularly review spending priorities and consider how existing and new tools support changing compliance and security needs. GDPR compliance provides an extra incentive to do this evaluation now, as it will involve a range of tools. Some of the critical solutions needed include:
- Data Classification tools
- Governance, Risk, and Compliance (GRC) tools
- Enterprise Information Management (EIM)
- Mobile Data Management
- Collection tools
The breadth of systems and components necessary to demonstrate compliance is another reason to establish clear accountability and a reporting structure all the way up to the C-suite and board.
Conclusion – Are you prepared to pay?
Finally, while regulations like GDPR can at times seem onerous, the need to better understand how data is created, stored, used, and shared is real. Unknown data is a massive business risk.
When considering the costs and processes associated with compliance, organizations also need to remember that penalties for non-compliance with GDPR can be substantially higher than other compliance penalties – up to 4% of worldwide revenue with a €20 million cap.
The digitization of almost everything continues to ensure that cybersecurity and digital risk management will only continue to become more important. The best-prepared organizations will coordinate security, digital risk management, and compliance at the most senior levels. Those that do not will likely face more significant breaches and greater costs associated with mitigation, remediation, compliance, and reputational damage.
Patrick Dennis is the President and CEO of Guidance Software.