GDPR: Data-Protection Soul-Searching, Not Just Compliance
March 2018 by Tarek Jundi, Managing Director, Middle East
With just a couple of months to go, reports and surveys frequently indicate that CIOs and business owners are concerned about and unprepared for GDPR. And the race is on, with a Veritas study indicating that more than half of organisations are yet to start work on meeting the minimum requirements set by GDPR. Many organisations are looking to bring their cyber procedures and capabilities up to scratch ahead of its becoming enforceable, May 2018. But, with an evolving IT threat landscape, new technologies introducing new risk, and a cyber-skills deficit, it’s important that CIOs and IT directors not only focus on this critical deadline but also look beyond it.
From large enterprises to SMEs, many organisations are shifting their traditional business model away from physical assets in favour of a data-driven business model. Cloud, mobility and the advent of Internet of Things are driving this digital transformation, introducing new challenges that organisations must navigate to ensure citizens’ and employees’ data is protected.
While the combination of new technologies and the new regulation may seem an insurmountable task to manage over the next 12 months, CIOs and IT directors should look at GDPR as an opportunity. Rather than approaching it separately and in isolation, the new regulation has put a price on cybersecurity and secure data management—bringing it to the attention of the C-Suite. CIOs and CISOs should harness this opportunity to get the budget and procedures in place that will enable them to transform their organisations’ approaches to cybersecurity, and reposition IT as a function that enables business transformation and growth.
This will have a dramatic impact on a number of current security challenges many IT teams are facing, such as the massive growth in Shadow IT. According to a recent McAfee Labs Report, almost 40% of cloud services are now commissioned without the involvement of IT, and unfortunately, visibility of these Shadow IT services has dropped year on year. 65% of IT professionals think this phenomenon is interfering with their ability to keep the cloud safe and secure. This is not surprising given the amount of sensitive data now being stored in the public cloud and more than half (52%) of respondents report that they have definitively tracked malware from a cloud SaaS application.
For the first time, GDPR gives CIOs and IT leaders the authority to clamp down on shadow IT in their company, with the support of the rest of the board who fear the ramifications of GDPR.
Better Late Than Never – Getting Started on the GDPR Journey
There are specific requirements in the Regulation—reporting breaches, reviewing processing in advance, making sure vendor contracts have particular language. But GDPR makes a larger and more fundamental ask: That each company look carefully and studiously at its environment, evaluate the data it holds, and “implement … measures to ensure a level of security appropriate to the risk.” It’s a sort of data protection soul-searching designed to protect people and their data from harm. And this perspective challenges organizations to embrace the spirit of the law and be accountable for it, not just to tick a box.
“Appropriate” and “adequate”—tough words in a security context—are found repeatedly in the GDPR. The regulation suggests that “(i)n assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.” That sounds like a basic risk assessment. But what should you consider in this high-stakes risk assessment, and how do you get to where you can say you have appropriate security?
Remember: This isn’t legal advice—each company has to decide for itself what it needs to do to comply with GDPR but I would suggest you consider these steps as ways to get started on the journey:
1. Scope. Know what you have. We can’t protect what we don’t know we have. This is a good time for companies to figure out how and where they hold personal data—and not just of EU residents, and not just for its EU affiliates.
2. Protect. Know how you are protecting those assets. Are you doing the basics? Could you do more? Are your peers doing more? Are you following your data classification policy in automated ways or just expecting employees to know it? Do you delete unnecessary data?
3. Monitor and detect. Do you have technologies in place (such as encryption, data-loss prevention or anti-virus software) to protect those assets from malicious actors, loss, unwanted leaks? And do you know what to do if something goes wrong?
4. Review. Do you have a process to make sure that all new applications or cloud services are reviewed and that you know how you are using them? Are you implementing data protection by design by thinking of privacy and security at the very beginning of any project?
5. Then repeat. The regulation requires “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Some of the specifics of what the regulation requires will take years to truly understand as regulators and courts issue rulings on what comes in front of them, and companies will have different paths to compliance with GDPR. But at the core of the regulation is knowing what you do with the personal data of your employees and customers, and making sure you have stopped to consider the risks inherent to personal data in your business.
Thinking of GDPR as an opportunity to review the robustness of your data protection program and to make reforms that are good security, good business, and the right thing to do turns GDPR from a many-headed monster into healthy data-centric reform. After all, the GDPR tells us that “(t)he processing of personal data should be designed to serve mankind.”