Unsurprisingly, organisations both inside and outside Europe are already beginning to scramble in terms of knowing how they are going to enact GDPR and implement the requisite level of controls inside their business.
Timing is everything
The issue here comes down to timing. If a firm is aware that a data breach has occurred, it has a responsibility to be able to prove that it has taken steps to address the breach situation in a timely manner, and this in itself will impact the amount of fines that may be levied.
If we look at firms like pharmaceutical manufacturing giant Reckitt Benckiser, the breadth and size of its operation means that it has always had a big challenge in terms of identity management from a data management perspective.
Using Reckitt Benckiser as our example here, we can see that it has a large amount of data residing in Customer Relationship Management (CRM) systems, search engines and various pieces of research relating to the individuals who buy its products.
The question is: what data resides where, who can access it, which policies govern its availability and how is it managed on an ongoing basis?
Policing policy controls
The danger this type of firm faces in terms of potential identity theft is part of what the GDPR is enforcing i.e. firms need to question whether they have policy controls in place to ensure that this type of information has not been released into the market or across the web at large. Or indeed, where it has, equally, firms need to be able to account for where that information has been released.
So are companies working to become compliant with GDPR and accepting the responsibilities they must adopt to be able to lock down information and address breach notification responsibilities effectively?
We know that breach notification in the US has been arguably better and regulators have felt that similar legislation in Europe (and EMEA as a whole) has been somewhat underserved. But these inequalities only go to show how much disparity and disconnectedness there is in this space.
Let’s take Australia as a further example. The country has also had a data privacy act that has been around for a while, but again, the general feeling across media reports, industry analysts and stakeholder/practitioners themselves is that the controls and powers within this act are not up to scratch.
Practical steps to address GDPR
We now need to map the legislation emanating from the GDPR onto how companies are working to hold onto their data. This means looking at how firms are using passwords to protect data, what type of encryption they are using on each type of data, how firms are classifying each type of data… and so on.
In this way, firms can start to gain a qualitative and quantitative notion of what they are actually doing with what data. Different types of data have different levels of significance in relation to the GDPR. For example, data on what a credit reporting company thinks about a specific customer is far more sensitive than simple name and address info, which is essentially less sensitive. We work at exactly this pain point i.e. being able to categorize and manage information flows within any given organization for any given IT workload.
7 Steps to GDPR compliance
1 - Foundations - A maturity assessment is needed to help a firm know where it is in relation to being at a point of compliance. It is also at this point that we establish whether the company is hosting any EU citizen data in the first place.
2 - Policies - Firms need to establish and amend organisational policies & procedures to match GDPR requirements supporting CIAR (Confidentiality, Integrity, Availability & Resiliency).
3 - Staff - Firms must appoint a DPO (Data Processing Officer) because this is mandatory in every organisation. Also, at the staff level, firms should involve all stakeholders and get their buy-in to successfully implement GDPR requirements
4 - Detection - Firms need to be able to detect and assess changes to their data risk and security posture, in real time, at any time. In this way they will be able to analyze the severity of any data breach when and if it does occur. This detection process will also enable firms to scope out and calculate the cost (and financial impact of) any breach that does occur.
5 - Respond - All businesses will need to implement regular auto-executions of GDPR controls for related citations and build that control into a risk & security data auditing plan. Also at this point firms can accelerate remediation and orchestration through automation.
6 - Monitor - There is a real need to monitor use of data and gain real-time insight into the state of compliance to assess each firm’s risk posture. In doing so we can then track that risk status and use remediation controls when they become necessary. The monitoring process helps us quickly review the business services that are the most out of compliance and identify areas under the most duress to determine whether the issue is technical, training, or personnel related.
7 - Optimize & Predict - As we move ahead with the GDPR, firms need to create a dedicated knowledge base of articles to help responders quickly take care of repeat issues and to predict potential future threats/breaches.
Scope of data accountability
The key point is to understand GDPR applicability across all stakeholders and partners in any organization. Firms need to then put the processes and systems in place to address all areas that that are affected by the reality of GDPR. As each company works to address GDPR education inside their organization, they must also ultimately understand the scope of data accountability across their entire business.
In terms of how we can deliver on the needs of GDPR, each customer will be on a particular data-driven journey as they now embark upon the steps to GDPR compliance. Together we can progress forward and provide a platform to span and elevate us above the risk of data breach.