January 2018 Issue
A ‘game changer’ is how the EU’s forthcoming General Data Protection Regulation (GDPR) has been described by the Information Commissioner’s Office (ICO). Scheduled to take effect from May 2018, the regulation introduces new laws that will fundamentally change the way businesses can collect, use and transfer personal data. With the GDPR representing the biggest shake up in data protection legislation in 20 years, non-compliance is not an option. Businesses will need to use the remaining time wisely and tailor their strategies to ensure they meet their obligations.
Pfeifle: Could you provide an overview of the broad intent and objectives of the forthcoming GDPR, and the general trends that have led to its creation?
Lehmann: When the Data Protection Directive came into force in 1995 it was the first major attempt by the European community to standardise data protection rules in Europe. However, this attempt was only partially successful because the Data Protection Directive was only a minimum standard, at least in parts, and Member States found different solutions to data protection problems. Now, the General Data Protection Regulation (GDPR) is the latest attempt to achieve a real standardisation because it is binding in all Member States.
Douglas: The broad intent of the GDPR is to provide individuals with extended personal data rights within the new paradigm that is the digital economy. The GDPR will modernise existing data protection regulations and will harmonise the rules across Europe. As a result, EU data subjects will be able to engage digitally with private and public sector organisations and be confident that their digital identity and footprint is properly used and protected from harm. The core principles underlying the 200 pages of articles and recitals of the GDPR are that personal data should be used in ways which are fair, transparent and lawful, and used with consent.
Gibbard: The GDPR has granted the authority to enable EU citizens to have better control over their personal data. It is still the case that these modernised and unified rules will allow businesses to make the most of the opportunities of the digital single market by reducing regulation, and therefore benefiting from reinforced consumer trust.
Calder: The GDPR’s main objectives are to create a unified approach to data protection across EU member states, protect EU residents’ data, give people control over how their data is used and improve levels of compliance. The GDPR’s predecessor, the EU Data Protection Directive, was adopted in 1995 when only 0.4 percent of the total world population was using the internet. In 2017, this number has grown exponentially to 51.7 percent, confirming that the data protection legislation drawn up more than two decades ago can no longer cope with today’s technology and the incredible amount of information we share every day.
Trull: Broadly speaking, the GDPR is designed to provide greater control to an individual over the use of their personal data and ensure that companies storing and processing such data safeguard it accordingly. The GDPR is designed to strengthen personal privacy rights, increase the duty of companies for protecting personal data and require mandatory breach reporting. Internationally, there has been growing concern by governments and their citizens about the improper use and protection of personal data. Additionally, the growing number and size of data breaches raise concerns about the adequacy of data processors’ security practices and ability to protect consumer records.
Lamb: The general objective of the GDPR is to give European citizens control of their data. Historically, organisations have captured and acquired data by many means, and typically considered themselves to be the owners of that data. Few acknowledged that they were simply custodians and processors of the subjects’ data. The general trend which led to the creation of the GDPR was the increasing number of worldwide data privacy breaches. Cyber security has evolved from something that was niche outside of the defence and finance sectors; it is everywhere now and reflects how we use technology in increasingly more prominent ways.
White: Whenever you open a bank account, join a social networking website or purchase something online, you hand over valuable personal information such as your name, address and credit card number. Yet, few people appreciate what happens to this data, how it is protected and what rights they have once shared. Under the GDPR, personal data can only be gathered under strict conditions. It must be collected for a legitimate purpose and not used for any purposes other than those disclosed and agreed to. Furthermore, organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by the regulation.
Haq: The GDPR aims to harmonise data privacy laws across Europe and bring them up to date, given the rapid technological change that has taken place in the past two decades. Every so often, societies need to take a step back and look at whether existing legal frameworks are still up to the task of protecting people’s privacy and give businesses clear guidelines to do so into the future. The introduction of the GDPR follows extensive debate here in Europe on achieving the right balance between protecting personal data and enabling businesses to innovate to provide new products and services.
Pfeifle: In your experience, how proactively are companies that fall within the scope of the GDPR responding to its imminent arrival? Do any particular sectors need to move more quickly than others?
Douglas: Gartner predicts that by the end of 2018, more than 50 percent of organisations affected by the GDPR will not be in full compliance with its requirements. While some organisations began preparations for the GDPR early and are well advanced, others are feeling the pressure of the impending enforcement date. All sectors need to move fast. First, there are no signs that the GDPR start date will change. Second, the headline GDPR fines are eye-watering; but arguably the potential risk to an organisation’s reputation and brand can be more damaging than the potential fines for non-compliance. Third, in a complex digital economy, businesses that take a strategic approach to GDPR readiness will gain real opportunities to earn deeper customer trust, with both the market and the enterprise benefitting from better data management.
Gibbard: Based on conversations with chief information security officers (CISOs) and chief information officers (CIOs), most regulated organisations are almost complete and many other sectors are well down the path to being ready for GDPR. The challenge at the moment is for the small to medium businesses, as there are not enough resources with the relevant skills to be able to support their businesses.
Calder: According to our research, more than half of organisations have not updated their processes to comply with the regulation’s new data subject rights. This figure confirms that – unlike the early adopters of the GDPR – businesses worldwide still have a significant amount of work to do to achieve compliance. 2017’s WannaCry and NotPetya cyber attacks are proof that organisations, particularly in the healthcare and finance sectors, are not well prepared and lack the technical controls and procedures required to respond to current threats.
Trull: Global companies and those with significant operations in Europe are aware of the impending enforcement deadline for the GDPR and generally have compliance initiatives underway. That said, many companies are finding that they need to accelerate their activities due to the effort it takes to implement such changes in a large and complex enterprise. Large, complex organisations that routinely collect personal data to deliver goods and services need to be particularly focused on moving quickly as the effort to achieve compliance is greater and the scrutiny on their operations will be higher.
Lamb: Many organisations will not be compliant by the GDPR deadline. Yet if you look at what the GDPR is actually stipulating, it is basically good business practice. Many organisations ask whether they should put all their customers in scope, or just the European ones to meet the demands of the GDPR. In the interests of good practice, why would a company not scope all its customers? Additionally, there are organisations which believe they have the GDPR covered even though they have not carried out due diligence to identity the gaps. Other organisations are aware that they do not comply and have apparently decided to assess the potential fines, wait for test cases and then act.
White: Most large to mid-sized companies are taking GDPR compliance very seriously and are motivated to meet their compliance obligations as best they can. Companies are scrambling to document their internal data flows, policies and procedures, and to understand the basis of cross-border data transfers. While all sectors that collect and process personal data need to move with due speed, certain sectors do need to move a bit faster than others.
Haq: For those large companies that already have a robust approach to data protection, for example those that adhere to world-class standards like ISO 27018, the importance of GDPR and the process toward compliance is well understood. For companies, many of which are in the tech sector, which act as data processors, as well as data controllers, this is especially critical and preparations have been underway since before the legislation was even adopted. The compliance journey will, of course, be more challenging for smaller businesses which have fewer resources to dedicate to it.
Lehmann: In Germany, a recent survey found that a majority of companies have already begun to adapt their processes to the new data protection regime. There were differences as to how far these companies had achieved compliance with the GDPR, but all of them were, at least, busying themselves with the GDPR and had initiated compliance projects. However, 13 percent of those surveyed stated that they deliberately did not want to pay attention to the GDPR, for whatever reason. It is foreseeable that this will lead to trouble because there are reliable rumours that regulators in Germany are currently preparing for comprehensive monitoring activities this year.
Pfeifle: Are there any particular aspects of the GDPR which you believe will place a significant burden on companies, in terms of meeting their obligations?
Gibbard: In addition to identifying the assets in ownership across the company and where data is stored, businesses must also be aware of their data ‘supply chains’. This involves knowing where data comes from and where it is being shared. According to EU GDPR regulations, “the responsibility of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established”. In other words, businesses will remain responsible for customer data when a third party has it. Collaboration with suppliers on their security procedures is therefore necessary. Any of these endpoints can be vulnerable to a security attack, and without understanding where or how the data is shared, a business is fighting a battle it simply cannot win.
Calder: A significant number of organisations lack the right level of competence and resources to understand the requirements of the regulation and implement the necessary processes and procedures for data processing activities. The GDPR requires organisations to identify a lawful basis for processing and provide evidence of compliance. To meet these requirements they will need to review their current processes, policies, privacy notices, subject access requests (SARs), consent and much more in order to make the necessary changes and address any operational challenges that could impact processing activities, product development or any other areas of the business.
Trull: For large, complex organisations, it will be challenging to maintain a current and accurate inventory of the systems processing and storing personal data, along with the third parties that either have access to the data or are integral to the processing of such data. This has always been a challenging area for companies and will continue to require significant effort. Also, unlike previous privacy regulations, the GDPR suggests the kinds of security actions that may be considered appropriate, including the pseudonymisation and encryption of personal data, and processes for regularly assessing the effectiveness of security controls.
Lamb: The GDPR’s biggest burden relates to privacy. Companies may struggle to identify what data they hold and where it resides. Where is data stored? Is it replicated in the cloud? Answering such questions can get complicated very quickly. One area of concern is Bring Your Own Device (BYOD). Although the BYOD trend can be a good thing, the idea of personal data existing on unmanaged devices, particularly from a GDPR perspective, is deeply troubling. So there is an opportunity for organisations, particularly service providers, to try and make BYOD work effectively.
White: The biggest obstacle thus far seems to be understanding exactly how far the new obligations under the GDPR go and how to operationalise them across the entire enterprise. Data is highly ubiquitous in large organisations, and it can be very difficult to ferret out all the places it is stored and all the ways it is being used. This is especially true when commingled with data from other sources that may be subject to an entirely different set of regulatory protections and obligations, such as the personal information of individuals from Asian or North or South American countries, each of which have their own data protection laws.
Lehmann: There is, first and foremost, the documentation obligation of the GDPR. That particular obligation requires that everything that is relevant for data protection in a company is not only implemented but sufficiently documented. This so-called accountability approach is dangerous because failure to comply could be punished with a fine of up to €20m or 4 percent of the worldwide turnover, according to the GDPR. Companies could find themselves thinking that they have done everything right, but get punished for insufficient recordkeeping which is not easy to explain and understand.
Haq: The extent of the work needed to meet GDPR obligations will vary greatly from company to company. It is important to remember that GDPR builds on and updates the existing data protection framework and many provisions are not entirely new. Where there are new requirements under GDPR they will require specific attention. For example, the concept of privacy-by-design is enshrined in legislation for the first time, requiring companies to design their services in a data-minimising way and embed privacy protections from initial conception to the end of the data’s lifecycle. This will involve significant mindset and procedural changes for companies that do not already work this way.
Douglas: The practical challenges are demonstrably acting to fulfil individual rights, tracking and governing an evolving picture of how and why personal data is being used in their organisations, protecting personal data in collaboration with a shifting set of third-party suppliers, and orchestrating decisions and determining appropriate actions to meet the 72-hour breach notification obligations. Perhaps the toughest challenge, however, is the culture shift. Leaders are working hard to enable ‘privacy by design’, so that everyone in the organisation is engaged proactively to keep personal data confidential, protected and minimised to what is needed by the institution with the consent of the individual – not easy when many business cultures are used to ‘hoarding’ data just in case it is needed or could be useful in the future.
Pfeifle: What initial steps do you recommend companies take to assess their unique personal data universe, audit the relevant data assets they hold, and identify any compliance gaps?
Calder: The first step is to understand the requirements of the regulation in order to allocate the necessary resources. It is also important that a director or a member of the senior management team is accountable for the project. The second step should be conducting a data audit or a data flow mapping exercise to build a complete picture of the data that the organisation stores and processes. Personal data can reside in many locations and can be stored in various formats, including paper, electronic and audio. A data audit also helps identify the types of data processed, where that data originates, who and what has access, and who is accountable. The challenge is to decide what information needs to be stored, identify compliance gaps, and implement appropriate technical and organisational safeguards. Finally, organisations should implement both an Information security management system (ISMS) and a personal information management system (PIMS) to ensure they have the correct documentation and appropriate controls to manage compliance with the GDPR.
Trull: Companies must first identify the personal data they collect and where it resides. This process is made easier if there is a data governance programme already in place, and data has been tagged and classified according to an enterprise taxonomy. If not, companies can work backwards from those business processes that collect and use personal data and then identify the IT resources, suppliers and contracts that are associated with the processing. Once that mapping is done, an audit of the security, privacy and legal controls should be performed and gaps identified and documented. The GDPR mandates certain requirements but suggests others and leaves it to the discretion of the company to decide the right measures to take based on risk.
Lamb: Companies should obtain legal advice to understand what the GDPR means for their business. They should understand the consequences of non-compliance and then undertake a ‘root and branch’ analysis of what data they store, its purpose and the rules governing its use. This will of course vary from company to company. Companies need to evaluate all the processes and procedures connected to the flow of data through their organisation and devise a plan to build awareness. At the same time, however, they should avoid getting carried away with the details in one area and neglecting others. Adopting a risk based approach to ensure the correct level of rigour is essential.
White: The most important things companies can do right now is data mapping. They must spend the time to fully understand exactly what personal information they collect, manage and process, from whom, for what purposes, and where and how it is being used. If they are unable to do this, they cannot even begin to understand their compliance obligations and what they need to do to close any gaps in this regard. This exercise should also look at international data flows and seek to understand what the legal basis is for legitimising transfers. It should also map out all the third-party service providers that are processing data and ensure that the proper contractual protections are in place.
Haq: It is helpful for companies to structure their preparations around a series of steps. An essential starting point is to understand how personal data is handled, shared and used within the organisation. Determining ownership and accountability for data protection compliance is also a vital early task. Other key steps in the compliance journey include ensuring there are appropriate legal bases for processing different types of data, understanding and accommodating the new rights that people have in relation to their data, ensuring that privacy by design is embedded into business processes, reviewing and updating breach management policies and procedures, and reviewing privacy policies and notices to ensure that essential information is communicated.
Douglas: If a business has not already undertaken a GDPR gap assessment then it should. However, most businesses have some level of gap analysis in place and are now focused on their ‘personal data universe’. There are two steps that organisations can take to assess the personal data that they hold – first, identify how and why you use personal data in your organisation. This will form the basis of your record of data processing activities under the GDPR. Second, prioritise work to ‘discover’ or scan across systems to locate exactly where actual personal data is stored so you can begin to take remediation action in the areas where it is most needed.
Lehmann: Companies should start with what they already have. Most of the time, companies already have a procedure index under German data protection law that is taken care of by the data protection officer. The next step is to update the index’s current status so that it covers all data protection activities. Following this, procedures should be adapted to the GDPR and, importantly, those processes should identify the procedures that require special attention in the context of the data protection impact assessment.
Gibbard: The first step toward being successfully compliant with GDPR is to understand where all your personally identifiable information (PII) is and what it contains, including sensitive data. This has been the problem for many a CIO and CISO, as many organisations have rogue departments that set up websites without any IT involvement. In most cases, these rogue areas are collecting PII and are sidestepping internal approval processes as they believe it takes too long for ‘IT to help’. This will involve an audit of all data held by the organisation, by all departments, to collate the data and analyse the responses. This is the most time-consuming task that needs to be completed to prepare for GDPR. Time is the one thing that everybody does not have with months left.
Pfeifle: Is the GDPR likely to cause companies difficulties in terms of adapting their existing data protection systems to the requirements of the new legislation? How important will it be for companies to bring all their data into one centralised system, for example?
White: Data protection is a necessary component of the GDPR, but it is only a small subsection of its overall obligations. Most of the GDPR has little to do with data protection itself. The regulation is primarily focused on protecting the rights to privacy of EU citizens. As such, it is certainly concerned with inadvertent information disclosure and loss, and requires data controllers and processors to ensure they take reasonable measures to protect against this, and to disclose data breaches involving certain thresholds of protected personal information. But most countries already have rather strict data security regulations and laws in place, which far surpass the data protection measures required by the GDPR, such as Germany’s IT Security Law.
Douglas: The GDPR is different in significant ways from current local data protection regulation, regardless of jurisdiction and so far, we have not come across an organisation which did not have plenty of work to do to adjust current processes and systems to be GDPR ready. We are not aware of one centralised system or tool that will ‘solve’ the GDPR. With the short timescales and limited change capacity before May 2018, organisations are focused on making policy and process changes. We recommend parties do not rely on policy and process change alone. This is often catalysing organisations to conduct a review of their existing security controls and remediating any gaps that they find.
Lehmann: Adapting data processing activities may cause trouble because companies have to adapt their own procedures to the new regime, as well as having an approach that limits processing to what is actually necessary to achieve a certain objective. It is apparent that suppliers are often not able to meet companies’ needs and supply requirements, such as software that is tailored to a limited use of data and which allows for the timely deletion of data. As for centralised databases, the problem will be to distinguish between data that needs to be stored for a long time and that which is no longer necessary.
Gibbard: The difficulties are not just GDPR related. As boundaries and networks expand into cloud services, outsourced partners, remote locations and mobile workforces, the challenge for legal and security teams is ensuring that data protection is met across all environments, wherever the data is kept or used. Data is moving outside of the typical ‘walled garden’ approach. Organisations need to expand the use of the systems they use to track and monitor the usage, but this now needs to ensure that all access is logged and kept for audit purposes going forward.
Haq: The GDPR is based around the principle of accountability. It requires companies to be aware of and protect all personal data during its lifecycle and ensure that their suppliers are compliant. It calls for a more proactive and holistic approach which permits flexibility to suit different business models. It also means that there is no one-size-fits-all approach to compliance. Whether and how companies need to adapt their systems will vary depending on multiple factors, including the types of data they process, how they process it and the nature of their existing processes and protections.
Lamb: In an ideal world from a compliance perspective, a company would store all of its data in one place. It would then be able to categorise that data, then apply appropriate security and monitoring controls. But this is probably not the reality for most organisations. We hear about breaches where millions of records are compromised from stolen laptops – why should anyone be carrying around millions of records? The reason, typically, is because they can; data storage has become vast, compact and inexpensive. It makes much more sense for individuals to only have access to the data they need for the job in hand. The mindset of giving everyone access to everything needs to change.
Trull: The more widely dispersed the personal data the more difficult and costly it will be for organisations to implement the appropriate procedures, processes and technical controls. Technologies that allow processors to automatically identify and catalogue in-scope data and then centralise the enforcement of controls should be prioritised, as this will result in greater efficiencies and effectiveness over the long term.
Calder: Organisations that have an ISMS or PIMS in place have already minimised the risks of a breach and completed at least half the work required to achieve GDPR compliance. ISO 27001, the globally recognised best-practice standard for information security management, provides an outstanding starting point for achieving the technical and operational requirements necessary to prevent a data breach under the GDPR. It also focuses on ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services. Many organisations will have to adapt existing systems to reflect the six data processing principles set out in the GDPR and consolidate databases to deploy encryption of data at rest and in flight.
Pfeifle: What methodologies, such as demonstrable controls, can be utilised so that data-related processes are as robust, maintainable and defensible as possible?
Haq: There are many different approaches to demonstrating that data controls are robust and well-maintained, but the framework that is used most widely in the industry was developed by the International Organisation for Standards (ISO) to help companies deliver innovative products and services. For example, the ISO 27018 standard defines how cloud providers which process personal information should approach data protection and privacy.
Gibbard: The best approach would be for the security teams to adopt the Center for Internet Security (CIS) top 20 security controls as a baseline. These will ensure that the appropriate controls are in place for any GDPR audit. If organisations have these in place and they are understood and well documented, it means that they can be tested by internal and independent parties.
Lehmann: The first step should be a structure of databases that makes it possible to tailor single slots to different kinds of data, so that a commingling of data for different needs can be prevented. The next step would be an access structure that matches the different purposes the different kinds of data will be processed for. And every access has to be sufficiently recorded. Moreover, it has to be possible that single sets of data can be altered or deleted in order not to fall foul of the rule that data shall only be kept as long as necessary.
Lamb: Data minimisation is critical, an immediate measured informed breach response is critical, as is having a clear, informed up-to-date understanding of what data the company handles. Under the GDPR, a company can only have strong privacy if it has effective security. Many frameworks are available to provide security, such as those based on the SANS 20 Critical Controls, payment card industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA) or the National Institute of Standards and Technology (NIST).
Douglas: We typically recommend applying a GDPR specific, demonstrable control framework which will enable the firm to not only understand and track operational and compliance risk, but also, in terms of longer running remediation activities, links to the achievement of measurable milestones. We do not expect the GDPR timeline to change, but given that many firms will not be ready, the regulator will likely want to monitor progress in a clear and measurable way. For this reason, some companies are developing business control based dashboards which link operational management with remediation progress.
Trull: Companies must be prepared to demonstrate that the proper controls were selected and operating effectively, and that the controls selected were appropriate for the risks involved. Companies should strongly consider the implementation of the suggested controls mentioned within the GDPR, unless there is a strong, risk-based decision that is thoroughly documented and supported.
Calder: To protect personal data, organisations need to understand the threats and take a systematic approach to determine how data can be exploited. Risk assessments consider regulatory, legal and contractual requirements, and are an excellent process for identifying risks against a set of defined criteria, determining a response based on those criteria and then selecting appropriate controls to treat them. Risk assessments tie into data protection impact assessments (DPIAs) and data protection by design and by default. An effective risk management process will help organisations recognise the risks of non-compliance and apply risk treatment ‘appropriate to the risk’ through demonstrable controls.
White: Businesses will need to significantly beef up their record keeping activities. Under the current Data Protection Act which the GDPR will replace, controllers are often required to notify their local data protection authorities (DPAs) of their data processing activities. Member States all have different notification requirements however, which has been troublesome for multinational controllers. Under the GDPR it will no longer be necessary to submit data processing or transfer notifications or registrations to each relevant DPA, nor will it be a requirement to obtain approval for certain transfers.
Pfeifle: In a world of growing cyber threats and data vulnerability concerns, how important is it for companies to establish a secure system in order to stay compliant with the GDPR?
Gibbard: As has been demonstrated by recent ransomware and cyber attacks, vulnerability management is important. Once vulnerabilities have been identified across the infrastructure and applications, organisations must ensure that critical patching occurs and systems are rebooted. The need for good threat intelligence that supports and works with the internal risk management and governance bodies is vitally important. Once decisions have been taken about the level of threats and risks, organisations need to understand potential business impacts so that the CIO, CISO or CRO can articulate this to the board. An anonymous security researcher who provided a quote on the Equifax breach is quoted as saying “it would have taken five minutes to stop that attack” – does your organisation want to take that risk?
Lehmann: From a German perspective, data protection and data security were always regarded as separate but equally important pillars of privacy. However, violations of data security were not dealt with as severely as problems with data protection in terms of attention by the regulators and fines. Now, security is on an equal level and, with respect to ever growing cyber threats, all companies will have to invest much money and put a lot of effort into security. While under current German law only sensitive data and bank or credit card data is subject to notification obligations and there is no fixed deadline, it will apply for all kinds of data under the GDPR and the deadline will be 72 hours.
Lamb: Companies need to analyse every area where personal data is held. This should be all encompassing, not just concentrated in the obvious places such as file servers, database servers and Big Data farms.
Douglas: The GDPR brings an obligation to notify the supervisory body in the event of a breach of personal data that represents a risk of harm or the restriction of freedoms of the affected individuals. The company may also need to notify the affected individuals. This presents two risks – first, a significant breach, or repeated breaches, may encourage the supervisory body to take a closer look at the affected company, and second, such a notification would be made public, with the potential for negative impact on brand.
Trull: Protecting the personal data entrusted to companies is a key aspect of the GDPR and is no easy task. It is critical that companies implement a strong set of controls that not only meet industry best practices and legal due diligence but that can also evolve quickly as the techniques and tactics of the adversaries change over time. If a breach occurs, it will be important for companies to demonstrate that they have properly assessed the risk associated with internal and external attacks against their data processing systems, and have deployed the right people, processes and technology to protect it.
Calder: Security systems are crucial to identifying and preventing cyber threats and managing operational risks. With new vulnerabilities identified and exploited by cyber criminals every day, many organisations will not be aware when their defences have been breached and need to take a proactive approach to data security before it is too late. A way to identify security weaknesses is through penetration testing. Organisations can use penetration tests to accurately evaluate their ability to protect networks, endpoints and users from cyber crime, identify vulnerabilities and prioritise remediation through controls and security patches. Penetration testing allows organisations to prove due diligence and implementation of risk-based controls.
White: Data security is but a small part of the GDPR and is eclipsed by the security requirements already imposed on most companies under different laws. However, one significant area of risk will be complying with the mandatory data breach notification requirements. Under the GDPR, data controllers must provide notice within 72 hours of first having become aware of any breach that is likely to “result in a risk for the rights and freedoms of individuals”. Data processors will also be required to notify controllers, “without undue delay”, after first becoming aware of a data breach.
Haq: A highly robust approach to security is an essential prerequisite to ensuring that data is properly protected. System security is just one element of a company’s overall security strategy. Traditionally, security teams took a systems-security centric approach to risk, focusing on tools like firewalls, anti-virus software and intrusion detection. While these are still necessary, the GDPR promotes a data-centric approach to data protection, one that looks at the whole lifecycle of personal data, including where it lives, how and when you store and process it, how it flows around the organisation and between different entities, how subjects can access it and how it is destroyed.
Pfeifle: How would you characterise the role that senior management teams have to play in achieving GDPR compliance? How can they ensure that the process is rolled out efficiently and effectively?
Douglas: There is real value to be won or lost in the way a business implements the GDPR, so it is critical that senior leadership takes the initiative. The digital economy is increasingly pervasive, complex and risky for individuals, and there is a real opportunity to reinforce brand values with customers and employees through demonstrable trust and protection in the digital market. The GDPR is also a catalyst for better data management and governance across the enterprise with related benefits for risk and compliance, financial management and operational effectiveness. Successful GDPR readiness requires active sponsorship at board level, not only to support operational and technical change across the business, but also in support of the culture shift that is required.
Lamb: Senior management teams must be committed to ensuring their business complies with the GDPR. Privacy and security are business risks hence need to be treated with the same degree of board engagement as traditional risks they are familiar with. The key to success regarding the GDPR for senior management is to have people around them who can talk business and technology while not getting lost in the detail of just one area. In relation to the GDPR, legal departments quite often take the lead, which may not be ideal if they get bamboozled by technology jargon, but gives a good alternative perspective to the technical people in the business. The board needs to talk in terms of risk and technology. They should also be asking for effective processes, procedures and awareness, not just technology.
Haq: How seriously a company takes data protection is dictated by the tone from the top. Senior leaders must understand and communicate the importance of GDPR compliance within their businesses and must facilitate it by ensuring appropriate resources, priority and senior level attention are placed on it. Just like security, data protection is the responsibility of every employee and will be successful only if it is championed and embedded within the practices of the organisation. By now, companies should be having regular status reviews of GDPR preparations with senior management in order to drive compliance.
Trull: Senior management must take an active role in ensuring GDPR compliance. I would expect a member of the senior management team to act as an executive sponsor for the compliance project and to provide regular status reports to the rest of the management team. Senior management should also remove any blockers to implementation that cannot be resolved by line managers and help reprioritise efforts that may be challenging implementation. Creating the right governance structure will help tremendously to ensure an efficient and effective process.
Calder: Accountability and genuine top management engagement are essential. The GDPR will require a shift in culture for many organisations, not least by introducing accountability as a principle of data protection. This principle says that the controller is responsible for demonstrating compliance with the regulation. This means that a member of the board or management team will need to oversee GDPR compliance by allocating and training resources, appointing a data protection officer (DPO), and ensuring a data protection by default and by design approach is incorporated into development.
White: From a practical perspective, one of the most notable novelties of the GDPR are the various requirements to make businesses more accountable for their data practices. Brand new responsibilities range from the implementation of data protection policies and data protection impact assessments, to mandatory data protection officers. To ensure compliance, mandates must come from the top down and have the full support of both the senior executive teams and the company’s board members. The GDPR’s effects on board-level corporate governance are extensive. Fines for non-compliance can reach 4 percent of global revenue and damage to a corporate’s reputation could also be considerable.
Lehmann: Senior management has two main roles. The first is to be the ‘motor’ of efforts to be compliant with the GDPR. If senior management is not committed to achieving compliance then staff will not support the project. It is the senior management who will have to show that this is a really serious issue and not just another fashionable but cumbersome thing. Second, senior management must function as the centre of a reporting chain that ensures the notification of every incident and every potential problem surrounding data protection and data security.
Gibbard: Senior management support is vital for the success of any regulatory programme, from GDPR to the Payment Card Industry Data Security Standard (PCI DSS). GDPR collaboration requires the legal, regulatory and compliance, IT and information security teams to manage the compliance on a day-to-day basis. Communication and awareness across the organisation will ensure that everyone understands their responsibility for protecting PII. This communication and understanding must be demonstrated by the C-suite and a top-down approach will have greater results. The responsibility for GDPR ultimately lies with the CEO; the size of the fines are massive, so accountability to the board will be his or her responsibility.
Pfeifle: Are the costs associated with GDPR implementation likely to pose a significant challenge for businesses? In what ways can they manage these costs, both upfront and ongoing?
Lamb: There will be upfront costs associated with the GDPR, in terms of in-house resource and external counsel. But there will also be benefits. The nirvana is to know where all of your corporate data is, to know where all the personal data that you are custodians for is, to know exactly what you are allowed to do with it and that effective controls are in place. Clearly, communicating with customers, partners and suppliers with regard to the steps to be taken to comply with the GDPR will help build trust and engagement. The road to GDPR compliance should lead to a place where organisations move clearly away from the chaotic data environment in which many currently operate.
Lehmann: Compliance will be costly for any company which fails to be compliant under current rules. However, these costs are not so high as to endanger a company and the money is well invested. Not investing will surely be more expensive at the end of the day as regulators will impose fines on those who were too thrifty. Add lawyers’ fees and the threat to the company’s reputation, and you will find that being compliant can be a bargain.
Trull: Cost will not be the primary challenge for most businesses. The majority of the costs for companies will be in the staff resources and personal services needed to perform the necessary gap assessment, modify service terms and contracts, and implement the technical and operational controls that may be lacking. To minimise costs, companies should focus on building documented and repeatable processes into their existing compliance and security programmes.
Calder: The costs depend on the complexity, scope and size of the project, which will be heavily influenced by the type of data processed. Large corporations with subsidiaries in multiple countries will be required to allocate significant budget for GDPR compliance, compared to small businesses. The GDPR has a far-reaching impact on businesses, so allocating a budget can be challenging. A starting point is to identify existing resources and skills that can support a compliance project. Performing a gap analysis and DPIA can also help determine your compliance priorities and help allocate resources and identify costs.
White: As well as putting new obligations on companies and organisations collecting personal data, the GDPR also gives individuals a lot more power to access the information that is held about them. Certain Member State’s laws currently allow businesses and public bodies to charge reasonable amounts to be given what is held about them in response to a SAR. Under the GDPR, companies will no longer be able to charge for responding to these requests and will have to absorb the costs themselves.
Haq: For many businesses there will be costs associated with compliance. There may be a need to increase personnel to manage or expand a privacy programme, for example, or a requirement for additional external legal advice. Again, this depends greatly on the nature of the business and the types and volumes of data that it processes, among other factors. For larger businesses, and those whose core business involves data processing, this is an essential investment that demonstrates not only the high priority they place on privacy and data protection, but also a strong commitment to the importance of the European market.
Gibbard: Most of the operational costs can be absorbed by the organisations as the processes and day-to-day management of the controls will already be in place. The challenge on costs is whether organisations choose to listen to vendors that are promoting their solutions to address their GDPR concerns. First, get the organisation prepared for GDPR, which is most important, and then look at any additional tooling to address gaps in your approach.
Douglas: The GDPR budget competes with other major digital initiatives and regulatory obligations. This, combined with the limited number of budget cycles, means that funding can be a strain. Many organisations are managing this by taking a practical remediation approach, which shies away from major transformational spending ahead of the May deadline. Practical, however, is different from tactical. In a tactical approach, where the focus is on policy and process change only, there is real risk that post-May 2018, operating costs can start to spiral out of control. Costs may rise because businesses are far from static.
Pfeifle: As the countdown to the GDPR continues, have many companies been slow to recognise the amount of work involved? As far as current preparations go, do you believe widespread non-compliance is likely among businesses to which the GDPR will apply?
Haq: There have been various surveys suggesting that companies are not adequately prepared for the GDPR. In reality, there are probably hugely varying levels of readiness dependent on company size, sector and operations. We have seen very significant increases in interest and enquiries about GDPR in the past six to eight months. These range from very basic enquiries to in-depth discussions on the extraterritorial effect of the new legislation.
Trull: Unfortunately, many controllers and processors will not be prepared to meet the GDPR’s requirements by the enforcement deadline. For others, panic is definitely setting in as they realise the amount of effort still needed to close the remaining gaps by May 2018.
Calder: Surprisingly, there are companies still learning about the GDPR and a significant number of businesses are only getting started. A compliance project can take between six months and two years depending on the complexity of the project, which means that a large proportion of businesses will not be compliant when the GDPR is enforced on 25 May 2018. There also seems to be a misconception that the GDPR will not apply to businesses in the UK after Brexit. Irrespective of Brexit, UK-based organisations processing EU residents’ data will be required to demonstrate compliance with the regulation, not least because its requirements are being written into UK law via the new Data Protection Bill currently under review by the House of Lords. In addition, the Information Commissioner’s Office (ICO) has been clear that companies need to be compliant by the deadline or sanctions will be applied.
White: The GDPR introduces new accountability obligations, stronger rights and ongoing restrictions on international data flows. Overall, the new framework is ambitious, complex and strict. So businesses operating in Europe or targeting European customers need to get their act together and start preparing for the new regime. When faced with such a complex and strict framework, an inevitable question is: what is the risk of non-compliance? This question seems to acknowledge the fact that 100 percent compliance is unachievable and that getting things right is going to involve a degree of prioritisation.
Gibbard: Organisations have known about the regulation for over two years, so there is no excuse as they have had plenty of time to prepare. The problem will be with the smaller organisations that believe if they keep quiet they will not get found out. I believe that at least 80 percent of organisations are prepared already or are finalising their plans to be compliant in time for the May 2018 deadline.
Douglas: It seems likely that some organisations will not be ready for the GDPR enforcement date. Companies that expect to be in that position are showing their desire to catch up fast. This might include updating privacy policies and notices, appointing a data protection officer, conducting a GDPR impact assessment, such that gaps have been identified and planned and tangible progress is being made to address those gaps. No one really knows how the supervisory body will act in such circumstances, but it makes sense to have a defence in place.
Lehmann: Most companies were reluctant at the beginning but have now understood the importance of being compliant and are on the right track now. It is to be expected that progress will be made until May 2018 and that a majority of companies are nearing compliance. Experience shows that these companies may expect some leniency from German regulators given that they tried to fulfil their duties. However, those companies that were reluctant or even unwilling to comply should be prepared for heavy fines as they had enough time and, given the press coverage the GDPR has received, have no conceivable pretext not to comply.
Lamb: Anecdotally, a number of large companies have admitted privately that they perceive some areas of the GDPR as too painful for them to comply with, and therefore will take the calculated business risk of not complying. While this is surely not the right thing to do by customers, clients, suppliers or partners, a business may decide not to comply because it believes the process is too costly or too complex. Moreover, they believe it is only a problem if their company is breached and instead ramp up security without addressing privacy issues. Common sense needs to prevail in this area. Complying with the intent of the GDPR is good for business, the costs of taking privacy more seriously will be well worth it even without focusing on avoiding the potential fines.
Pfeifle: In your opinion, to what extent does the process of transitioning to compliance with the GDPR offer companies the opportunity to actually improve their systems, build trust and take advantage of other benefits?
Trull: Trust is the cornerstone of the digital economy. Consumers conduct business with the companies and brands that they respect and trust. The GDPR is yet another opportunity for companies to demonstrate their commitment to the privacy rights of individuals and to the protection of their personal information.
Calder: Part of the GDPR’s purpose is to make the costs of non-compliance greater than the costs of achieving compliance. The larger fines and the reputational damage associated with a data breach should be sufficient incentive for organisations to place the GDPR at the top of their agenda, and improve their information security and data protection systems. From a reputation perspective, the GDPR can also be considered a business opportunity. By achieving compliance with the GDPR, organisations can demonstrate that data protection is treated with the level of attention it deserves and that clients, stakeholders and suppliers can place their trust in the organisation.
White: Fundamentally, the GDPR aims to make businesses more accountable for their data practices. The problem for IT is that compliance demands a single view of all customer information. This means pulling together data from multiple diverse systems. This task can easily be deemed too expensive and too complicated to be justified only for a compliance exercise. However, this single view is something the business has been demanding for years; a trusted, accurate information resource that can underpin all digital transformation initiatives.
Gibbard: Transitioning would be of strategic importance to a CIO or CISO as one of the basic principles of GDPR is privacy by design. The best definition I have found comes from the UK Information Commissioner’s Office (ICO) website, which states that privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. Unfortunately, these issues, including security, are often bolted on as an afterthought or ignored altogether to speed up delivery of a project. GDPR and local data protection laws encourage organisations to ensure that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle.
Douglas: Huge opportunities await firms that choose to embrace the core tenets of the GDPR, in spirit as well as for compliance purposes. Applying lawfulness, fairness and transparency to the way that you use the personal data of your customers, colleagues and third parties can only enhance your brand in an increasingly crowded and competitive market and uncertain digital economy.
Lehmann: Although it might seem surprising at first, a wholehearted effort to comply will turn out to be a benefit in the end. Companies will not only have less reason to fear sanctions by regulators or actions by consumer protection agencies, but will also face less threats to data security and probably even be in a position to advertise their compliance. Also, internal procedures should be more stable and streamlined by then, and not be cluttered by superfluous data. This would be another benefit of compliance. Finally, staff awareness of data protection issues will be considerably higher, thus reducing risks.
Lamb: I believe the GDPR is a positive development. Organisations that take the GDPR at face value and do the bare minimum will most likely be breached. Cyber attackers know this fact well. Whether the attack is through automated or targeted malware, or something else, cyber criminals only need to get it right once. They have no rules to follow. They can be opportunistic, persistent, do whatever they choose and be completely unreasonable. The defender, of course, faces the opposing reality of maintaining impenetrable cyber defences indefinitely yet still doing business efficiently. Companies should use GDPR as a means to upgrade privacy and security across their organisations. Awareness is critical.
Haq: The GDPR presents a very clear opportunity for organisations to revisit their approach to both data protection and security. In particular, in relation to this move from a systems-centric approach to security and data protection to a much more data-driven approach. The former was based on thinking first of the organisation and its needs; the latter is focused around the lifecycle of the data and the rights of, and responsibilities toward, the data subject. For companies that truly embrace the accountability principle and demonstrate excellence in their data protection standards, there is definitely an opportunity to build trust in their company, products and services.
As publications director, Sam Pfeifle oversees everything from the Daily Dashboard to the monthly Privacy Advisor to the International Association of Privacy Professionals’ (IAPP’s) various blogs, books and resource centre items. Mr Pfeifle came to the IAPP after stints overseeing a number of B2B publications, including titles in the physical security, workboat and 3D data capture industries. He began his journalism career with the alternative newsweekly, The Portland Phoenix. He can be contacted on +1 (603) 427 9209 or by email email@example.com.
David J. White specialises in information lifecycle governance, with a focus on electronic discovery, data privacy and security, litigation analytics and regulatory compliance. He is a former Am Law 100 commercial litigator, holding both US and UK law degrees, and with more than 20 years of experience in assisting companies in complex litigation and regulatory investigations in the areas of electronic discovery, data analytics, compliance audits, data breaches and forensic investigations. He can be contacted on +1 (646) 428 9186 or by email firstname.lastname@example.org.
Gazala Haq is director of EMEA public policy and government affairs at Dropbox. She has worked in the public policy sphere for 18 years and spent the last decade concentrating on technology policy. Her particular focus is on privacy, data protection and security policy. She can be contacted on +44 (0)20 3770 4876 or by email email@example.com.
Dr Jochen Lehmann has been a partner at GÖRG since 2007 and specialises in IT matters, with a particular focus on data protection and data security. He has built his expertise in this particular field of law since he began working for GÖRG 17 years ago. Dr Lehmann is a regular speaker on the subject of data secrecy and data protection in various contexts, such as data secrecy and directors’ liability or data secrecy and insurance. He can be contacted on +49 221 33660 244 or by email firstname.lastname@example.org.
Jessica Douglas leads IBM’s market and client response to the General Data Protection Regulation (GDPR) for the UK and Ireland. She and her team of privacy, security, data analysts and customer experience experts are working with clients to address the GDPR imperative. She is a partner in IBM’s digital strategy practice and her primary focus is on transforming customer experience with clients in banking, insurance, wealth and financial markets. She can be contacted on +44 (0)20 7202 3000 or by email email@example.com.
Alan Calder is the founder and executive chairman of IT Governance. He is an acknowledged international cyber security guru and a leading author on information security and IT governance issues. Mr Calder is a frequent media commentator on information security and IT governance issues, and has contributed articles and expert commentary to a wide range of trade, national and online news outlets. He can be contacted on +44 (0)333 800 7000 or by email firstname.lastname@example.org.
Jonathan C. Trull leads Microsoft’s team of worldwide chief security advisers in providing thought leadership, strategic direction on the development of Microsoft security products and services, and deep customer and partner engagement around the globe. Mr Trull joined Microsoft in 2016 as an experienced information security executive bringing more than 15 years of public and private sector experience. He can be contacted on +1 (720) 528 1838 or by email email@example.com.
Darron Gibbard is chief technology officer at Qualys. He has spent more than 25 years working for a variety of payment services, media and telecom organisations providing cyber, IT and information security thought leadership and subject matter expertise. His early career was spent working in the vendor marketplace for start-ups and major security vendors in both a pre and post sales capacity. He can be contacted on +44 (0)78 4102 0691 or by email firstname.lastname@example.org.
Steve Lamb is a cyber security expert with 23 years of experience helping clients take control of their security posture. Mr Lamb has worked for start-ups (including Rapid7 and Mimecast), mid-sized organisations (including RSA Security) and multinationals (including Microsoft and HPE). He loves public speaking, analysing complex scenarios and providing practical advice. He can be contacted on +44 (0)750 800 8864 or by email email@example.com.
© Financier Worldwide