GDPR: Achieving security for the right reasons
Fri 25 Nov 2016
While the legislation for the General Data Protection Regulation (GDPR) has already passed, businesses operating within the EU have until May 2018 to make the necessary changes, meaning less than two years. Although this seems like ample time, businesses need to do a variety of things to prepare for the regulation.
Firstly, businesses should take advantage of this time to re-evaluate their partners’ capabilities and their hosting arrangements to guarantee that they are able to satisfy the GDPR’s requirements. Unlike the preceding legislative regime, both data controllers and data processors bear the burden of culpability under the new framework. This means that if a Cloud Service Provider (CSP) has the misfortune of being the victim of a data breach, it is the data owner [the customer] that will feel the exposure.
For this reason, companies will need to look closely at how they store their data, and at their supply chain. There won’t be any hiding places when it comes to data security and businesses won’t be able to quietly pass the responsibility for data protection over to another organisation.
Cloud offers an interesting example of how organisations can prepare. They have a choice – they can invest in skills in-house to boost their capacity to closely monitor cloud providers, or they can make due diligence and visibility a priority when looking for a CSP in the first place. The latter enables organisations to find CSPs that can provide the necessary resilience and security measures through the entire contract lifecycle. Either way, it’s never been more important for businesses to know the location of their data, to understand how it is stored, and to know who has access to it. Engaging the supply chain with these issues and ensuring third parties are auditable is key.
The role of the DPO
Secondly, businesses should begin the process of finding a Data Protection Officer (DPO). This role is complicated and demands a rare mix of specific skills and experience. The International Association of Privacy Professionals estimates that 75,000 DPOs will be required by May 2018 – and there are already doubts as to whether there is a large enough base of people with the necessary skills to recruit from, due to the digital skills shortage.
The first duty of the DPO is to untangle all of the GDPR’s complexity and to understand what implications it carries for their organisation. Expertise in data protection is vital, and many of the most appropriate candidates will have led the rollout of compliance frameworks, such as ISO standards or PCI DSS, within an organisation. As they will be executing in-depth risk assessments to pinpoint particularly vulnerable areas of the business that could be at risk of a data breach or non-compliance, the role will also require an exacting attention to detail.
Any DPO seeking to successfully manage the transition to GDPR compliance will also need to have specific soft skills. As the GDPR could entail a significant financial investment as well as operational changes, the ability to influence leaders within the organisation will be vital. Correspondingly, the DPO needs to have a strong character to support these weighty changes. Organisations should begin looking for these scarce individuals as soon as possible to insulate themselves against the punitive financial penalties of the GDPR.
Adopting a new culture and pace
A major obstacle that any business working to comply with the GDPR will encounter is understanding its implications for their business. The GDPR is notoriously complex, and there are many different elements to unpack and subsequently relate directly back to one’s organisation.
Once businesses have got to grips with what they need to adjust in order to comply with the GDPR, it will become clear that compliance entails a major change to their everyday working culture. The GDPR essentially demands the adoption of a culture of information security, and many organisations will find that their pre-existing culture presents a significant obstacle. The prevailing attitude in many organisations is that security is seen as an inconvenience, something that prevents businesses from being agile and competitive.
In order to develop an information security culture that enables seamless GDPR compliance, organisations will have to evolve rapidly. This culture has to come both from the top down and from the ground up; it’s a form of behaviour that flourishes because your people believe it is the right way of doing things and because everyone adjusts their processes together. It derives from both values and processes, which is particularly challenging, and it will be an ongoing process for many companies. The risk of not doing so is that security remains an afterthought, with no one taking full responsibility and endeavouring to make the right checks – which could easily lead to non-compliance.
Barriers to enforcement
A concern from some quarters is that many organisations don’t quite understand the gravity of the GDPR and its implications for them. The grace period, whereby the regulations only come into full effect in May 2018, could potentially make many complacent. Considering that non-compliance could cost a company up to 4% of annual turnover, or £15.8 million, there should have been more publicity around the GDPR, aimed not only at IT professionals but also at the wider organisation.
However, the lack of a clear set of standards to accompany the GDPR has already made the regulations tough to follow, and could also make them tough to enforce. There is currently no standard that specifies whether the measures an organisation has implemented can be deemed appropriate Technical and Organisational Measures (TOMs) that satisfy the terms of the GDPR when scrutinised in a court of law. The non-prescriptive nature of the new regulations means that such clear standards will be required to bring clarity to the market and help organisations and providers to comply.
This raises the subsequent issue of who should be responsible for drawing up this standard. It should not be delegated to the lawyers and policy wonks. It’s a job that requires an understanding of the on-the-ground reality of information security practice.
Moreover, the standard should promote the notion that correct information security behaviours shouldn’t just be motivated by fear, but also by the benefits of taking the right approach to security. This is an invaluable opportunity for information security professionals to advocate a different way of doing security – however, without this clear set of standards, effective enforcement of the GDPR could be a challenge.