Handling data in the run-up to GDPR
The Stack speaks with Martin Hoskins, Associate Director of BRS at Grant Thornton, Darron Gibbard, MD of Northern Europe at Qualys, and Drew Nielsen, Chief Trust Officer at Druva, to discuss the upcoming GDPR legislation and what businesses can do to prepare…
We have board support, and we have started our data audit and updating security processes around customer records. But what are we missing when it comes to preparing for GDPR?
Darron: The data audit is actually one of the biggest challenges that companies face, simply because they don’t know all the company devices that exist and can potentially store data. Without that accurate list of assets, it’s very difficult to maintain security or control over where data is stored.
For teams that are responsible for data audits, the technical audit should be accompanied with interviews within each department to ask if there are any suppliers that might have access to customer records or be given them without the knowledge of the IT team.
This process can throw up some interesting problems where teams have made decisions in the past that lead to processes being less secure than they should be today. Resolving these problems can, therefore, avoid future problems further down the line. Running a data audit can quickly expand into how the team or department works in practice, rather than being specifically about data.
Drew: The biggest miss here is that data gets created everywhere today. Previously, data was created or accessed on company PCs from the company data centre. Today, that data can be held in cloud applications and accessed from tablets, mobile phones or laptops. Analyst firms point to more than 40% of enterprise data never hitting the corporate data centre. So will central data centre teams actually see this data as part of their audits?
Secondly, people work in the real world. While they may not be allowed to save data on their devices, people often do for reasons of convenience or timeliness. So how will IT teams be aware that these files have been created and that they contain personally identifiable information?
Keeping track of these activities on the whole mix of devices to track where PII data is getting re-used should not rely on individuals, or on IT manually tracking this activity. For enterprises, automating scanning for files that may contain PII should be in place.
I’m having trouble getting this seen as a business issue, not just an IT problem. The fines have sharpened the CEO’s mind, but how do we get this discussed by other teams?
Martin: Try working with your internal audit teams – if the business really is to face significant fines for failing to comply with the GDPR’s requirements, then the internal audit teams ought to be seeking assurance that the right data protection risks are properly recorded on the Risk Register, and that the right people within the business are accountable for accepting the risks.
Drew: Often, compliance and IT projects can run in parallel silos. Finance and legal teams may have prepared themselves but not thought to involve IT properly from the start.
Looking at contracts with suppliers can help flag issues, particularly where you are using suppliers that may have to comply with GDPR themselves. The big public cloud vendors like AWS and Microsoft Azure are preparing their services to meet the needs of GDPR, so talking to legal about any changes that might be coming up should help the conversation get started.
Some businesses already place more onerous requirements on data processors than is required
Darron: The business process and contract scenarios around GDPR will affect how each company works with others, whether they provide customer data to a third party for processing or whether they do this job themselves. I suggest that teams think of this as a ‘data supply chain’ as this helps those without technical backgrounds to understand how issues like provenance and security will work in practice.
Legal teams will want to ensure that the company’s terms and conditions are adequate to protect the business in its contracts, as well as ensuring that provider contracts are adequate too. This should ensure that the problem becomes more about the whole business, not just IT and security of data.
What will have to change over time around GDPR when it comes to contracts?
Martin: It depends on how comprehensive the current contracts are, as some businesses already place more onerous requirements on data processors than is required by current data protection legislation. The GDPR’s core requirements for contracts with data processors are set out in Article 28.
Darron: While companies can prepare for the initial compliance deadline, the rules around data protection will continue to evolve. So ensuring that processes are kept up to date and compliant is essential.
A big part of this is ensuring that processes are actually followed. You can have the best process for data security in the world but that won’t stop someone downloading a file and then losing their laptop. What is essential here is that processes stop this being a huge issue. If it does happen, then all the process steps should reduce the risk of customer data being exposed.
New approaches such as automation and cloud can help companies get back control of their data management
Managing data should be getting easier – why doesn’t it seem like this is taking place in practice?
Drew: Often, this is because companies don’t design their approaches to cope with the whole data lifecycle. In GDPR, the support for data deletion, data portability and privacy by design should force a wholesale adoption of information management best practices.
For those companies that already adhere to these rules, GDPR shouldn’t be a big concern; in fact, the IT teams at these companies are probably wondering what all the fuss is about.
For the majority of companies, information management has only got more complex. Using new approaches such as automation and cloud can help companies get back control of their data management and protection strategies, even as more information moves out to the edge of the organisation.
As data gets created on mobile endpoints and tablets, saved within cloud applications or stored in remote office storage silos, getting a better overview of all information will be essential. The role for cloud-based data protection will grow in the future.
Managing third parties is going to be difficult – what should we do to make this easier?
Darron: Looking at contracts is one thing – enforcing best practices and making sure that partners are sticking to their end of the bargain as well is another. Carrying out audits of third parties can help demonstrate that you are taking this matter seriously, both at the start of any contract and while it is going on.
Using security questionnaires to audit how the third party operates and that this provider’s staff follow their processes can provide a degree of surety around data protection, as well as managing potential risk.
Martin: Managing third parties need not be any harder than at present. Data controllers are already required to ensure that, when processing is carried out by data processors on behalf of the controller, they only use data processors who can demonstrate that they meet certain minimum requirements.
Without robust controls to ensure that personal data records are held securely and in compliance with data protection legislation, there is a risk that they may be lost or used inappropriately, resulting in regulatory action against, and/or reputational damage to, the organisation, and damage and distress to individuals.
Forward-looking businesses are carrying out third party reviews to assure themselves that their data processors are reliable, and are asking more detailed questions and are seeking greater assurance from those processors who carry out more “risky” types of processing.
Head of Enterprise Risk & Information Security Services, Risk & Compliance
Associate Director, BRS