The European Union General Data Protection Regulation (GDPR) has been years in the making, but finally comes into full effect in May 2018. GDPR has global reach because companies with a specific European presence will be subject to its requirements.
Additionally, the broad terms of the regulation mean that any company with a website offering goods or services to citizens of the EU and cloud services developed by U.S.-based companies may be subject to the regulation. This is merely because they are available to EU-based individuals, even if the company is not “established” in the EU. GDPR also imposes significantly greater fines for data breaches (up to 4% of annual global revenue), and requires Privacy Impact Assessments.
It also requires Privacy and Security “By Design”, Inventories, and Data Mapping of personal information across your business systems, mandatory appointments of Data Protection Officers, and evidence that you are doing these things. This is not a small undertaking. It will require a major shift for many companies, even those that already have a privacy program.
GDPR creates many new (and not new) obligations where more connection between the CPO, CISO, IT and CIO will be needed. The IT obligations are some that may cause the most impact for companies around the world, because they may require a fundamental shift in operational processes for IT and Business Process Optimization and program management. Here are a few worthy of deeper consideration, as they will carry a significant budgetary and operational impact (particularly on your IT department.)
- Think Privacy and Security by Design-Anyone who has been a part of designing a home — or building anything — understands that it’s always better to get your plans right in the beginning — change orders become expensive! By implementing a standardized and repeatable process with your colleagues in IT and the business as a project “begins” rather than when it is waiting for your sign-off to go “live”, you will be able to help provide advice, guidance and review at every step in the process. Consider using automation to allow your colleagues to request a “privacy impact assessment” of the systems they are “planning” to build and deploy so that you can provide them with a reasonable estimate and timeline. Your involvement early on will save them from having to make last minute design changes or decisions with the clock ticking. The GDPR requires not only privacy and security by design, but also “by default”. This means that what was formerly considered to be a “best practice” will now be a mandate and one that will need to be operationally demonstrable.
Speaking of Privacy Impact Assessments, if you are not doing privacy impact assessments (or “Data Protection Impact Assessments”), there is no time like the present. PIAs or DPIAs are a systematic process to “assess privacy risks to individuals in the collection, use and disclosure of their personal data. DPIAs help identify privacy risks, foresee problems, and bring forward solutions.” (www.iapp.org). Many organizations already conduct PIA’s as part of a statutory or regulatory obligation, and the European General Data Protection Regulation will also mandate PIAs. Impact Assessments, like Security Assessments, provide a good foundation to assess the potential and ongoing risk of systems and data flows within them so that privacy and data security teams can recommend and monitor appropriate controls. The International Association of Privacy Professionals exclusively distributes a “free” PIA tool available from AvePoint (https://iapp.org/resources/apia/) with a newly announced GDPR-focused template, built by AvePoint with assistance from Microsoft Corporation. https://www.avepoint.com/about/news-releases/detail/avepoint-launches-the-latest-release-of-the-avepoint-privacy-impact-assessment-system-with-newly-integrated-microsoft-gdpr-detailed-assessment-at-the-iapp-privacy-security-risk-conference-2017
- Know thy Business-The GDPR requires that companies utilize a “risk-based approach” to manage their privacy and data protection programs. While this sounds like a bit of legalese, and may make IT professionals squirm at the idea of lawyers measuring shades of gray, its relatively simple to find meaningful ways to operationalize this requirement. Start by taking the time to understand what kinds of data your business handles and uses, as well as how your co-workers are using your internal systems in their day-to-day jobs. Understanding the “day in the life” of your colleagues will help you understand why and how they need to handle this protected data during their daily work. The time you invest in understanding their requirements will pay off in spades, as you will be able to craft solutions that meet their needs and your obligations.
- Know your Data- What are your “Crown Jewels”? What kinds of data are you trying to protect? Many companies worry about “dark data”, or data that exists across their enterprise systems (file shares, SharePoint, social systems, and other enterprise collaboration systems and networks) as “dark data”, or data that is not properly understood. Understanding what and where this data is and properly classifying it will allow you to set the appropriate levels of protection in place. For example, many companies apply their security protocols in broad terms, using the same security procedures for everything. But logically, do you need to put the same security protocols around protecting pictures from your company picnic as you do towards protecting your customers’ credit card information?
- Demonstrate Accountability — Set enforceable policies. Your General Counsel’s office and compliance team are tasked with understanding your statutory and regulatory obligations and helping your business to comply with these requirements. However, be sure that any policies you set internally can be measured, monitored and enforced. Broad statements such as “we do not allow PII data in SharePoint”, without the ability to enforce this policy or measure its effectiveness is not a sound data protection strategy. Rather, it’s like setting a curfew for your teenagers and going away for the weekend. Don’t leave your policies to chance or luck. The EU GDPR requires that you not only create policies that meet its mandate, but that you operationalize those policies and can prove that you’ve done so. I’ve talked for many years about a best practice approach that requires that you Measure, Report and Monitor. That which is not measured cannot be improved. Don’t have a policy that sits on a shelf. Policies should be living, breathing documents that reflect and direct the flow of your business. The new obligations will mandate an overarching system across all information gateways that will allow organizations to “Say what they are going to do (to achieve compliance)”, “Do it” and “Prove it” – internally, for your auditors, regulators, or as part of your data protection best practices. (There are some great resources on “risk based accountability” through the Centre for Information Policy Leadership, a global privacy Think Tank (https://www.informationpolicycentre.com/)
It almost goes without saying that companies must be vigilant in designing both privacy and security protections into their design and quality assurance practices. However, outside of protecting systems from the “bad guys” that could steal our information, companies have an additional obligation to behave as good corporate citizens. This includes not only protecting the information of their customers, but also communicating clearly with them about how they will use, store and protect customer information. Around the world, regulators have taken the stance that “giving is not the same as taking.” In other words, just because a consumer gives you their private information, that does not mean that the company has a right to then take that information and use it any way they see fit.
Rather, companies have an obligation to clearly communicate what they will do with private information provided to them. Furthermore, if they change those practices, they must notify consumers and provide them with the ability to choose to participate or not.
Enterprise organizations must be vigilant in creating policies, training programs, and automated controls to prevent and monitor appropriate access, use, and protection of sensitive data, whether they are regulated or not. Doing so will not only mitigate the risk of regulatory and statutory penalties and consequences, but will also go far in preventing an unnecessary erosion of employee or consumer confidence in the organization as the result.
In an age where information is precious and every information worker is responsible for protecting that information, it’s important to create a culture of compliance where you make it easier for your end users to do the right thing than the wrong one. Just like a castle is designed with multiple lines of defense, it’s vital that you provide a multi-layered approach to information access and data protection. Additionally, it’s critical to provide the constant enforcement of data privacy policies to ensure that the information being utilized is compliant, accessible, and manageable.