With all the hype around the General Data Protection Regulation (GDPR), which comes into force in less than a year, many organisations that hold Personally Identifiable Information (PII) are extremely worried about achieving compliance. They understand the principles of what is required but are struggling with the practical details of implementation. They are right to be concerned. As well as a large fine and reputational damage, a serious breach could effectively shut an organisation down, because the supervisory authority can order it to stop processing personal data altogether, from paying its employees to receiving electronic payments.
The hype itself has increased the risk: the public now know what to do if they suspect a breach of privacy has occurred, and know how to use subject access requests (and, for public bodies, Freedom of Information requests) to obtain information. Any organisation which fell victim to the recent WannaCry ransomware attack, for example, experienced a personal data breach, since GDPR treats loss of access to personal data as a breach and not only its disclosure. Under the GDPR that breach would have had to be notified to the Information Commissioner's Office (ICO) within 72 hours wherever it was likely to result in a risk to individuals.
However, organisations could use the situation to create business advantage. Clearly achieving GDPR compliance is going to require spending – in which case, why not use the opportunity to bridge towards a recognised data security standard at the same time? And turning the issue of compliance on its head, could we turn the ICO’s list of companies who notified them of an incident within their well-managed data protection system from a roll of shame to a roll of honour for their honesty?
Moving towards industry standards
Industry standards such as ISO27001 (information security), ISO20000 (IT service management) and ISO22301 (business continuity) provide a good base for GDPR compliance. Certification against a standard demonstrates to the supervisory authority (the ICO in the UK) both that the organisation's operational processes are in place and that the board is committed to them. It also supports the audit requirements that GDPR places on the relationship between data controllers and data processors.
Organisations that already meet these standards and have a sound underpinning security management system will still need to make some changes: improve data mapping and data classification, tighten the governance around processing of personal data, and confirm that supply chain contracts set out controller and processor responsibilities. Their security incident processes may also need small tweaks to cover GDPR's requirement to notify personal data breaches. However, their existing risk assessment and risk treatment processes and underlying IT platform should accommodate the new requirements.
If your organisation is not currently aligned to an industry standard, you will have to build compliant processes and procedures from scratch anyway to avoid fines and reputational damage that would result from a breach. So why not implement GDPR in a way that bridges towards these standards? As well as enabling your organisation to become compliant, this will give you new business differentiators and potentially open up new markets where these standards are mandatory.
GDPR compliance does not satisfy the full requirements of a standard such as ISO27001, and the standard does not cover everything GDPR requires. However, with the appropriate business case, GDPR can be implemented in a way that aligns with these standards and provides a good base for achieving certification later, should the business need it for market development and growth.
A roll of integrity, not shame?
One aspect of GDPR that organisations will have to address is the requirement to document in advance how personal data is stored and used, rather than working it out after the event. For example, if a small or medium-sized organisation suspects that its employees have emails containing PII on their mobile phones, it can use technology to tackle the issue. Software tools such as Druva inSync can scan files and data as part of the device's backup and recovery process to identify potential PII and other sensitive data. Once located, the data can then be protected or deleted in line with company policy, a capability available as a service from organisations such as Fordway.
However, where data records are amalgamated (for example in backup copies) and cannot be deleted immediately on request, the organisation needs to be able to explain this to the supervisory authority. It may be better to speak to the ICO first to clarify the restrictions and agree the response with them, so that everything is on the correct legal footing. The ICO does not pre-approve exemptions, but it does expect organisations to document why immediate deletion is technically impossible, to put the data beyond use in the meantime, and to show that they have made all reasonable efforts to comply with the legislation.
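The two paragraphs above describe a classify-then-act loop: scan backed-up files for PII, apply a policy action (protect or delete), and treat records inside amalgamated backup sets differently because they cannot be deleted individually. The following Python is an added illustration of that loop and is not Druva's, Fordway's or the author's code. The regular expressions are rough format checks only (they do not apply HMRC's full National Insurance prefix rules), the policy table is a hypothetical company policy, and the files are constructed samples embedded inline so the example runs offline.

```python
import re
from dataclasses import dataclass

# Constructed sample of what a phone backup might contain. The "backup/" tree
# stands for an amalgamated backup set that cannot be selectively deleted.
SAMPLE_FILES = {
    "inbox/2017-05-12-expenses.eml":
        "From: j.smith@example.co.uk\nPlease reimburse my claim, ring me on 07700 900123.\n",
    "inbox/2017-05-14-payroll.eml":
        "Starter checklist for Jane Doe, NI number AB 12 34 56 C, postcode SW1A 1AA.\n",
    "backup/2017-04-full/payroll.eml":
        "Starter checklist for Jane Doe, NI number AB 12 34 56 C, postcode SW1A 1AA.\n",
    "notes/shopping.txt": "milk, eggs, bread\n",
}

# Rough format checks for common UK identifiers; a real scanner would add
# validation (e.g. NI prefix rules) to cut false positives.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "uk_phone": re.compile(r"\b(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b"),
    "uk_nino": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
}

# Hypothetical company policy: contact details may stay if protected (encrypted,
# moved to a managed store); NI numbers must not be held on personal devices.
POLICY = {
    "email": "protect",
    "uk_phone": "protect",
    "uk_postcode": "protect",
    "uk_nino": "delete",
}
SEVERITY = {"none": 0, "protect": 1, "delete": 2}


@dataclass
class Finding:
    path: str
    categories: dict   # category -> list of redacted matches
    action: str        # none | protect | delete | restrict


def redact(value):
    """Keep first and last character so the report can be reviewed without
    copying the PII itself into yet another file."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def scan_text(text):
    """Return {category: [redacted matches]} for every pattern that fires."""
    found = {}
    for name, pattern in PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[name] = [redact(m) for m in matches]
    return found


def decide_action(categories, in_backup=False):
    """Most severe policy action across the categories found. Records inside an
    amalgamated backup set cannot be deleted individually, so a 'delete' there
    becomes 'restrict': put beyond use and record the exception for the ICO."""
    action = "none"
    for name in categories:
        if SEVERITY[POLICY[name]] > SEVERITY[action]:
            action = POLICY[name]
    if in_backup and action == "delete":
        action = "restrict"
    return action


def scan_files(files):
    """Classify every file and attach the policy action to apply."""
    results = []
    for path, text in files.items():
        cats = scan_text(text)
        results.append(Finding(path, cats, decide_action(cats, path.startswith("backup/"))))
    return results


def summarise(findings):
    """path -> action, the list an operator (or the backup tool) would act on."""
    return {f.path: f.action for f in findings}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.action:8} {f.path}  {f.categories}")
```

The point of the `restrict` outcome is the one made above: the scanner still records that the backup set holds an NI number, so the organisation can show the ICO exactly which data it has put beyond use and why it could not simply delete it.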
The logical extension of this is that we should applaud those organisations which ‘fess up’ in advance about any breaches in data protection or the restrictions in their systems. They are behaving with integrity, and so should have nothing to fear.
In contrast, consider the recent IT meltdown at British Airways, a large organisation with considerable resources. It is not clear exactly what happened, but the explanations offered so far look like smoke and mirrors covering business continuity arrangements that were not fit for purpose.
Taking the first steps
The GDPR will clearly require major changes for many organisations. The first and most important piece of advice is: don't panic, but begin planning now. Take a deep breath, look at your organisation's existing processes for handling PII and identify the areas where you may need to make changes. Then consider whether it would be strategically advantageous to obtain other compliance standards such as Cyber Essentials, ISO27001 and ISO20000. If so, look for ways to use the changes required for GDPR to align with these standards and consolidate the costs of compliance. A full security review and analysis, either internally or using a third-party specialist, will then enable you to scope the changes required and make an informed decision on how to proceed.
Neville Armstrong, Service Strategist, Fordway