As we approach the May 25, 2018 implementation date of the EU General Data Protection Regulation (GDPR), the industry has been abuzz with worst-case scenarios and daunting edge cases. You must enable consumers to access and request erasure of all data you have about them! The need for “unambiguous consent” will force wholesale transformation of the way companies interact with consumers! And companies risk fines of up to 4 percent of annual global revenue for any violation! But these headlines risk obscuring a fundamental point about GDPR. Yes, the new regulation raises the bar for privacy and security compliance. But you’re not being asked to do many things that you shouldn’t already have been doing, particularly when it comes to securing data and systems.
For those involved with managing technology, the most significant change under the GDPR is its focus on accountability, a combination of operational controls over systems and data and transparency about those controls, including “data-protection-by-design” (taking privacy into account when designing systems and products), ensuring appropriate security for data, and performing privacy impact analyses and maintaining records of processing activities. Consider the context for the EU’s 2016 adoption of the GDPR:
- The prior EU privacy law, the 1995 Data Protection Directive, was implemented at the dawn of the consumer internet, three years before Google and a decade before Facebook.
- According to a recent McKinsey & Company report, global data flows grew 45x between 2005 and 2014, during which time global data flows had a greater impact on the growth of GDP than sale of physical goods.
- By 2020, the number of connected devices is expected to reach 50 billion. We’re creating and sharing more data than ever before, and the volume of data, rate of growth, and number of third-parties with whom we share our personal information continues to increase.
- According to Privacy Rights Clearinghouse, there have been over 8 thousand reported breaches, resulting in disclosure of over 10 billion records, since 2005.
Viewed through this prism — rapid growth of data, data sharing and data loss — it is easy to appreciate the GDPR’s focus on the need for systematic operational controls.
The GDPR’s emphasis on systems management represents a regulatory shift. Under the 1995 Data Protection Directive, companies were required to maintain “appropriate” security, but controls were largely left to companies and validation was overseen through registrations of particular processing activities with national regulators. By contrast, under the GDPR, you must be prepared to demonstratethat you have evaluated the risk posed by the data you manage, that you have designed the controls into systems to match that risk, and that you maintain processes for “regularly testing, assessing and evaluating” the effectiveness of the security of those systems.
However, the systematic controls GDPR requires across all of these areas are based on long-established, core security principles.Article 32 of GDPR, which addresses “security of processing,” calls for “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” This Article, and related provisions, lay out a set of controls for managing physical, logical, and administrative security, including:
- Strictly limiting access to necessary, authorized users.
- Ensuring that third parties with access to personal data meet core data processing requirements.
- Confirming that contracts in the “supply chain” for IT and data reflect GDPR requirements.
- Conducting reviews to understand how products and systems work, where data is being stored or processed, and where it’s being exported outside the company or internationally.
- Monitoring and overseeing systems throughout their lifecycle, including patching known vulnerabilities in a timely manner.
Privacy by design in action
Article 25 of the GDPR, which discusses “privacy by design” focuses on the need for technical and organizational measures that are designed to protect personal information.
Organizational, or process controls, include the appointment of a data privacy officer (or, in our case, a Chief Privacy & Digital Risk Officer); managing the supply chain of systems and data through appropriate contracts and reviews; developing policies and guidance concerning how systems manage data; launching company-wide awareness campaigns; and making sure you can respond effectively to customer requests for information about their data. Technical or systems controls include the use of a secure platform, well-designed applications, and strong mechanisms for control of access and authentication.
Following are three key areas where the right IT strategy and tools can make a significant difference in your GDPR compliance effort.
Access and authentication: know where your data is and who has it
The GDPR requires organizations to control and restrict access to personal data. In today’s distributed IT environments, companies should have systematic controls in place to manage identity and access. These controls should address questions like: is the request for access being made from a laptop, a mobile device, an automated system, or an IoT widget? Is the data itself stored on-premises, in a public or private cloud or in a partner’s database? What network is being used? What are the access and authentication mechanisms at play across systems and networks, and how are they controlled? Do the policies you apply take into account the real-time context of the person making the request—where and how they’re working? Do you have a way to keep all this manageable and sustainable over time?
Given the complexity created by the volume of the data and access requests that we’re generating and managing, a unified approach to access and authentication in any context, supported with the appropriate technologies, can go a long way to facilitate GDPR compliance.
Limit risk through data storage and movement
You can’t protect data if you don’t know where it is – a simple guiding principle for GDPR compliance. If your data is distributed widely across servers and endpoints, you’ll have to put significant time and effort into securing and keeping track of it. Instead, you may limit both your security risk and your inventory needs by keeping data localized as much as possible within your data center and by enabling remote access without actually allowing data to travel to user endpoints – just the pixels. Centralization also makes it easier to apply the latest patches and controls because everything is in one place.
Technology vendors can help you maintain compliance
A chain is only as strong as its weakest link—and your GDPR compliance effort will hinge in large part on the third-party technologies in your environment. If your vendors don’t provide appropriate security controls and contextual policy frameworks, you’ll end up doing a lot of the heavy lifting on your own. That’s time and money diverted from innovation and strategic execution without adding value for your business. Solutions built on the security-by-design principles required by the GDPR can make compliance far simpler and more sustainable even as your environment continues to grow and evolve. Make sure to check this box to get ahead of GDPR requirements, instead of having to back track.
It will take time for the full impact of the GDPR to become clear. EU legislators and regulators hope for significant reductions in security incidents and heightened industry attention to privacy as a fundamental human right. But if nothing else, the focus on accountability and operationalized privacy across industries will be a valuable legacy.