GDPR: information security red herring, cause for concern, or hidden opportunity?

The General Data Protection Regulation (GDPR) goes live in May 2018. The pending deadline is starting to cause alarm at some businesses. Yet others remain relatively unperturbed. Whichever camp you fall in, we see GDPR as a bit of red herring if considered in isolation. That is not to say that a business can rest on its laurels and do nothing – on the contrary, in fact…

Happy 2018 – GDPR is almost here!

2018 is finally upon us, and with it also GDPR is more than just looming on the horizon. This substantial piece of regulation will have significant impact on any business handling large amounts of personal customer data. Until very recently, few genuinely engaged with the issue, and even now it is not fully clear how this will work, how regulators will implement the rules – and how quickly and hard they will start pursuing and fining non-compliant businesses.

GDPR is a hot topic, with plenty of ink being spilled about it. It targets a very important set of data security issues relating to personal customer data. But in the end, it is part of the broader realm of information security. Amid for the impending deadline, this reality has become a little buried. Sensitive data and information should be secure and protected. Clear and robust processes must be in place to report breaches quickly (within three days from occurrence). Businesses should store and handle customer data so that it can be easily removed from their systems, upon request. People now worry about the potential fines that may stem from failing at GDPR. But this should not make forget that even without GDPR, the business cost of poor information security handling is steep.

One recent example of what-not-to-do is last summer’s handling of a massive breach by Equifax – a company whose business is predicated on holding personal customer data safe (its website asking “What Keeps Your Compliance Team Up at Night?”). It is conceivable that it would be the target of a cyber-attack. One would expect management to know exactly how to handle this. Yet the apparent lack of structured and timely response left the lasting impression that Equifax management was not prepared, had no established protocols on how to handle and communicate a response, as well as fix the issues. The result was one third (about US$6 billion) of market capitalisation wiped off overnight, significant questions about integrity of (now former) management and their practices. That is expensive – and may be just the start. Equifax came across as not really caring about its customers data. Reputation is in tatters, regulators and politicians baying for blood….

Note that the damage to the business was done in the absence of GDPR’s very steep potential fines. Thus, the fundamental fact has never changed: data protection and information security must be treated as a definite source of reputational (business) risk. The upside here is that, if handled correctly, it is also a potential source of competitive advantage, as it allows those with a mind for it with a great opportunity to really understand customer data and use it to enhance their business.

With this in mind, what should your company do next?

4 cornerstones of effective information security handling

Our view is that a successful approach to GDPR doesn’t differ from a broader approach towards information security. And the effective handling of information security should be built on four cornerstones:

1. Mapping data. Categorise data across systems based on clear classification policies. In particular, focus on categorising data on the grounds of its sensitivity (i.e. strictly confidential, public, prohibited), the criticality of the data, its consent requirements, how it is acquired, processed, stored and backed-up – especially in the context of personal information and privacy protection.

2. Strict access control and identity management processes. Clear and defined rules for who has access to what data, under what circumstances, and for what purpose. This must be paired with a strict and understood process for generating and managing user identity for every action performed by users on the network.

3. Creating awareness through continuous training and communication. Ensure employees are aware of information security issues and related risks throughout the organisation. This can be done using consistent communication and training, and regular reporting to senior management based on a clear and up-to-date risk register.

4. Proactive accident reporting, response protocols and plans. Having well defined and tested protocols and plans for reporting and responding to accidents means response management needs more than just planning. It must also be practiced and adjusted to the changing risk profile of the environment.

The quality of implementation in these four areas will really matter. Most companies have some of this in place, but implementation can be inconsistent and compliance patchy. Exception management is always an Achilles heel for IT systems, and in the GDPR case, several processes and procedures will require review and tweaking. A solid six-sigma/continuous improvement approach will help identify system weaknesses and establish quality improvement actions to make sure leaks are identified and plugged in time.

How to approach GDPR

Some requirements set by GDPR create a number of new compliance needs. Examples include setting up a Data Protection Office (DPO) and having specific processes to deal with the rights of ‘data portability’ and ‘right to be forgotten’. Most of these requirements have a business – not just an IT or legal – impact. They all require the set-up, testing and implementation of solid processes, procedures and organisational structures.

For those taking the strictly legal approach – in other words, simply asking ‘what’s the minimum action required to avert or reduce the economic impact of a fine’ – the answer may well be: ‘get a good insurance policy’. But this approach dismisses the real risk of reputational damage. The critical issue with GDPR is to be able to demonstrate that everything that could have been done to avoid an accident – and mitigate its impact – had been done, and in a timely manner. As such, not taking a robust and proactive stance on data protection is likely to be akin to business suicide.

Regardless of the legal framework your business operates in, we put together some questions below that any senior manager or company director should ask themselves to understand how GDPR-ready their business is.

A GDPR checklist

1. Have you hired a Data Protection Officer, and structured its role clearly within your organisation?

2. Is your data classified and mapped clearly? Have you adjusted or created the processes required to acquire, manage and erase data from your systems?

3. What are the biggest (by likelihood and materiality of impact) data security risks your business could face? What would happen if the data you have is lost?

4. Do you have a response plan and specific processes and procedures to mitigate their impact from an incident?

5. Is this response plan tested regularly? Are your employees aware of how to comply with it?

6. Do you have a clearly articulated exception handling process?

7. Do you have a full data lifecycle management process (from on-boarding, to storage, to removal)?

8. How watertight are your identity management and access and control processes?

9. Do you have up-to-date and ongoing training across the organisation on info security and data protection matters?

10. Is real time reporting available for senior management, producing regular updates and creating awareness of issues related to info security?

If you can answer these points positively and succinctly, then the chances are that your business is well positioned to deal with information security and data protection – come GDPR or high water. If not, there is clearly some work to be done, sooner rather than later.

Get in touch at hello@nestconsulting.net for a no-obligation chat to find out whether we can help your business with information security and to get GDPR-ready. We help companies develop a strong and resilient information security culture. We do this by creating and delivering targeted change management programmes that align your information security policies with how people carry them out in the everyday.