Navigating Privacy and Compliance
As the recent data breach by Facebook has made clear, meeting strict GDPR guidelines is difficult. Cory Cowgill, CTO at Fusion Risk Management, discusses GDPR requirements and their impact on data retention and security.
If you are part of nearly any enterprise organization, then May 25, 2018 is likely burned into your memory forever. That was the date when a new landmark privacy law, the General Data Protection Regulation (GDPR), took effect in the European Union (EU). Many articles were written leading up to the law taking effect, and many have been written since. Nowadays, most articles have headlines like, “Taking Ownership in a Post-GDPR Age,” and, “Solving the Remaining Challenges of GDPR.”
Quite clearly, GDPR remains top of mind for business leaders all over the world – and meeting the strict guidelines for compliance remains a struggle.
GDPR consolidated all privacy laws in the EU into one consistent regulation. It expanded the privacy rights granted to individuals in every EU country and placed many new obligations on organizations that market to, track or handle personal data of individuals residing in the EU, no matter where the organization is located. The last bit is key: even if you are a U.S.-based company, if you are storing or have access to the personal data of individuals who live in the EU, GDPR regulations hold your business responsible.
The Post-GDPR Landscape
The sheer breadth of GDPR’s reach has made it extremely difficult for even the largest companies in the world to become compliant, and lawsuits totaling billions of dollars have been filed due to GDPR breaches. This is not a surprise to the many who tracked how companies were preparing for the regulation.
One survey, conducted by law firm McDermott Will & Emory and the Ponemon Institute during the weeks leading up to GDPR going into effect, found that 40 percent of respondents said their companies would not be compliant until after the deadline, while 52 percent of respondents said their organizations would be ready by that date. The remaining 8 percent said they weren’t sure when their organization would be compliant.
These statistics show just how far behind many companies continue to be in a GDPR-enforced world. On September 12, during the Confederation of British Industry’s Cyber Security Conference, the U.K.’s Information Commissioner’s Office (ICO) Deputy Commissioner James Dipple-Johnstone revealed that his office currently receives 500 calls per week related to data breaches. While he added that one-third of those calls are generally unwarranted, that leaves well over 300 legitimate complaints each week.
While companies have certainly struggled to become fully compliant with the GDPR during the first months of the law’s existence, it is also clear that consumers and customers believe strongly in the need for the privacy and protection it provides. In fact, you can expect to see laws similar to GDPR being introduced in other places throughout the world. For example, a Janrain survey found that 69 percent of American consumers would like to see privacy laws like GDPR enacted in the U.S. When asked which of the GDPR provisions they’d most like to see enacted, 38 percent responded with the ability to control how their data is used while 39 percent favored the “right to be forgotten” rule, which allows individuals to make a written request to have their data deleted by companies that are storing it.
This desire among consumers to control their data and how it is used actually makes GDPR an opportunity for organizations. While there have been a multitude of reports and articles expressing the downside of GDPR (massive fines and penalties, negative media coverage, the damage to a company’s reputation, etc.), the regulation should be embraced rather than feared. It is a matter of adapting to this new reality and recognizing that data can be both an asset and a liability. In its Top 6 Security and Risk Management Trends for 2018, Gartner notes, “digital business plans must weigh both [the asset and the liability] and seek innovative solutions to lower costs and potential liabilities.”
“Leading organizations are focused on how a compliance program can act as a business enabler,” explained Gartner Research Vice President Peter Firstbrook. “The message SRM (Security and Risk Management) leaders must communicate to CEOs is that data protection has both costs and risk but can also be used as a business differentiator.”
As GDPR is such a new element of the business world, a good deal of attention will be paid to it over the next year – particularly when it comes to how the regulations are interpreted. The language is very broad, and business leaders will look at what courts rule when GDPR-related cases are brought. Facebook, for instance, was famously sued as soon as the law went into effect. That demonstrates that regulators are taking the opportunity to set the regulatory bar and establish new case law that will be used as precedent moving forward. By this time next year, organizations will have a much fuller understanding of what is expected of them, and they will have implemented more robust data protection plans.
Managing the Risk
GDPR requires that companies have a more comprehensive understanding of where and how their customers’ data is stored, what it consists of and what it’s being used for. Most importantly, they need to verify that it is secure. Risk management plays a key role in these efforts by creating a comprehensive platform containing all of an organization’s data privacy and management protocols to ensure GDPR requirements are monitored via a unified display known as a “single pane of glass.” This ensures that organizations meet the privacy requirements of GDPR on an ongoing basis, as the regulations oblige an ongoing commitment to individuals’ privacy.
When companies implement a secure risk management solution, it provides the necessary visibility to ensure all GDPR requirements are met for the proper storage of and access to company data. Risk management also plays a key role in ensuring organizations have the correct security controls in place by providing the tools to create and implement a data privacy impact statement. Using the right solution ultimately allows for agility and long-term compliance – it makes it much easier to meet current GDPR requirements, while also creating the ability to pivot when the law is updated or revised (or when new laws similar to GDPR are passed in the U.S. or other countries). GDPR is not a one-time commitment; it requires ongoing vigilance.
GDPR is only the first wave in a new world where privacy legislation and the commitments required of enterprises will continue to evolve. For example, in the United States, the California Consumer Privacy Act of 2018 passed in June 2018; it takes many of the protections in GDPR and applies them in the state of California. Other states and countries will soon follow with their own privacy regulations. To address this risk, the bottom line is that companies need a solution to manage all of their data and to assign that management to various departments and individuals while maintaining visibility across the organization. The proper risk management solution serves as an internal tracking repository for the storage and processing of all personal data.
Of course, most organizations do not exist on an island – they have multiple third-party partners such as vendors, suppliers and contractors who must be included in all privacy protocols. A solid third-party management tool allows for a way to mitigate threats to data and incorporate partners into broader risk management strategies. Beyond that, data is often compromised – either purposely or inadvertently – by an enterprise’s employees. They might click on a link containing malware or even maliciously steal confidential information. A good risk management solution will offer a portal that engages everyone in the organization and makes them accountable for knowing all security protocols.
With GDPR now a reality, more privacy legislation on the horizon and companies continuing to learn exactly how to meet all the requirements that come with it, a risk management solution makes it much easier to organize and manage the processes needed to stay compliant. When an enterprise can assure customers and prospects that there are safeguards in place to monitor how their data is handled and stored, it enhances that company’s reputation, as well as its ability to keep pace with constantly evolving regulations.