May 31, 2018
May 25th marked the implementation deadline for the European Union’s General Data Protection Regulation (GDPR). This sweeping regulation impacts not only the operations of EU-based companies but also those of any company, wherever it is located, that stores or processes the personal data of individuals in the EU. Failure to comply with GDPR requirements could result in fines of up to €20 million or 4% of global annual turnover, whichever is higher. The regulation governs every aspect of the data life cycle: how personal information is captured, stored, transferred, processed, protected, used, and retained.
With the May deadline looming, many organizations sprinted to assess their policies, processes, and technologies against the regime and adjusted their compliance programs, sometimes making significant changes. Indeed, it was not unusual in the second half of May to receive upwards of ten notifications per day from various companies regarding their updated data privacy and security policies in light of GDPR. Others, given the time pressure, put in place temporary solutions (such as the stripped-down, ad-free version of USA Today’s website served to EU visitors) or manual stopgaps to achieve minimal compliance in their privacy, security, and third-party management efforts.
The next challenge for security and privacy leaders is maintaining vigilance and demonstrating ongoing accountability to the principles for processing personal data set out in GDPR: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; and integrity and confidentiality. Although the GDPR implementation deadline has passed, the flow of data privacy and security regulation runs in one direction only; it should surprise no one that U.S. states are beginning to adopt stricter, GDPR-style data protections.
In 2017, Ankura and Ari Kaplan Advisors surveyed information security leaders on emerging and evolving data privacy and security risks, culminating in the report “The Shifting Cybersecurity Landscape: How CISOs and Security Leaders Are Managing Evolving Global Risks to Safeguard Data.” A common refrain from participants was the challenge of advocating for investment in security and privacy programs beyond the initial push for implementation. “The biggest misunderstanding is that a company can throw a bunch of money [at data privacy and security] and the problem is solved; it is an ongoing business problem and is an annual cost of doing business,” advised a CISO in financial services.
The IT director for a healthcare company echoed that company leaders and financial decision makers may “react to what is in the media or concerns that are brought to their attention, but they forget quickly; they don’t realize that in order to maintain a certain level of assurance, it requires a sustained commitment.”
Beyond maintaining ongoing vigilance, many organizations will likely need to make additional investments in the coming months to build robust compliance programs, addressing the gaps exposed during their initial GDPR efforts.
OPPORTUNITIES FOR IMPROVEMENT MAY INCLUDE:
A Deeper Dive
A more detailed data audit to identify personal information, together with a robust process to refresh the mandatory records of processing, may be in order. In our survey, only 77 percent of participants indicated that they had data inventories, and within that 77 percent, 30 percent responded that their inventory was incomplete or out of date. An inventory that is stale is only marginally better than none: it cannot support data subject requests, breach-scope assessments, or retention decisions with any confidence.
Bringing the Compliance Program to Life
There may be a real gap between the promise of policies and the ability of employees to fulfill them, particularly when navigating the overlapping (and sometimes conflicting) requirements to retain and to destroy records. Organizations will need to develop standard operating procedures and role-specific training so that employees understand the rules and follow through. At the same time, organizations must have monitoring programs and internal audit processes (or other validation plans) to confirm that the compliance program is executed efficiently and effectively and that required records are maintained.
Many companies still rely on manual, decentralized processes despite the wide availability of automation technologies. Beyond the increased regulatory risk and risk to data subjects, ad hoc efforts can create bottlenecks for core business processes when they fail to scale.
Companies may not have conducted or updated third-party data privacy and security audits, or extended such audits to the partners of those third parties. 97 percent of survey participants indicated that they formally evaluate the security of their vendors, but the GDPR requirements for transfers of personal data also cover record keeping, privacy practices, and other administrative elements that go beyond the application of best-practice security controls. Further, 60 percent of respondents admitted that they did not extend any level of assurance to the partners of their vendors, even though a sub-processor handling the same data carries the same obligations.
In the sprint to May 25, many organizations may not have had the opportunity to pressure-test their incident response plans through tabletop exercises against GDPR’s newly implemented 72-hour notification timeline. That clock starts when the organization becomes aware of the breach, so detection, escalation, and scoping all have to fit inside it along with the notification itself. It is vital that companies not only plan for data breach incidents but also conduct fire drills to ensure that such plans can be executed effectively within the tight timeframes the regulation requires.