GDPR: Whose problem is it anyway?
With the GDPR deadline looming on May 25, 2018, every organization in the world that transmits data related to EU citizens is focused on achieving compliance. And for good reason. The ruling carries the most serious financial consequences of any privacy law to date – the greater of 20 million EUR or 4 percent of global revenue, potentially catastrophic penalties for many companies.
Compounding matters, the scope and complexity of GDPR extends beyond cyber security, requiring equal involvement from legal and IT teams. For many security executives, this is causing significant consternation about the organizational borders of GDPR. Specifically, “Who owns It?” and “Who does what?”
Effective GDPR compliance requires well-defined roles and division of responsibilities, as well as strong interdepartmental partnerships. Above all, it’s a team effort, and clear communication is the key. Here’s a snapshot of the three core business areas where integrated efforts are necessary to achieve GDPR compliance, and the distinct challenges of each.
It’s a legal thing
At first glance, it would be easy to attribute many of the GDPR rules to cyber security policies, but there are a staggering number of components of GDPR that fall outside the purview of a typical cyber security program. Take, for example, Chapter 5, which contains stipulations for determining adequacy of protection for third countries, binding corporate rules, safeguards and international cooperation regarding personal data. And that’s just scratching the surface.
A majority of the GDPR heavy lifting from a legal standpoint involves making sure everything is in order from a contracts standpoint, such as ensuring third-party relationships have the appropriate model contract clauses in place to enable compliance (e.g., Privacy Shield Frameworks.)
In successful field cases, the internal and/or external council are leading the charge around the contracting, privacy and legal components of GDPR. And as they work to develop the appropriate contract language to enable compliance, they are relying on close coordination with the cyber security team to address questions related to the effectiveness of safeguards, the security of processing, and the risk assessment aspects of GDPR.
It’s an IT thing
The IT team is undoubtedly tasked with the biggest burden around GDPR. This stems primarily from Chapter 3 – Rights of the Data Subject, commonly referred to as the “right to be forgotten,” but it contains far more data subject rights than the right to erasure, such as the right to correct info, the right to portability and the right to object. Enabling these data subject rights is a massive undertaking that entails a substantial amount of work on IT systems and an enormous amount of effort for IT teams – mainly because most legacy systems, from CRM and EHR to ERP and customer web portal systems, were not designed to support these data subject rights.
Based on the sheer volume of raw IT work required to support these data subject rights, achieving GDPR compliance by May 25 will be out of the question for most organizations. While there seems to be a moderate degree of comfort around meeting GDPR requirements in the legal and cyber security realms, there’s no question that CIOs and application architects are facing a grueling – and expensive – task.
It’s a cyber security thing
If GDPR could be boiled down to a one-sentence law, it would likely state, “Don’t get breached; if you do, it’s going to cost a lot of money.” Given the hefty financial penalties associated with GDPR, it’s critical for the cyber security program to mitigate breach risk as much as possible.
This is best achieved by concentrating efforts around six key cyber security pillars – data governance, data classification, data discovery, data access, data handling and data protection. Particularly since IT teams face the most overwhelming mission, this is an opportunity for cyber security professionals to step up and provide air cover for their IT and legal partners as they work together to pursue full GDPR compliance.
The question of the DPO
As part of Article 37 of the GDPR, companies must appoint a Data Protection Officer (DPO) to ensure compliance with the regulation. However, a divide is emerging as many organizations appoint someone from inside counsel while others look to cyber security leadership, such as the CISO or VP of Information Security. There is no right or wrong answer as to ownership of the role, but it’s an area that’s causing a fair amount of confusion.
One of the reasons for this is the unique duality of the role. Article 39 of the GDPR assigns very specific technical tasks to the DPO, related to the monitoring of compliance with the regulation and interpreting the results of data protection impact assessments (DPIAs). Additionally, the GDPR requires that the DPO report to the highest level of management in the company. As a result, the DPO role is somewhat different from both the typical CISO and the general counsel, as it is expected to combine significant technical wherewithal in and around privacy and privacy technology, with the independence and neutrality normally found in general counsel.
In some cases, such as with smaller organizations, appointing a third-party virtual DPO may be the ideal answer. Articles 37 and 38 of GDPR specifically enable organizations to leverage a DPO through a service contract, provided the DPO is readily accessible to the client.
While it’s likely we’ll begin to see coalescence around where the DPO sits and who they report to, the most critical factor is having strong relationships between the legal, IT and cyber security teams – particularly because there are elements in GDPR around reasonableness of controls, the “state of the art” and the cost to implement controls (as defined in Article 32 and mentioned again in Article 25) where cyber security expertise is crucial.
According to Forrester, more than 80 percent of companies affected by GDPR will not comply by the deadline – of these, 50 percent will fail in their efforts to comply, while others will do so willingly, as the result of a cost-risk analysis. However, organizations don’t need to panic. Forming a cohesive union between the legal, IT and cyber security teams is a critical step that can lay the foundation for developing a roadmap for success and showing due diligence in complying with the spirit of the law. This could make an important difference in the event of an incident between May 25 and becoming GDPR compliant.