Over the past two years, many IT security teams began working closely with their business unit colleagues on implementing new security solutions, or upgrading existing ones, to help ready their enterprises for complying with the EU’s General Data Protection Regulation (GDPR).
As the May 25 enforcement deadline nears, organizations are finalizing their compliance strategies to protect the privacy of their customers, partners and employees while avoiding the potentially severe fines associated with a privacy breach. Much has already been written elsewhere about the many steps enterprises are taking to achieve regulatory compliance. Now it’s time for cybersecurity professionals to turn to their GDPR countdown checklists, including the following strategic action items.
Action Item 1: Prepare to Educate
Many enterprises will establish a dedicated Data Privacy Officer (DPO) to meet GDPR requirements, but regardless of who is tasked with the responsibility at your company, it’s highly unlikely that a technologist is filling the role. In addition, if you work at a large enterprise, your DPO may even oversee a data privacy staff made up of non-technologists who execute GDPR compliance activities.
By definition, such individuals will lack sufficient technical knowledge of security—and of security solutions—to truly evaluate GDPR readiness. Consequently, cybersecurity professionals need to find out how well their DPO understands the language of security and the solutions already in place. Then, develop a plan for educating your DPO using a vocabulary that bridges the gap between what the GDPR requires and the types of security technologies that support compliance.
Further, expect such education processes to occur continuously, as security considerations, threats and solutions evolve. Savvy cybersecurity professionals will build a framework for the needed ongoing education of the DPO to reduce internal frictions and, more importantly, minimize the risk of misunderstandings that can lead to sub-optimal product acquisitions.
Action Item 2: Conduct Compliance Self-Assessments
As your DPO is unlikely to have the technology expertise to say, “We need X solution to address Y compliance requirement,” it’s imperative for IT security teams to conduct regular self-assessments for uncovering gaps and determining options for remediating them.
This entails continuous examination of the compliance needs identified by your DPO and assessment of whether existing cybersecurity mechanisms are right for the job. Then, provide your DPO with feedback on where investments are required and what types of upgrades can be pursued—along with their associated pros and cons. As no budget is infinite, close collaboration with your DPO can help set priorities.
Also, if you don’t have one, be sure to develop a methodology for helping your DPO understand whether personal data is involved in a particular IT system, what controls are in place and how those controls are being used. This will assist your DPO with developing and maintaining an appropriate Data Protection Impact Assessment, which is part of the DPO’s portfolio of responsibilities.
Action Item 3: Address Cybersecurity Governance
While it’s one thing to invest in security solutions that help address personal data protection, it’s another to use them in a manner that is also GDPR-compliant. Here are three key governance matters your team should address.
- Access Policy Governance – Having robust access controls isn’t good enough to comply with GDPR. Instead, you also need a set of policies that can be defined, implemented and enforced around how your enterprise controls access to personal data. In addition to governance around individuals who can access personal data as a requirement of their job function, pay attention to privileged users, such as systems administrators, who can circumvent standard controls inside of an application or a database. It’s imperative to identify these users, establish governance controls and implement enforcement mechanisms through technology solutions such as network access control.
- Breach Management Governance – Beyond implementing advanced systems for quickly detecting breaches by internal or external actors, GDPR compliance requires notifying regulators within 72 hours of becoming aware of a breach and, without undue delay, the affected individuals. Thus, breach management governance involves specifying the information needed for understanding the breach (what happened, who was affected, how widespread it was, etc.), what mechanisms you’ll use to collect it, the impact assessments required, how you’ll assemble remediation recommendations and to whom you’ll report internally—typically, your DPO—all within 72 hours.
- IT Acquisition/Update Governance – As your enterprise’s entire IT ecosystem essentially touches personal data, supporting privacy needs and GDPR compliance will be a key factor in almost every category of IT acquisition or update your company makes going forward. This requires shifting your company’s IT acquisition governance to accommodate data privacy. It includes specifying roles and responsibilities for cybersecurity professionals to assist with identifying and addressing the security and privacy concerns, regardless of what type of solution is being evaluated.
In the coming weeks, your DPO will have myriad GDPR-related tasks to accomplish as they work to comply with 261 pages of dense legal reading. By proactively addressing the foregoing strategic cybersecurity action items, you’ll let your DPO know that you have their back.