Compliance and Privacy in the GDPR Era
In the age of GDPR and CCPA, there seems to be more conjecture about compliance and personal privacy than there is about the weather. It’s understandable, as predicting the conditions outside seems a lot easier than devising and implementing an effective data protection strategy.
With headlines about data breaches being far too frequent and substantial fines for non-compliance becoming a growing reality, pleading naivety to the issues and impacts is neither sympathetic nor sufficient for organizations of any size or type. The good news is there are a number of tools and solutions available that can automatically detect risks and protect personal data while reducing exposure to legal and financial risks.
Begin With People, Not Technology
But before jumping into any technology solution, it’s imperative to start with an understanding of how that solution will impact all organizational stakeholders. Start by circling the wagons and enlisting the cooperation and insights of your business leaders as well as your legal and compliance teams. Too often, chief information security officers (CISOs) face growing compliance challenges due to a lack of cohesive effort across their companies. Resistance from employees is a tough hurdle to clear, especially if they believe that complying with new security policies will make their jobs more difficult.
C-level buy-in is a prerequisite to successful policy implementation. Unless these important influencers see and feel the element of risk, it’s going to be difficult to implement any sort of program. Consider a two-phase approach as a best-practices tactic. Start by identifying the lowest-hanging fruit and implement something that is relatively easy for everybody in the organization to leverage and get behind.
Making changes where they are easiest to leverage is a good way to build confidence and momentum. Even if this reduces only 15% of your risk, you’re on the road—so stay focused on achieving steady, incremental progress. At times, the process can be daunting, at least at first, but don’t be sidetracked by analysis paralysis. Instead, continue holding meetings on what will be implemented next and move forward.
Putting the Proper Rules in Place
Rolling out plans and policies to employees requires a foundation of proper rules to guide the entire process. While a mandatory compliance course is an admirable start, it’s important not to overwhelm employees out of the gate. However, believing that a 20-minute session provides sufficient preparation is shortsighted. Instead, it’s highly recommended to implement a policy that includes catching and educating employees whenever inappropriate or risky activity is detected.
It’s crucial for everyone to understand—and embrace—the big picture. Rules and policies regarding compliance and personal privacy are not meant to restrict personal productivity. Instead, they aim to protect employees, the business and customers. In short, it’s crucial to drive home the credo that the company cares about its employees and customers and doesn’t want to put anyone at undue risk. The best and most effective way for everyone to participate is to know the rules.
As a cautionary tale, I’m reminded of a story shared recently by the CISO of a large, well-known bank. When a complex predictive algorithm flummoxed an intern, he shared his plight with some fellow students at school. While they came up with a reasonable solution for the bank, the intern had to be let go—despite his good intentions—because he violated the company’s privacy policy by sharing confidential information.
Think about this in the context that typical office workers send approximately 40 work-related emails and receive about 90, according to TechJury. Therefore, a company with 1,000 employees is dealing with 40,000 to 90,000 emails every day, many containing potentially private personal data. Bring the 80/20 Rule into play here: If 80% of the potential data risks are caused by 20% of the behavior, putting policies in place to safeguard personal data as it’s created in emails and files can deliver immediate and significant risk reductions.
Create a Technology Tool Framework
Once everyone knows and understands the rules, it will be easier to construct a technology framework of tools to help detect and mitigate risk. Balance is the goal: locking down too much data stifles employees’ and customers’ ability to transact business. To minimize risk while maximizing reward, it’s important to select technologies and tools that balance the need to protect information with the ability to achieve widespread adoption.
Favor a crawl-walk-run approach, as it is not necessary to roll out the entire strategy on day one. Instead, identify the riskiest endpoints and focus initial efforts there. Then don’t be afraid to rely on test cases along the way. Tweak the process to align with how the organization functions and employees work. Going with solutions that have AI and machine learning capabilities can assist in training the solution to provide the best and most flexible fit while automating some processes to reduce the burden on employees.
Once up and running, continue the gradual rollout: “Walk” with a small group before you “run” with the entire organization. Remember, this is not a set-it-and-forget-it situation; expect to revisit and tweak policies and settings on a regular basis.
Think of your data protection solution as an engine. Once it’s in place, occasional tuning is required to maintain exceptional performance. It’s also important to choose an engine that permits interoperability with other solutions that may be worth adding and leveraging as business and company conditions, as well as regulations, emerge and evolve.
There’s No End and No ‘Compliance’ Button
A comprehensive and compliant data protection strategy is as necessary to businesses today as having a website. In measuring up to regulations such as GDPR and CCPA, as well as others, regulators don’t expect everything to be perfect immediately, but be assured they will judge each case by the demonstrable, concrete steps that have been taken. So get moving and keep moving; there’s no end and no easy button. Privacy and security are everybody’s business and everybody’s concern.