The looming deadline for compliance with the European Union’s Global Data Protection Regulation (GDPR) is weighing heavily on the minds of decision makers whose enterprise does business with the EU. Not only does preparing for the GDPR initiative require careful planning and smart investment, but it also means IT, security and business leaders need to be tightly aligned.
Therein lies the dilemma.
Many organizations are still struggling to come up with a coherent, comprehensive approach to GDPR compliance, as borne out in a recent roundtable discussion on the topic hosted by Palo Alto Networks in London. The roundtable, which included senior executives from major UK-based organizations, covered issues ranging from risk mitigation and data mapping to the sticky question of what constitutes consent from consumers who provide their personal information.
GDPR-related challenges can be summed up in the assertion of one roundtable attendee: “Too often, we’re looking at GDPR through different lenses,” he said. “The data privacy side of the house looks at it and wonders how long they should hold onto data and what their rights and responsibilities are. Meanwhile, on the cybersecurity side, they’re looking at controlling access to data, keeping it safe and determining how to respond when a breach occurs.” And, he added, the business executives and board members are obviously concerned about the business implications.
Non-compliance can have big consequences, so work together
Of course, organizations are becoming more aware of the critical nature of solving this problem because of the potentially severe financial implications of GDPR non-compliance. After May 25, 2018, a violation can lead to fines of up to 4% of global annual revenue or 20 million euros, whichever is higher. GDPR compliance, however, is far more than an EU concern. A recent study by global consulting giant PwC noted that complying with the Regulation is a top priority for nearly every U.S. organization.
Participants at the roundtable discussion expressed two divergent perspectives on getting the technical side of the house aligned with the business side—especially boards of directors. “You need to have the business buy-in first,” said one attendee. “Then, you think about the technology, because it ultimately revolves around taking a risk-based approach. Determine your key stakeholders and map their goals with potential risks to help prioritize your efforts.”
“When sponsorship comes in too low within the organization, it’s not effective enough,” said another roundtable attendee. “It needs to be lifted up to the board level so they can drive ownership as well as responsibility for implementation.”
Greg Day, vice-president and regional chief security officer in EMEA for Palo Alto Networks, related a telling story from the event. “I spoke to a data privacy officer, who said, ‘I spoke to my legal guy and the regulatory authorities to get agreement on the process and how to document it. But when I spoke to our security guys, they wanted to hit it more head-on, talking about controls, how to lock down the data and how to keep it safe.’”
Making alignment happen
How should organizations go about trying to get everyone aligned? “First, get everyone educated,” said Day. “Learn what you need to learn, then learn it. Let everyone who needs to know know that they have skin in the game. Assign the lead person who will own responsibility, and determine the working group members.”
“Second, remember that it’s easy to look at GDPR and be scared away because it seems very amorphous,” he added. “Third, communication has to happen more frequently and openly. The frequency of communication is likely to vary according to each specific article of the regulation.”
“Ask and challenge your privacy officers on the risks associated with various options, and discuss possible control mechanisms, such as whether we can restrict access to certain data,” said Naveen Zutshi, senior vice-president and chief information officer at Palo Alto Networks. “Ultimately, you have to balance security and privacy with the need for speed in innovation. The question becomes how you can achieve both and do them each very well.”
GDPR is deliberately vague
It’s important to remember that the previous EU data protection law lasted more than twenty years, and GDPR is likely to have a long life, as well. “GDPR can appear vague, because it is written for longevity,” said Day. “That’s very different from compliance requirements such as PCI, which are quite prescriptive at the level of specific controls.”
That means organizations need to take extra care to gather input and perspective from all functional disciplines, not just IT or security, and also to seek out the advice and experience of third parties that can see the big picture.
A lack of appreciation for the regulation’s ins and outs creates the risk that internal questions about whether everything is fully covered in the organization’s GDPR planning, development and deployment get dismissed. “I spoke to a customer who went to his CISO and asked, ‘Are we safe?’” said Day. “He said he was always told yes, and that concerned him. When it comes to GDPR, answers should be more nuanced because the regulation isn’t as clear-cut as many would like. Those running GDPR programs inside an organization need to be ready to provide enough specific insight into their challenges and be honest about whether they need more help or resources.”