Earlier this week, Facebook announced it is rolling out a new privacy center to help the company comply with Europe’s General Data Protection Regulation (GDPR), which comes into effect in just four months. The company’s announcement comes just ahead of next week’s Data Privacy Day, and is a reminder of how slow U.S. companies have been in preparing for the May 25 compliance deadline.
Many companies have taken little note of GDPR, believing it only affects companies in the European Union — or perhaps waiting for big fish like Facebook or Google to make a move first before investing in big audits of their own data. To be clear: If you’re part of a U.S. company that handles personal information of EU citizens, the GDPR applies to you. Failing to comply will result in significant penalties of up to €20 million or four percent of a company’s global revenue, whichever is greater.
GDPR is a team effort, and everyone within an organization has a responsibility to protect data and understand the main points of the GDPR. So, whether you’re a board member, C-suite executive, or part of the legal, IT, or security teams at your company, here’s what you need to know. The clock is ticking.
The players: Roles and departments
While GDPR is a team effort, effective GDPR compliance requires well-defined roles and division of responsibilities, as well as strong interdepartmental partnerships. There are three key players to GDPR compliance that every organization should be aware of:
The Controller: This person or office determines the purpose, conditions, and means of processing data, but they don’t actually do the processing. This person or office is also responsible for ensuring that outside contractors comply with regulations and reporting data breaches to the appropriate authorities.
The Processor: This person or office processes the information on behalf of the controller. A processor could be a third party or an employee within the organization. The processor should follow the contract as set by the controller and adhere to confidentiality. Additionally, the processor protects data with technical and organizational controls, and provides documentation to prove compliance.
The Data Protection Officer (DPO): The data protection officer oversees compliance and communicates with data protection authorities. The DPO reports to the highest management and generally has experience with risk management. Note: the DPO cannot be involved in data processing, as this would create a conflict of interest. This office is bound by confidentiality.
Because the GDPR extends beyond cyber security, there are three core business areas — in addition to the aforementioned roles — whose integrated efforts are necessary to achieve compliance:
Legal: A majority of the GDPR heavy lifting from a legal standpoint involves defining what’s in the scope of the regulation, where a company has vulnerabilities, and whether data is being used properly. Legal also must make sure everything is in order from a contracts standpoint, such as ensuring third-party relationships have the appropriate model contract clauses in place to enable compliance.
IT: The IT team carries the heaviest GDPR burden. It must ensure that IT systems, services, and technologies protect customer data and comply with the regulation’s requirements.
Security: Given the hefty financial penalties associated with GDPR, cyber security programs must mitigate breach risk as much as possible. This is best achieved by concentrating efforts on the six cyber security pillars outlined below.
The game plan: A data-centric security program
Countries and organizations may define personal information in different ways, but the GDPR defines it as data that can be used to identify a person, such as a name, an email address, bank account information, social media posts, health information, and more. Because the GDPR is laser-focused on the collection, processing, and movement of this personal information, one of the best ways to achieve compliance is to take a data-centric view of your information security program and evaluate it against the following six pillars.
Data governance: Understand and meet your organization’s GDPR obligations. Knowing what data is regulated and why this data is used to support business functions is essential before any other activity can be taken toward classifying it, administering access, or defining specific protections.
Data classification: Analyze and classify relevant data for ongoing management. The data classification process entails locating data and assigning it a certain category (e.g., highly restricted, restricted, internal use, public), so your business can enable the right level of protections based on the associated business and regulatory risks.
Data discovery: Locate sensitive data within the organization and set up structures for ongoing management. Organizations must be able to clearly articulate where their regulated data is — regardless of whether it’s in the cloud or on-premises, internal or third-party, structured or unstructured — and how it’s used.
Data access: Determine who has and should have access to data and manage permissions accordingly. Knowing this vital information helps organizations defend the business need for the data and ensure data isn’t used outside of its intended purpose.
Data handling: Implement safeguards for information and prepare for a potential data breach incident. Organizations must understand the risks associated with data at rest, as well as data that moves throughout the company, between companies and between applications, and implement appropriate protection measures. Perhaps most importantly, proper data handling lets you determine when an incident becomes a breach, which is essential, as GDPR requires notification within 72 hours of a company becoming aware of a data breach.
Data protection: Protect sensitive information with an appropriate security program. The GDPR requires that organizations take technical and organizational measures to ensure a level of security appropriate to the risk, but it doesn’t outline how to do this.
The bigger benefits
GDPR is such an intimidating opponent to many U.S. organizations that they don’t even appear to be showing up for the competition, let alone trying to win. Rather than considering GDPR a problem too tough to tackle, view it as an opportunity to put the right building blocks (people, processes, and technology) in place for an effective security program. After all, when you have a well-run security program, regulatory compliance — including GDPR compliance — will be a natural side-effect.