[BreachExchange] GDPR: Why it is time for the CIOs to be counted?
Audrey McNeil
audrey at riskbasedsecurity.com
Mon Jul 10 20:13:24 EDT 2017
http://www.cio.com/article/3206187/regulation/gdpr-why-it-is-time-for-the-cios-to-be-counted.html
Much has been written in this publication about the EU’s General Data
Protection Regulation (GDPR). According to PWC, CIOs are allocating
millions of dollars from their budgets to GDPR. Yet Gartner’s Bart
Willemsen says, “97% of companies did not have a definitive strategy as of
late last year,” and “23% of companies actually expect to be sanctioned or
to take remedial action.” I was not surprised by Bart’s numbers because in
a recent conversation with the Executive Director of the Privacy and Big
Data Institute, Dr. Ann Cavoukian, she said that “although most
organizations expect a grace period after the regulation becomes effective,
regulators believe enough time has been made available to comply and
enforcement will commence on May 2018”. One CIO that I know said recently,
“It is unfortunate that many are not studying up on GDPR because the impact
of not doing so is so material to their businesses.”
While it is tempting to think the GDPR only matters for risk officers in
European companies, this would be a mistake. GDPR demands the attention of
multiple corporate functions for any business worldwide that processes EU
citizen data. In terms of breadth, the regulation stipulates that EU
citizens have the ‘right to be forgotten’. Google has already processed 1.7
million requests to be forgotten and over 760,000 links have been removed
because of GDPR. Think about the potential cost and havoc this volume of
requests could create for traditional industries like banking.
So, what are the impacts of the GDPR?
The regulation gives individuals more rights and control over their
personal information and how it is processed. Organizations are required
to “implement appropriate technical and organizational measures to ensure
security is appropriate to the risk.” GDPR mandates that organizations must
know where and how the private data of European citizens is stored and
accessed, then prove it is appropriately protected “by design and by
default” throughout its lifecycle, with “the existence of appropriate
safeguards.” Organizations are also required to create and certify the
enforcement of “Codes of Conduct” for the appropriate use and protection of
private data. In the event of data loss, brands that have failed to
adequately protect the rights of individuals must provide breach
notification, so penalties are not only financially steep, at 4% of
annual global turnover, but also extremely public.
What is needed to comply?
Complying with the GDPR requires people, process, and technology.
Organizations need to establish a team with shared goals and responsibility
for achieving GDPR compliance. Chartering this team involves functions from
business development, risk and compliance, privacy and information
management, the emerging CDO office, and the appointment of a Data
Protection Officer (DPO). Success is built upon this team working
effectively together and utilizing established best practices such as the
Data Governance Institute’s (DGI) Data Governance Framework and Dr. Ann
Cavoukian’s principles of Privacy by Design (PbD).
The GDPR mandates the protection of personal data ‘by design and by
default’, a right that closely aligns with PbD:
1. Proactive not Reactive
Meeting this mandate means privacy cannot be an afterthought. It needs to
be a consideration during all possible uses of information and enterprise
policies should govern data at all touch points. Organizations need to
focus on privacy protection throughout the data flow, both internally and
externally.
2. Privacy as the default
Enterprises need to compartmentalize data access and set privacy
protection as the default. They need to ask questions of data owners: What
are the consequences if data is exposed? What are the financial liabilities
of exposure? What are the reputational impacts? By asking these questions,
IT and the business can share responsibility for creating privacy
policies and developing appropriate GDPR-compliant safeguards in answer to
them.
3. Privacy embedded into design
Organizations must prove that the private data of European citizens is
appropriately protected throughout its lifecycle, which means that privacy
needs to be a requirement. Privacy protection is most effective and the
least disruptive when it is built in rather than bolted on as an
afterthought, so organizations need to systematically recognize it as
integral during the design phase of all new projects.
4. Full functionality
Full functionality means that all legitimate interests should be
accommodated in a “win/win” versus zero-sum manner. Privacy by Design aims
to avoid the notion of pitting business ends against each other—e.g.
privacy vs. security. It aims to demonstrate that you can use data and
protect data at the same time.
5. End-to-end security
Data privacy is bigger than any single project or application alone; it
needs to consider the use of information wherever it goes and the emphasis
needs to be on the data itself as well as all its touch points. This means
knowing where all data exist within an enterprise so it can be thoroughly
accounted for and appropriately protected.
6. Visibility and transparency
Visibility and transparency are as essential to consumer trust (confidence
that personal information is protected from threats as well as from misuse)
as they are to GDPR compliance. Organizations need privacy policies based
on codes of conduct that hold business units accountable for information
usage and processing.
7. Respect for user privacy
Organizations need to make data privacy and security business priorities
integrated into enterprise culture and management. Part of this process is
establishing explicit data owners and involving them in the implementation
of policies that have at their core respect for data subjects and their
personal information. This also involves giving data subjects the ability
to actively manage their own data by offering consent, accuracy and access.
Achieving the above is impossible on an application-by-application
basis in today’s complex, extended IT ecosystems. One CIO put
the problem to me this way: “You know those flight maps in the airline
magazines? Those are our data flow maps; we have in our environment data
flying all over the place.”
The goal of an organization’s people, process and technology should be to
enable holistic protection of all personal information within systems,
which means determining what data should be protected and enforcing
policies to consistently protect it as it flows throughout the enterprise,
not just at the application level.
Dealing with the dataflow
Organizations need technology that enables them to achieve what Michelle
Dennedy, Cisco’s Chief Privacy Officer and co-author of The Privacy
Engineer’s Manifesto calls “data-centric and person-centric” data
protection.
GDPR compliance needs to be built upon an all-encompassing discussion about
protecting personal information ‘by design and by default’ that results in
privacy protection as a corporate value, interwoven with everything the
business does. This is a major shift for most organizations, requiring the
shared development of data governance, privacy and protection policies
within the community served, in combination with technical solutions for
their enforcement.
Technology choices
For some, disk encryption may seem like an appropriate answer, but it is a
high-risk, all-or-nothing approach: recent breaches have taken advantage
of those with privileged access.
Organizations need data protection that enables differentiated rights of
access to data, internally and externally, by context. GDPR mandates
appropriate safeguards for personal data which “may include encryption or
pseudonymization.” Pseudonymization is defined by the International
Association of Privacy Professionals (IAPP) “as the separation of data from
direct identifiers so that linkage to an identity is not possible without
additional information that is held separately.” IAPP says, importantly,
that pseudonymization may significantly reduce the risks associated with
data processing while also maintaining the data’s utility. For this reason,
it says that GDPR creates incentives for controllers to pseudonymize the
data that they collect. Although pseudonymous data is not exempt from the
regulation altogether, GDPR relaxes several requirements on controllers
that use the technique.
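The IAPP definition above can be made concrete with a small Python example (added here; it is not code from the article or from any product it mentions): direct identifiers are replaced by a keyed pseudonym, and the key plus a lookup table are the “additional information held separately”. The field names, key and records are constructed for illustration.

```python
import hmac
import hashlib

# Fields treated as direct identifiers in this example (an assumption).
DIRECT_IDENTIFIERS = ("name", "email")

def make_pseudonym(email, key):
    """Derive a stable pseudonym from an e-mail address with a keyed HMAC.

    A keyed MAC rather than a plain hash: without `key`, someone holding a
    list of candidate addresses cannot recompute pseudonyms and relink the
    data. The key is the 'additional information held separately'.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]

def pseudonymize(records, key):
    """Split records into a working dataset and a separately held lookup.

    The dataset keeps only non-identifying fields plus a subject_id; the
    lookup maps subject_id -> the removed direct identifiers.
    """
    dataset, lookup = [], {}
    for rec in records:
        pid = make_pseudonym(rec["email"], key)
        lookup[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        dataset.append({"subject_id": pid, **rest})
    return dataset, lookup

def reidentify(subject_id, lookup):
    """Relink a pseudonym to its identifiers; needs the separate lookup."""
    return lookup.get(subject_id)

def erase_subject(subject_id, lookup):
    """Honour an erasure request by dropping the lookup entry; the working
    dataset keeps its rows but they can no longer be tied to a person."""
    return lookup.pop(subject_id, None) is not None

# Constructed sample data; the key would live with the privacy office.
SAMPLE_KEY = b"example-key-held-separately"
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "Alice@Example.org", "country": "DE", "balance": 120.0},
    {"name": "Bob Example", "email": "bob@example.org", "country": "FR", "balance": 75.5},
    {"name": "Alice Example", "email": "alice@example.org", "country": "DE", "balance": 30.0},
]
```

The same subject gets the same pseudonym across rows (the e-mail is normalized first), so joins and aggregates still work, while dropping the lookup entry satisfies an erasure request without deleting the analytical rows.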
Data protection clearly needs to provide granular access control while
creating minimal operational and performance impact for it to be fully
embraced by business leaders. By governing and protecting data itself and
controlling access to it based on the context of a user’s rights, role or
need, privacy protection can be automated enterprise wide, regardless of
where information flows, is used, or rests.
Parting thoughts
It is time for CIOs to get serious about protecting data and respond
effectively to GDPR – the consequences of noncompliance are too great not
to act today – further delays might even cost CIOs their job.