[BreachExchange] GDPR – Why it’s Time for the Board to stop Passing the Buck

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 10 20:30:44 EDT 2017


http://www.itsecurityguru.org/2017/10/09/gdpr-time-board-stop-passing-buck/

The General Data Protection Regulation (GDPR) comes into effect in the UK
on 25 May 2018. Yet, many organisations remain in denial, with a typical
mindset being: ‘if I ignore it long enough, it will probably go away’, or
even, ‘I don’t think it really applies to me’.  Ultimately though, any
business that holds personal data about their customers, employees or that
runs a payroll is going to be impacted by the regulation. That’s because
GDPR clearly applies to all companies worldwide that process the personal
data of EU citizens.

There is a world of difference of course, between understanding that your
business needs to get ready for GDPR and making it happen. There are likely
to be a raft of challenges along the way. Many leadership teams immediately
baulk at the need to put policies in place. Organisations, and particularly
their directorial boards, often feel that they don’t have the time,
manpower or the feel the necessity to do this. But what other options do
they have?

We are beginning to see legal departments take on some of the strain. The
data protection officer (DPO) role that for many organisations will be a
mandatory requirement after May 2018 is increasingly finding itself housed
within legal teams as another thing on their ‘to do’ list. In some
businesses, the legal department is even formulating policy for the rest of
the business to follow.

Many boards, however, still try to shift the problem to the domain of the
IT department. There are far too many CIOs attempting to abdicate their
responsibilities in this area. The rationale is often that they are simply
too busy thinking about the future strategy of the business to spend time
considering what they see as essentially IT-focused legislation, so there
it should lie. That’s a mistake. GDPR is  a business issue just as much IT
one. It shouldn’t simply be offloaded to network engineers and made a
technology problem – it is a business opportunity, where technology can
help.

There is often greater traction in looking outside the organisation for
help. But again, the key question is where to look. Firstly, there are a
host of companies in the marketplace that are making a lot of noise –
saying come and speak to us – we will make you GDPR compliant. However, it
is unlikely that a single company operating alone could ensure a customer
will meet all the demands of this new GDPR legislation. So, businesses
should be very wary about taking this supposedly catch-all path to
compliance.  It is likely to turn out to be anything but.

The Right Approach

It is clear that businesses can and should be doing today to make sure they
are ready in time, especially with regards to good data management.  For
many organisations, ensuring their data classification processes are up to
scratch is one of the very first actions they should take. Every business
should know what data it has; where that data resides – (and that means not
just the primary data stores but what information is held on laptops and in
off-site back-ups for example), and how they manage, control and audit
access to it.

They should also, in the context of GDPR, be aware of the CIA triad,
(Confidentiality, Integrity and Availability), with the emphasis on the
first two of these. When it comes to managing personal data,
confidentiality and integrity need to be high on the agenda. Businesses
must restrict access to just those people who need to view the data, and
they need to ensure that the data is accurate and any relevant updates have
taken place. Other key technological measures that can be taken to help
protect sensitive personal data include data loss prevention and
encryption, whether that is of data held in a data centre, on-premise, in
the cloud, or elsewhere.

In a sense, much of this is simply about adopting a best practice approach.
The IT industry has long tried to educate businesses about risk mitigation
and cyber-security by espousing compliance and reputational protection.
GDPR is, however, only the start of a journey, the minimum standard that
organisations should be aiming for.  It’s about enforcing a decent baseline
of security – however organisations that fail to act appropriately and in a
timely fashion will find that it’s a  regulation with teeth.

By January 2018, we foresee many organisations starting to panic about the
25th of May. They will suddenly realise that time is short and they need to
act immediately in order that they are adequately protected procedurally as
well as technically. By then, however, it may be too late.  The message for
the boardroom is a simple one; If you are not already running a best
practice approach where you know what you have, where it is, and who has
access, it can take more time than you have to be fully prepared.

Put this on the boardroom wall; Stop passing the buck – if you have not
already got your GDPR house in order, you better start doing it right
away.  Tempus Fugit.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171010/ff2b48d5/attachment.html>


More information about the BreachExchange mailing list