Personal Data and the European Union’s General Data Protection Regulation

The massive Equifax data breach once again hammered home the importance of protecting personal data from attackers. Some critics are calling for Equifax and other consumer credit firms to be taken over by the government in light of the breach. The point here is that failure to protect personal data from prying eyes can result in catastrophic problems for a business, including loss of consumer confidence and government investigations. Companies holding personal data and doing business in Europe have little time to ensure that data is protected: enforcement of the EU’s General Data Protection Regulation (GDPR) begins on 25 May 2018. Martin Doyle (@DQMartinDoyle), CEO and founder at DQ Global, insists the GDPR will “not only disrupt the data industry but all businesses that hold customer data.”[1] He adds, “GDPR should no doubt be on every business’s radar. … The clock is ticking to clean up your data, protecting yourself from substantial fines. The fines for non-compliance will be up to 4% of global annual turnover or 20 million euro, whichever is higher.”

Personal Data: Asset or Liability?

The World Economic Forum has declared data is a valuable resource as important to the international economy as oil. Many companies have found ways to monetize data and most businesses could not function without access to data. Facebook became a unicorn company primarily because it had access to the personal data of millions of people. Google’s and Amazon’s primary asset is data. The bottom line is that data is a valuable asset. Marc Hochstein (@MarcHochstein) points out, however, that data can also be a liability.[2] He explains:

“It is painfully clear that the more information a company has about its customers, the bigger the prize for hackers. The year 2016 set a record for data breaches [in the U.S.]. There were more than 900 nationwide as of late November, according to the Identity Theft Resource Center, up from the previous peak of 783 in 2014. The financial services sector had the smallest share of breaches, 4.5%, compared with 7% for government and military, 8.5% for educational institutions, 36.2% for medical and health care and 43.9% for all other businesses. The toll for businesses goes well beyond paying for a year of credit monitoring. A company can get fined by regulators and sued when customer information is compromised, and a 2015 federal appeal court ruling made it easier for consumers to bring class actions. Estimates of the average cost of getting breached range from $200,000 to $4 million, and that’s to say nothing of the blow to a company’s reputation. … Apart from tightening up cybersecurity — which regulators are also demanding — this environment calls for a new mindset. A simple option would be to collect only what you absolutely have to in order to run the business and be compliant, and dispose of it as soon as you safely and legally can. And for heaven’s sake, encrypt it all, no matter how strong your vendors tell you their security software is.”

Heidi Shey (@heidishey), a senior analyst at Forrester, writes, “The intersection of privacy and customer experience reminds us of the importance of collecting and managing consent, whether that involves collecting data to personalize an experience or marketing or another initiative we aim to pursue.”[3] Whether or not you do business in Europe (and are therefore subject to GDPR), Shey insists there are three things every company collecting personal data should do. They are:

  1. Develop core capabilities for privacy oversight and accountability. “Designating an individual in compliance or legal to decide what you can do with customer data based on regulatory requirements is insufficient,” insists Shey. “Instead, your firm will need to develop a set of capabilities to create, enforce, and assess policies and practices and thus manage consumer data privacy cohesively. This not only helps with efforts to meet compliance requirements, but also helps you build internal standards for privacy and data usage that align with corporate culture and values to balance data use innovation and risk.”
  2. Adopt contextual privacy practices to deliver desired customer experiences. She notes, “One customer’s terrific, personalized experience may feel deeply creepy to another. Individual interpretations of privacy matter. The new privacy is all about context. This means that your firm must allow customers to dynamically negotiate the collection and use of their personal data. As your firm designs its desired customer experiences, you must practice a ‘no surprises’ doctrine (be transparent) regarding data collection and use, give consumers meaningful opt-in and consent options, and treat more data types as personally identifiable.”
  3. Align functions and procedures to follow through with privacy policies. “Your firm’s privacy policy is useless — and a liability — if you lack enforcement mechanisms,” Shey asserts. “You must document internally how your firm achieves what your privacy policy promises, and ensure that security and operations pros responsible for implementing controls understand your data use and handling policies.”

Those suggestions are a great start to ensure your firm can comply with the EU’s GDPR.

Preparing to Comply with the GDPR

Shey’s Forrester colleague, analyst Enza Iannopollo, conducted a webinar discussing the major GDPR changes and how they impact your organization. She also discussed how to prioritize your initiatives to meet the new requirements on time, and how to build a compliance strategy that pleases regulators and your customers alike. The webinar recording is available from Forrester (registration required). Once GDPR takes full effect, notes Javvad Malik (@J4vv4D), a security advocate at AlienVault, “Organizations will be required to maintain a data breach detection plan, regularly evaluate the effectiveness of security practices, and document evidence of compliance.”[4] He suggests organizations take nine steps to ensure they are in compliance with GDPR. Those steps are:

  1. Implement a Security Information and Event Management (SIEM) tool with log management capabilities. He notes, “Article 30 of GDPR states that every controller must track and record all processing activities under its responsibility. … Organizations with data stored in the cloud should ensure that their SIEM tool can record activity not only on-premises but also across the public and private cloud infrastructure, as personal data held there also falls within the scope of GDPR.”
  2. Create an inventory of all critical assets that store or process sensitive data. “Because GDPR covers all IT systems,” he writes, “networks and devices, organizations must maintain an ongoing inventory of where personal data is stored across the entire infrastructure.”
  3. Undertake vulnerability scanning to identify weaknesses. “New vulnerabilities arise almost daily,” he notes, “whether they’re in software, system configuration, business logic or processes. Therefore, organizations must stay on top of these with regular vulnerability scanning.”
  4. Conduct risk assessments and apply threat models relevant to the business. “Organizations must identify and evaluate all of their security risks, not just vulnerabilities. Article 35 of GDPR mandates data protection impact assessments (DPIAs), and Article 32 requires companies to ‘implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk’.”
  5. Regularly test your systems to gain assurance that security controls are working as designed. Malik notes, “It’s important to note that ensuring that systems are secured as intended is not a one-time effort; rather, it must be an ongoing, repeatable process.”
  6. Put threat detection controls in place to ensure reliable and timely notification when a breach has occurred. Note that Malik didn’t write “if” but “when” a breach occurs. He adds, “GDPR requires that organizations report a breach to the appropriate regulatory body within 72 hours of becoming aware of it.”
  7. Monitor network user behavior to identify and investigate security incidents in a timely manner. Malik writes, “It is imperative that organizations maintain an understanding not only of external threats but also of potential internal threats.”
  8. Have a documented and practiced incident response plan. Plans that are not exercised never work. Malik insists organizations need “a data breach response plan that allows them to quickly and accurately determine the scope of impact.”
  9. Have a communication plan in place to notify relevant parties. Nobody wants to be the bearer of bad news, but, as Malik notes, GDPR also requires organizations to inform the affected individuals themselves, not only the regulator, when a breach involves their personal data.
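
Hochstein’s advice above (collect only what you need, dispose of it as soon as you legally can, and protect what remains) and Malik’s first two steps (an inventory of where personal data lives, and a log trail you can feed to a SIEM) are easier to reason about with a concrete retention job in front of you. The following is an added example written for this page, not code from any of the authors or vendors quoted; the retention periods, data categories, sample rows, and the key are all constructed placeholders. It walks an in-memory store of personal-data rows, deletes rows past their category’s retention period, keeps rows under a legal hold (purging those would itself be a violation), replaces expired marketing identifiers with a keyed pseudonym so aggregate statistics survive without the raw value, and emits one audit event per action so the decision is documented.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Hypothetical retention policy: days a row may be kept after its last use.
# An unknown category raises KeyError on purpose; silently keeping data
# forever is the failure mode this job exists to prevent.
RETENTION_DAYS = {"contact": 365, "payment": 180, "marketing": 90}

# Categories whose value may survive expiry as a keyed pseudonym (for
# statistics); every other expired category is deleted outright.
PSEUDONYMISE_ON_EXPIRY = {"marketing"}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash of an identifier.

    HMAC rather than a bare SHA-256: without the key, an attacker who
    steals the store cannot rebuild the original from a dictionary of
    likely values. Keep the key in a KMS, never beside the data.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def enforce_retention(rows, today, key, legal_holds=frozenset()):
    """Apply the retention policy; return (surviving_rows, audit_events).

    rows:        dicts with subject_id, category, value, last_used (date)
    legal_holds: subject_ids that must be retained regardless of policy
    The audit events are what you ship to the SIEM as evidence.
    """
    kept, audit = [], []
    for row in rows:
        limit = timedelta(days=RETENTION_DAYS[row["category"]])
        expired = today - row["last_used"] > limit
        event = {"date": today.isoformat(),
                 "subject_id": row["subject_id"],
                 "category": row["category"]}
        if not expired:
            kept.append(row)           # still within policy, no event needed
        elif row["subject_id"] in legal_holds:
            kept.append(row)
            audit.append({**event, "action": "retained_legal_hold"})
        elif row["category"] in PSEUDONYMISE_ON_EXPIRY:
            kept.append({**row, "value": pseudonymise(row["value"], key),
                         "pseudonymised": True})
            audit.append({**event, "action": "pseudonymised"})
        else:
            audit.append({**event, "action": "deleted"})
    return kept, audit


# Constructed sample data, not real records.
SAMPLE_ROWS = [
    {"subject_id": "u1", "category": "contact", "value": "u1@example.com",
     "last_used": date(2018, 1, 1)},   # 144 days old: keep
    {"subject_id": "u2", "category": "contact", "value": "u2@example.com",
     "last_used": date(2017, 1, 1)},   # expired, but u2 is on legal hold
    {"subject_id": "u3", "category": "marketing", "value": "cookie-7f3a",
     "last_used": date(2018, 1, 1)},   # expired marketing id: pseudonymise
    {"subject_id": "u3", "category": "payment", "value": "tok_4242",
     "last_used": date(2018, 3, 1)},   # 85 days old: keep
    {"subject_id": "u4", "category": "payment", "value": "tok_0001",
     "last_used": date(2017, 6, 1)},   # 358 days old: delete
]
SAMPLE_KEY = b"placeholder-key-fetch-the-real-one-from-your-kms"


def run_sample():
    """Run the policy against the sample store as of 25 May 2018."""
    return enforce_retention(SAMPLE_ROWS, date(2018, 5, 25), SAMPLE_KEY,
                             legal_holds={"u2"})


if __name__ == "__main__":
    surviving, events = run_sample()
    for e in events:
        print(e)
    print(len(surviving), "rows kept of", len(SAMPLE_ROWS))
```

Two design points worth carrying into a real implementation: the legal-hold check comes before the purge, so a hold can never be lost to a policy change, and every non-trivial decision produces an audit event keyed by subject and category, which is the evidence a regulator or a subject-access request will ask for. Running the sample yields three events (a hold, a pseudonymisation, a deletion) and four surviving rows.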

Malik concludes, “Preparing for GDPR can seem like a daunting task, but organizations that follow the above steps and are equipped with the right security tools and strategies can rise to the challenge and strengthen their security.” Doyle adds, “The introduction of GDPR may seem like a pain in the backside. However, the introduction of GDPR will give businesses a long overdue nudge to clean up their data.”

Footnotes
[1] Martin Doyle, “Is your Data ready for GDPR?” Datafloq, 11 September 2017.
[2] Marc Hochstein, “Customer data is a liability,” American Banker, 5 January 2017.
[3] Heidi Shey, “2016 Privacy Lessons Learned And Looking Ahead To 2017,” Forrester, 26 January 2017.
[4] Javvad Malik, “A 9-step guide to prepare for GDPR compliance,” Information Management, 21 September 2017.