GDPR and the new world order in Information Security
Our world has become increasingly hyperconnected: IoT, big data and the digitalization of everything are creating an almost borderless world. People and things are increasingly connected, collaborating with each other to reveal new insights that can potentially transform business and society. By 2020, it is expected that over 50 billion things will be connected to the internet. While this sounds exciting in terms of its potential to create value, it can also cause great harm if misused. In a 2013 report, the World Economic Forum states that one of the biggest threats facing the world is that of “digital wildfire”, where misinformation spread over the Internet leads to real-world danger. Cyber-attacks were ranked as the sixth most imminent threat, but in its three case studies of major risks, digital wildfire was noted as a big concern.
One of the most noteworthy data breaches of 2017 will perhaps be the one in the second half of the year, in which an attack on Equifax, one of the three major US credit bureaus, reportedly compromised the data of more than 140 million people. A report by the World Economic Forum states that data subjects would have to invest 250 working hours, or 30 working days, each year just reading privacy notices in order to provide informed consent. Balancing privacy rights and national security has become an ongoing concern, coming into prominence when the Department of Justice sought a backdoor for the FBI to bypass iPhone encryption.
In several ways, the European Union is leading the way with a new set of rules and standards for data and privacy protection that harmonizes European data protection laws. This regulation, the GDPR (General Data Protection Regulation), is intended to strike a balance between privacy and security. It goes into effect on May 25, 2018 and has strict norms on non-compliance that could turn out to be very expensive for enterprises: GDPR violations can result in fines of 4 percent of annual turnover (revenue) or 20 million Euro, whichever is greater. Its provisions apply to all enterprises that do business in the EU, offer goods and services to EU citizens, or process EU citizen data. The new regulation significantly strengthens the privacy rights of EU citizens regarding the transfer of personal information and lays out strict norms for the privacy principles of access, consent, enforcement, security, integrity, accountability and notice for onward transfer of information. Another GDPR requirement is that public organizations and certain types of private enterprises must appoint data protection officers, who monitor compliance and advise the controllers and processors. The old escape of “Safe Harbour” is no longer going to work. GDPR has entrenched privacy by design, requiring “appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” With IoT, this equation only gets more complicated, given that the variety of information collected could infringe on privacy and could make GDPR compliance that much more difficult.
The old approaches to information governance policies and practices are therefore not going to work in this new world order. Enterprises need to accurately align security policies with information governance. Enterprises must first put together a plan and a roadmap to make the enterprise GDPR compliant. This includes creating a team to tackle GDPR as well as taking care of the things that enterprises are accountable for: privacy, consent that must be explicit, pseudonymisation (such as encryption), the right to erasure and data portability. Amongst the various steps that enterprises need to take to meet GDPR compliance, the following are the first few things that are imperative:
- Initial Analysis: The first thing enterprises will need to do is start with an analysis phase in which they identify what structured and unstructured content and data they really have, where it is, in what format, which of it is electronic and which is physical, and so on. Close to 80% of any enterprise's data is typically unstructured. Such content includes Microsoft Office files, images, text, web pages and physical documents that are piling up rapidly. Most such content will fall under GDPR jurisdiction. The other part of the discovery is to have a full understanding of what infrastructure and IT assets exist and how the current architecture is put in place to support the management of enterprise information. The analysis phase must also include a clear and unambiguous understanding of what kind of personally identifiable information is collected, how it is used by the enterprise, which documents capture it, and how it is provided to the customer.
- Information Policies and Governance Procedures: This requires a thorough review of the existing policies and procedures and setting a higher bar to tighten them based on everything that is required to protect the confidentiality, integrity and availability of personal information. Retention policies must be reviewed to suit regulatory requirements and applied to the specific content.
- Information Technology to lock down the security of data: Enterprises will need foolproof technologies that control access to content within workflows and protect what is scanned, routed, printed or disseminated to internal and external stakeholders. Classification of content should be automated and rules-based: the system should be able to classify information and apply compliance policies to it, and to automatically read, tag, find and analyze documents without relying on people. There should be very strong controls around information management systems to ensure no compromise on compliance. Enterprises must also identify the right technologies to find any place or document that contains personally identifiable information and provide that to the customer if required. Information should be tamper-proof and records management policies must be properly enforced on these documents.
- Change Management: Change management requires a continuous investment of time and effort to ensure compliance. Enterprises must invest in training so that policies, procedures and operating guidelines are known to everyone in the company. There must be immense executive commitment to make this change happen. Regular audits, monitoring and reporting ensure that there are no surprises at any time. Above all, there must be employee discipline to make this change happen.
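The discovery work of the Initial Analysis step and the automated, rules-based classification called for in the Information Technology step can be sketched in code. The following is an added example, not code from the article: a small rules-based scanner that tags constructed sample documents (a support ticket, a spreadsheet export and a press release, all invented here) for e-mail addresses, phone numbers and payment-card numbers, validates each candidate (Luhn checksum for cards, E.164 digit count for phones) to cut false positives, masks what it reports, assigns a classification to each document, and answers the subject-access question of which documents mention a given person. The names `scan_document`, `classify_corpus` and `documents_mentioning` are this example's own.

```python
import re

# Constructed sample corpus standing in for an enterprise's structured and
# unstructured content (an "unstructured" ticket, a CSV export, a public page).
SAMPLE_DOCUMENTS = {
    "support-ticket-4411.txt": (
        "Customer Jane Doe (Jane.Doe@example.com) called from +44 20 7946 0958 "
        "about her order."
    ),
    "refunds-export.csv": (
        "id,email,card\n"
        "17,bob@example.org,4111 1111 1111 1111\n"
        "18,carol@example.net,4111 1111 1111 1112\n"
    ),
    "press-release.html": "<p>Acme Corp opens a new office in Dublin.</p>",
}

# Detection rules in priority order: a payment-card number would also satisfy
# the looser phone pattern, so card matches are accepted first and any later
# match overlapping an accepted span is dropped.
PII_RULES = [
    ("card", re.compile(r"(?:\d[ -]?){13,16}")),
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("phone", re.compile(r"\+?\d[\d .()-]{7,}\d")),
]


def luhn_ok(digits):
    """Luhn checksum; rejects arbitrary 13-16 digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate(kind, text):
    """Second-stage check so a regex hit alone does not count as a finding."""
    digits = re.sub(r"\D", "", text)
    if kind == "card":
        return luhn_ok(digits)
    if kind == "phone":
        return 8 <= len(digits) <= 15  # E.164 numbers have at most 15 digits
    return True


def mask(kind, text):
    """Never write the raw identifier into the classification report."""
    if kind == "email":
        local, _, domain = text.partition("@")
        return local[0] + "***@" + domain
    digits = re.sub(r"\D", "", text)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_document(text):
    """Return validated, non-overlapping PII findings for one document."""
    findings, taken = [], []
    for kind, pattern in PII_RULES:
        for m in pattern.finditer(text):
            if any(m.start() < end and m.end() > start for start, end in taken):
                continue  # already claimed by a higher-priority rule
            if not validate(kind, m.group()):
                continue
            taken.append((m.start(), m.end()))
            findings.append({"kind": kind, "masked": mask(kind, m.group()),
                             "span": (m.start(), m.end())})
    return findings


def classify(text):
    """Rules-based label that a retention or access policy can key on."""
    kinds = {f["kind"] for f in scan_document(text)}
    if "card" in kinds:
        return "restricted"
    return "personal" if kinds else "public"


def classify_corpus(docs):
    return {name: classify(text) for name, text in docs.items()}


def documents_mentioning(docs, email):
    """Subject-access support: which documents hold this person's e-mail address."""
    needle = email.strip().lower()
    return sorted(name for name, text in docs.items() if needle in text.lower())


if __name__ == "__main__":
    for name, label in classify_corpus(SAMPLE_DOCUMENTS).items():
        print(name, label, scan_document(SAMPLE_DOCUMENTS[name]))
    print(documents_mentioning(SAMPLE_DOCUMENTS, "jane.doe@example.com"))
```

The second row of the CSV shows why validation matters: its 16-digit value fails the Luhn check and has too many digits to be a phone number, so it is reported as neither. A production classifier would add further rule sets (national identifiers, names via entity recognition, OCR for scanned paper), but the shape stays the same: pattern, validation, masking, label.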
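The obligations listed earlier in the roadmap, pseudonymisation, the right to erasure and data portability, can be exercised against a small data store. This is an added example, not from the article: it uses an HMAC-SHA256 keyed hash as the pseudonymisation technique, alongside the encryption the article mentions as one option, so that the working dataset holds only pseudonyms while the secret key and the pseudonym-to-identity vault are the separately held "additional information" that Art. 4(5) GDPR requires. `PseudonymisingStore`, its methods, the record shapes and the test key are all assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets


class PseudonymisingStore:
    """Constructed example of keyed-hash pseudonymisation.

    The working dataset (_records) is keyed only by pseudonyms. The HMAC key
    and the pseudonym-to-identity vault are the 'additional information' that
    must be kept separately under its own technical and organisational
    controls; in practice the key lives in a KMS/HSM and the vault in a
    restricted table, not in the same object as here.
    """

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)   # secret; never stored with the records
        self._vault = {}      # pseudonym -> direct identifier (restricted access)
        self._records = {}    # pseudonym -> list of records (the working dataset)

    @staticmethod
    def _normalise(email):
        # Canonical form so "Alice@Example.com" and "alice@example.com" link to one subject
        return email.strip().lower()

    def pseudonymise(self, email):
        """Deterministic, so the same person links across datasets, yet not
        reversible without the key (a plain SHA-256 of an e-mail address would
        be trivially reversible by guessing)."""
        mac = hmac.new(self._key, self._normalise(email).encode(), hashlib.sha256)
        return mac.hexdigest()[:24]

    def store(self, email, record):
        p = self.pseudonymise(email)
        self._vault.setdefault(p, self._normalise(email))
        self._records.setdefault(p, []).append(record)
        return p

    def reidentify(self, pseudonym):
        """Authorised lookup only; returns None once the subject has been erased."""
        return self._vault.get(pseudonym)

    def export(self, email):
        """Data portability (Art. 20): the subject's records in a machine-readable form."""
        p = self.pseudonymise(email)
        payload = {"subject": self._normalise(email), "records": self._records.get(p, [])}
        return json.dumps(payload, sort_keys=True)

    def erase(self, email):
        """Right to erasure (Art. 17): drop the records and the re-identification link.
        Returns the number of records removed."""
        p = self.pseudonymise(email)
        self._vault.pop(p, None)
        return len(self._records.pop(p, []))

    def dataset_mentions(self, needle):
        """Control check: a direct identifier must never appear in the working dataset."""
        return needle.lower() in json.dumps(self._records).lower()


if __name__ == "__main__":
    store = PseudonymisingStore()
    p = store.store("Alice@Example.com", {"order": 1, "amount": 42})
    print("pseudonym:", p, "| leaked identifier:", store.dataset_mentions("alice@example.com"))
    print("export:", store.export("alice@example.com"))
    print("erased records:", store.erase("alice@example.com"), "| reidentify:", store.reidentify(p))
```

Erasure here removes both the subject's records and the vault entry; anything that was derived from the records and kept only under the pseudonym (aggregate statistics, for example) can no longer be tied back to the person, which is the practical payoff of keeping the vault separate from the dataset.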
GDPR is not merely about legal, compliance, technology or strategies to manage information assets. While all of these are important, it goes far deeper, involving commitment from the line of business to take charge and understand its implications in their day-to-day operations. It needs immense support and commitment from people to get compliance going on this front. As Vincent Lombardi said, “Individual commitment to a group effort — that is what makes a team work, a company work, a society work, a civilization work.” GDPR is in fact the movement enterprises make from compliance to commitment: commitment to the way employees conduct business in a safe and well-informed way.