In an industry steeped in buzzwords, GDPR ticks every box. Acronym? Check. Experts galore? Check. Filling marketing banners at trade shows? Definitely check. Behind the noise, hype, and misunderstanding is a substantial piece of legislation that will change how organizations operating in Europe approach data protection.
Set to come into full effect on May 25, 2018, GDPR marks a significant update on the existing 1995 EU directive (95/46/EC). It also harmonizes data protection across 28 EU member states, replacing the need for national legislation. The headlines are naturally around data breach fines of up to €20 million (or 4 percent of gross annual turnover), as well as mandatory security notifications, new rules around user consent, a clearer definition of what counts as personal data (IP addresses, for example), and greater rights for people to access — or request deletion of — the information companies hold on them.
As such, GDPR transcends IT and spreads into areas like sales and marketing, but this complex legislation carries numerous misconceptions. For example, it’s often believed consent must always be explicit, that the 4 percent fine is for all data breaches (it isn’t), and that it’s mandatory to appoint a data protection officer (the DPO role is largely reserved for those processing “special categories of data”). The ambiguity over data processors and controllers — not aided by the controversial Google Spain court case of 2015 — has also caused headaches, especially around data stored in the cloud.
This confusion has had consequences: A recent study from WatchGuard revealed that one in three global organizations weren’t sure if they needed to comply with GDPR, while similar studies have indicated that numerous U.S. firms think the regulation wouldn’t affect them (it does if processing EU personal data). At a conference in July, one speaker revealed that four FTSE 100 companies had yet to start moving toward GDPR compliance — a sign perhaps that fear is stopping progress.
A common reality, though, is that GDPR isn’t really far removed from existing data protection regulations — it’s just that organizations weren’t especially well prepared for those either. “The big shock everyone has with GDPR is that they weren't operating in compliance with current data protection legislation,” says Christian Toon, CISO at legal firm Pinsent Masons. “A lot of businesses are now holding back full implementation for compliance because it's hard to determine what compliance looks like, and are putting faith that a clear plan of action will be enough to deter the regulator.”
Jon Baines, DPO at Network Rail, agrees that GDPR isn’t such a departure from the past. “GDPR marks an evolution in data protection law, not a revolution,” he says. “Most of the core principles around fairness, transparency, purpose-limitation, data-minimization, and security are largely unchanged from those in the 1995 Directive.”
Yet Baines notes that GDPR does introduce some pivotal changes to “enable people better to control their personal data” while “introducing modernized and unified rules across the EU to enable a digital single market. So, data subjects are given rights to make it easier to access their own data, a right to data portability (to transfer their data between service providers), a clearer ‘right to be forgotten’ (meaning that data must be deleted on request if there are no legitimate grounds for retaining it), plus a right to be informed if your personal data have been subject to a serious breach.”
“Businesses are now subject to general rules which apply across the EU consistently, and which require the adoption of a risk-based approach to the processing of personal data,” Baines adds. “Rules on accountability and transparency are strengthened, and they will have to embrace concepts such as ‘data protection by design and default.’ They will also face the potential of significantly increased fines for serious contraventions of the data protection law.”
GDPR readiness: Where businesses are today
So where are businesses today with the GDPR? At the RANT conference in London, a straw poll of CISOs and privacy experts revealed that almost all in the room didn’t classify themselves as ready, but Baines says it depends on what ‘prepared’ really looks like. The regulation, after all, stipulates companies must provide a “reasonable” level of protection. “If we mean ‘in a position broadly to be able to comply with people's rights under GDPR and in a position to resist regulatory and legal challenges,’ the number is going to be much higher [than reported].”
Some, though, are well on the way to compliance, with Toon saying Pinsent is tackling the regulation “head on.” “Like many, we've taken a risk-based approach for the implementation of controls; we're identifying where our data is, how it's protected, and ensuring our supply chain has agreed to new terms.”
Elsewhere, Gilbert Verdian, CISO at payments company Vocalink, reveals how his company has approached the EU regulations, even if he admits that the firm’s personally identifiable information (PII) is limited to staff info in HR systems. “We established a cross-departmental team to understand the scope of the new legislation, assess the processes and controls we have in place, and identify any gaps we had, before then addressing them. We then implemented a mechanism to automate the identification and searching of data stores across our systems and tied it to data classification technology that tags data based on its confidentiality. This is linked to data loss prevention controls that only allow certain data types to travel between networks.”
Verdian says Vocalink jointly developed the firm’s strategy for GDPR among the legal, operations, and security teams, analyzing their environment against the EU regulations and drawing up a roadmap to quickly address any gaps.
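The three-stage mechanism Verdian describes (automated discovery of personal data across stores, classification tagging by confidentiality, and DLP rules that gate what may move between network zones) is sketched below as an added illustration. This is not Vocalink's tooling or any product's API: the sample stores, the detectors (email addresses and IP addresses, both of which the article notes count as personal data under GDPR), the `special_category` keyword list, the tag names and the per-zone `INGRESS_CEILING` policy are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample "data stores": a name and a list of text records each.
# Invented for this illustration; not real systems, people or addresses.
SAMPLE_STORES = {
    "hr-db": [
        "employee=Jane Doe; email=jane.doe@example.com; payroll_id=4411",
        "employee=Sam Roe; email=sam.roe@example.com; health_note=allergy to penicillin",
    ],
    "web-logs": [
        '203.0.113.5 - - [10/Oct/2017:13:55:36 +0000] "GET /index.html HTTP/1.1" 200',
        '198.51.100.7 - - [10/Oct/2017:13:55:40 +0000] "GET /about HTTP/1.1" 200',
    ],
    "build-cache": [
        "artifact=app-1.2.3.tar.gz sha256=deadbeef",
    ],
}

# Stage 1: discovery. Simple detectors for two kinds of personal data plus a
# hypothetical keyword list hinting at GDPR Art. 9 "special category" data.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SPECIAL_CATEGORY_KEYWORDS = ("health_note", "medical", "religion", "ethnicity")

# Stage 2: classification. Ordered tags; higher rank means more sensitive.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Stage 3: DLP policy. The most sensitive tag each destination zone may receive
# (hypothetical zones and ceilings).
INGRESS_CEILING = {"hr-segment": "restricted", "corp": "confidential", "dmz": "public"}


def find_pii(record):
    """Return the set of personal-data indicators found in one text record."""
    found = set()
    if EMAIL_RE.search(record):
        found.add("email")
    for candidate in IPV4_RE.findall(record):
        try:
            ipaddress.IPv4Address(candidate)  # rejects look-alikes such as 999.1.1.1
            found.add("ip_address")
        except ValueError:
            pass
    if any(k in record.lower() for k in SPECIAL_CATEGORY_KEYWORDS):
        found.add("special_category")
    return found


def classify(indicators):
    """Map the indicators found in a record to a confidentiality tag."""
    if "special_category" in indicators:
        return "restricted"
    if indicators & {"email", "ip_address"}:
        return "confidential"
    return "public"


def scan_stores(stores):
    """Tag every record in every store and roll up the highest tag per store."""
    inventory = {}
    for name, records in stores.items():
        tags = [classify(find_pii(r)) for r in records]
        highest = max(tags, key=CLASSIFICATION_RANK.__getitem__, default="public")
        inventory[name] = {"records": len(records), "tags": tags, "classification": highest}
    return inventory


def transfer_allowed(classification, from_zone, to_zone):
    """DLP decision: data may move only into a zone cleared for its tag."""
    if from_zone == to_zone:
        return True
    ceiling = INGRESS_CEILING.get(to_zone, "public")  # unknown zones get the lowest ceiling
    return CLASSIFICATION_RANK[classification] <= CLASSIFICATION_RANK[ceiling]


if __name__ == "__main__":
    for store, info in scan_stores(SAMPLE_STORES).items():
        print(f"{store}: {info['records']} records, classified {info['classification']}")
    for cls, src, dst in [("confidential", "corp", "dmz"), ("restricted", "hr-segment", "corp")]:
        verdict = "allow" if transfer_allowed(cls, src, dst) else "block"
        print(f"{cls} {src} -> {dst}: {verdict}")
```

The inventory produced by `scan_stores` doubles as the "work out what personal data you have and where it is" record that the later recommendations call for; the store-level roll-up is deliberately the highest tag found, so a single special-category record marks the whole store as restricted.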
Other organizations have approached the regulation proactively. In a recent interview with advertising publication The Drum, UK-based Lloyds Banking Group revealed how GDPR had enabled it to look at digital marketing in a new way — putting the customer at the center — while the CIO of telco O2 spoke of how GDPR was an “opportunity to get our customers’ trust.” In a more drastic measure, UK pub chain Wetherspoon deleted its entire customer email database, reportedly in a bid to adhere to the new EU regulation.
For all the fearmongering, GDPR can bring some positives to business, such as improved data management and customer loyalty. “Better information management is one clear benefit, but the principle of privacy by design can deliver products and services that, cannily marketed, could be very commercially successful,” says Baines.
The reality, though, is that such organizations are not the norm. Most are falling behind, only now appointing DPOs and steering committees, and fighting for boardroom buy-in. Others are progressing slowly with information audits and generally developing company-wide awareness. At RANT, Ticketmaster’s head of information security Nick Green called for firms to appoint “GDPR warriors,” but many still don’t know who these people should be.
Perhaps the fear is getting in the way, and in particular concerns around the data breach fines and “the right to be forgotten,” which has already been a logistical nightmare for behemoths like Google. Both Toon and Verdian say that companies should not worry too much about the fines, especially as most data protection authorities — like the ICO — rarely have the resources or inclination to hand out mega fines. “We have seldom seen the full extent of the penalty,” says Verdian.
“What companies should be concerned about is the power to impose other penalties beyond fines on the organization. Such things as contacting every single customer over the last few years to notify them, or remedying each victim individually by imposing additional requirements or controls (for example, providing credit scoring monitoring for every single customer).”
There’s the risk of additional penalties if you don’t meet any of these within the timeline given. “Such penalties can cause a huge administrative burden and even cost the organization more than the fine,” he says, further highlighting that such tasks take staff away from doing duties that drive business performance and innovation.
Toon is similarly unconcerned by the 72-hour mandatory breach notification window, perhaps a surprise given that most organizations have breaches sitting unrecognized in their networks for months at a time. Under GDPR, the "destruction, loss, alteration, unauthorized disclosure of, or access to" people's data must be reported to a country's regulator within that timeframe. “Mandatory notification in 72 hours is clearly achievable. This isn't about a full diagnostic and report into what happened. This is the cursory notification to the regulator that something is afoot. Share what you know; your plan for further investigation and triage along with an anticipated timeline.”
Other experts have chimed in to the same effect. Burberry’s recently departed head of information security, John Meakin, suggested that speaking to the regulator is key for transparency and avoiding costly fines.
How do companies accelerate their GDPR initiatives?
Baines recommends that organizations work closely with the DPO and their teams. If they don’t have a DPO, CISOs and CIOs should be lobbying their board hard to introduce one on the basis that “data protection isn't, and shouldn't be, the sole responsibility of an information security lead.”
Toon recommends organizations get some “validated and authentic” advice, and entrust a person or group of people to manage all aspects of GDPR, from delivering company-wide training to ensuring the supply chain is up to date (contract updates are recommended). At the heart of it, he says, is good data management. “Work out what personal data you have. Where is it? How did you get it? Get rid of it if you don’t need it,” he says, adding that appointing a DPO could be considered good practice.
Verdian agrees that organizations must understand the type of data, its location, and how it is being used. This should then be compared against the regulation’s requirements. “You have to maintain this level of compliance throughout your organization, embedding privacy-compliant thinking into projects and programs, using tools like a privacy impact assessment to understand the risk of each activity.”