The European General Data Protection Regulation (GDPR) will come into effect in about one year. Some companies might already be in good shape for this, while others will need to initiate a complete overhaul of how they collect, store, use, and secure personal data.
But security experts say there’s one important question companies should be asking themselves before they do anything else: is personal data at the very core of your business?
Being “data driven” is a hot topic for many companies today, so there’s a good chance that businesses either can’t or don’t want to get along without personal data. And even if your organization can live without that data, this could change in the future, so companies need to assess their current and future needs before they answer.
It’s possible that companies that don’t want or need personal data can stop collecting, storing, and analyzing it themselves. That would make compliance much easier to manage.
F-Secure experts say that we might see “GDPR compliance providers” – companies that specialize in managing personal data using GDPR compliant procedures – established to help organizations process personal data in the future. Such a development would be similar to how many companies offering ecommerce services now comply with PCI DSS standards by outsourcing payment processing to specialized providers.
But there aren’t any companies marketing specialized GDPR compliance services at the moment, meaning most organizations using personal data will need to make preparations on their own. And under the GDPR, liability still lies with the organization using that data (although the monetary risks could potentially be contractually transferred to a third party).
While this may sound like an unwanted burden, F-Secure Risk Management Consultant Laura Noukka says there’s a real opportunity here, one that much of the “doom-and-gloom” reporting on the GDPR has missed, for companies that see themselves as driven by personal data.
“Companies need to start preparing for the regulation,” says Noukka. “The good news is that getting good at handling personal data now will help businesses leverage these capabilities in the future to drive growth. But they need to get it right, which means they need to make some upfront investments in improving how they collect and store personal data, as well as how they protect that data.”
So while the GDPR has widely been portrayed as a combination of costs and punitive measures, Noukka and others say that it provides good guidance on how businesses can manage personal data in a secure, responsible fashion.
GDPR Compliance isn’t a Risk – It’s an Approach to Risk Management
A lot has been written on how the GDPR will penalize companies that are non-compliant. But those penalties, according to Noukka, are only one side of the risk.
“There are two kinds of risks the GDPR addresses: the risk of a data breach, and the risk of abusing people’s privacy. In case of a data breach you have lost control of your data and the risk first materializes in the form of operational costs and damage to your image. The risk of abusing privacy rights, such as data erasure, is more manageable under the terms of the GDPR, as you’ll still be sitting on the data and you have some control of the situation.”
In a blog post published earlier in the year, F-Secure CEO Samu Konttinen, citing Allianz’s 2016 Risk Barometer, said that cyber incidents are the third highest risk for businesses. The GDPR essentially forces companies to invest more in managing those risks. But where should companies start?
“The GDPR is a great starting point to create hardened, secure management processes for personal data. They won’t be foolproof, but they’ll be enough to improve the way companies prepare and react to security incidents. Complying with the GDPR will make companies more resilient against the risks posed by the modern threat landscape,” says Antti Vähä-Sipilä, Principal Consultant at F-Secure.
Compliance, much like cyber security in general, requires a commitment from companies to do more than just buy new security products. Here are a few points companies need to focus on when preparing for the GDPR:
Enterprise Architects will play a key role in successful GDPR projects
Preparing for the GDPR will mean changing the way personal data is handled. Not just in a technical sense, but in how companies handle information as it moves through different processes and different parts of a company. It’s going to require some structural changes. Many departments will need to be involved, including IT and legal. But involving Enterprise Architects as drivers of a GDPR-compliance project, and not just an “informed party”, will help ensure the new processes and structures are reliable, sustainable, and cost effective, as well as compliant with regulations like the GDPR.
Security postures will need to address the privacy needs of individuals
A key goal of the GDPR is to protect personal data – “protect” being a key concept here. The idea of protecting personal data can drive both architectural work (subject access, individuals’ rights, being able to respond to data requests, data minimization) and security work (building things with a small attack surface, detection, response, etc.).
Accomplishing both of these will allow companies to manage the various risks that come with mismanaging personal data, as well as data breaches.
Incident detection and response capabilities will become more important
Many companies invest in protecting their perimeters (for example, by using firewalls and endpoint protection products). But this isn’t enough for the GDPR. In fact, detection and response capabilities, as well as basic network hardening, now play an equally important role in security postures. Being able to detect breaches in your perimeter, and managing the damage attackers can cause, will need to be prioritized in order to comply with the GDPR.
And more importantly, detection and response capabilities are vital for managing security incidents like data breaches. While there are many ways in which a company can be non-compliant with the GDPR, the risk profiles of data breaches and other types of non-compliance (like being slow to respond to subject access requests) are different. Prioritizing security measures that prevent breaches from occurring (which prevents a multitude of problems, including non-compliance) makes sense for companies.
GDPR compliance means being ready for when things go wrong
Enterprise Architects can help provide oversight and ensure agreed-upon processes are being maintained and followed. But a key component of the GDPR is what happens when these processes break down, such as in a data breach. In principle, you should prepare to manage such a crisis in the same way you prepare for other disasters.
Here are a few suggestions for ongoing processes you can implement to make sure you’re ready for when things go wrong.
- Periodic Red Teaming tests that help organizations pinpoint weaknesses in their personal data handling processes and procedures, so they can be fixed before a breach.
- A regular review of the company’s incident response plan. Under the GDPR, companies have 72 hours to report a breach once it’s discovered. Using those 72 hours wisely can help companies mitigate the damages caused by a security incident and get back to business as quickly as possible. That’s why investing in detection capabilities and a comprehensive, updated IR plan is indispensable.
- Crisis management exercises should be a regular occurrence. Tabletop exercises, where a crisis management team is presented with a scenario (such as a data breach) so they can practice their IR plans on a regular basis, are a good example. Exercises like these help the team maintain their preparedness for events that happen irregularly but could potentially cripple a business.
GDPR compliance is an ongoing process, not a one-time fix
Many people discuss GDPR compliance as something you do once and then it’s over. But that’s a mentality that treats the GDPR as an expense rather than an opportunity. And that mindset will undermine the benefits that the GDPR offers.