There’s much talk about the General Data Protection Regulation (GDPR) taking effect on May 25 and its impact on US companies with European operations. As more and more information has been collected electronically over the years, it’s become necessary to mandate that companies better protect this information from being breached. With this mandate, the days of freely collecting and storing personal information are gone. Every company’s journey to GDPR is unique, but we can learn from each other. As a CISO who has been actively involved in AlienVault’s journey, I’m sharing my perspective on how to approach GDPR and what I see happening after the regulation becomes enforceable.
While some companies may be done with their GDPR journeys, others may not be. According to a recent study, 60 percent of US companies weren’t ready for the new regulation to take effect. I get it. With 99 Articles to absorb, it takes time to understand what GDPR means, develop a plan, and put processes in place to ensure compliance.
If you’re among the majority of companies that haven’t fully complied yet, don’t panic. After May 25, if you show regulators good faith and keep moving your company’s processes forward to improve your data protection posture, you may avoid a fine. Here’s how sanctions will work:

Image source: https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-role-edpb_en.pdf
As I look ahead to this summer, I expect individuals, or “Data Subjects,” to invoke the “Right to be Forgotten” under GDPR with various companies. Companies must act on those requests, or individuals can file a complaint with the Supervisory Authority, or “complaints officer.”
I also foresee class action lawsuits, likely against the bigger social media companies. However, every company should prepare for “Right to be Forgotten” requests, which could present operational and compliance issues. Individuals will want proof their data has been deleted. Determining how this will work takes time.
Finally, I believe the EU will produce “clarifying” information to the Articles, which will be much appreciated!
For additional guidance on GDPR, these webcasts may be helpful: