The GDPR Evolution: A Letter to the CISO
The long-term impact of the General Data Protection Regulation (GDPR) is on the minds of key technology leaders around the world — from Singapore to Ireland to my current home of Austin, Texas to everywhere in between. You can see this manifest in major tech publications like SecurityIntelligence (and, perhaps, in the day-to-day interactions occurring within your organization).
For me, these sentiments were echoed during a several-week, multi-continent business trip I took to visit with clients and partners in Europe and Asia. Nearly every leader we sat down with asked us how they should be shepherding their teams through the enforcement of this transformative regulation and who should lead this effort between the security and privacy teams.
This state of confusion is not surprising, especially given the hype surrounding GDPR. A recent IBM Institute for Business Value (IBV) survey found that 44 percent of executives responsible for GDPR compliance worried the regulation would be replaced or modified sometime in the near future. That perception undoubtedly muddies the waters and shapes how cautiously (or how little) they invest in compliance.
Even with enforcement live, it’s still somewhat unclear what GDPR compliance truly means for organizations worldwide; how it will impact people, process and technology; and (even more importantly) how it will affect relationships with customers.
But one thing is abundantly clear: GDPR is here to stay.
Who Is Responsible for GDPR Compliance?
Let’s take a step back for a moment to reflect on where we started. GDPR originated as a means to help infuse a higher standard of privacy into global business practices and give data subjects in the European Union (EU) more control over their personal information — a sovereignty that was eroded somewhat by the digital data explosion of the past decade. Its territorial scope is tied to individuals in the EU and to organizations established there, but it reaches any company, anywhere in the world, that offers goods or services to those individuals or monitors their behavior. It also signals a shift in how we think about privacy everywhere.
This redistribution of control in favor of consumers is a good thing. As security professionals, this supports our highest calling, which is to protect personal data in the face of cyber uncertainty. Ensuring data privacy is a core component of this mission — and the spirit of GDPR supports this goal. Some organizations recognize the importance of data privacy. In fact, 59 percent of respondents to the IBV study said they see GDPR as an occasion for transformation. Still, challenges remain.
Some of the pain originates from the fact that ownership of GDPR compliance initiatives shifted between 2016 (when the regulation was adopted) and May 25, 2018 (when it became enforceable). Originally, legal teams bore the core responsibility for validating the internal processes and controls that would drive the progression toward supporting GDPR requirements. This has morphed into a discussion led by chief information officers (CIOs) and chief information security officers (CISOs) about the implementation of technical controls, the creation of special teams, the appointment of chief data officers (CDOs) (and, where Article 37 of the regulation requires one, a data protection officer) and the reshaping of organizational privacy processes to support the stringent requirements, such as a customer’s right to erasure.
Today, the responsibility is shared among technical teams, as well as CIOs and CISOs, who serve as the establishers, enablers and enforcers of a comprehensive GDPR program backed by robust technical controls. This accountability will likely remain for the foreseeable future — no pressure, though.
Collaboration is a key component of GDPR success, but the transition of responsibilities between teams is a challenge. I saw this in practice when visiting Singapore several weeks ago when leaders repeatedly asked where to begin so they could be ready to answer GDPR audit inquiries, which they expect to receive very soon.
Yes, the structures were in place from the legal side to support GDPR readiness, but now it’s game time. Despite years of effort to prepare for this moment, many technology leaders are still left scratching their heads, unsure of what comes next.
What Solutions Should CISOs Invest in to Get on Track?
According to the IBV study, the number one struggle among the surveyed group was performing data discovery and ensuring data accuracy, which is a principal task of GDPR preparation (and the first step for many). This issue illustrates the complex nature of operationalizing all the plans that have been made to get us to (and, hopefully, past) this point.
This is where technology solutions and services can provide support. Unfortunately, although many vendors might want you to believe otherwise, there’s no silver bullet for establishing GDPR readiness or enforcing the new requirements across your organization. This behemoth of a compliance regulation requires a programmatic approach, and it can often be difficult to see the forest for the trees.
My suggestion: Remember that you don’t have to reinvent the wheel.
There are countless industry frameworks — including IBM’s own GDPR framework, a continuous loop outlining five key phases for readiness — that can serve as your guide. The fact that these guidelines are based on the experiences of others can provide some peace of mind.
It’s also a great idea to leverage a trusted partner or adviser to guide you throughout your readiness and enforcement processes. Rather than going it alone, lean on the organizations that already have deep expertise in the privacy space and can use that insight to help your company avoid missteps as you implement processes and select technologies.
Finally, when it comes to implementing the requisite technology controls, I would advise you to think about the regulation and follow a risk-based approach to conducting business with consumers. Consider the data you’re being asked to protect and how it relates to your customers: What personal or sensitive information does your organization hold? Where does it live? Who can reach it, and is it actually exposed to compromise? Have you taken the necessary steps to put privacy and security protections into place?
As a first step toward gaining this understanding, you should investigate solutions that help identify and remediate risk, such as Guardium Analyzer, which can help you find and classify GDPR-relevant data, irrespective of where it resides (whether on-premises or in the cloud); identify vulnerabilities associated with that data; and, ultimately, prioritize existing risks and take action to remediate them.
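To make the discovery and prioritization step concrete, here is a small, added example (not code from this article, not IBM’s, and not how Guardium Analyzer works) that scans a set of constructed sample data stores for personal data, validates candidate IBANs with the mod-97 check so that look-alike strings in build logs are not counted, flags special-category terms, and ranks each store by a simple priority score. The store contents, the exposure labels and the weights are all illustrative assumptions.

```python
"""Toy personal-data discovery and risk ranking (added example, illustrative only)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample data stores (not real data): name -> (contents, exposure).
SAMPLE_STORES = {
    "crm-export.csv": (
        "id,name,email\n1,Ana Costa,ana.costa@example.com\n2,Jon Ek,jon.ek@example.org\n",
        "internal",
    ),
    "payroll-backup.txt": (
        "Ana Costa IBAN GB82WEST12345698765432 sick leave: diabetes\n",
        "world-readable",
    ),
    # Looks like an IBAN but fails the mod-97 checksum: should NOT be counted.
    "build-log.txt": ("ref GB82WEST12345698765433 built at 12:00\n", "internal"),
}

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}
# Illustrative terms hinting at Article 9 special-category data.
SPECIAL_CATEGORY_TERMS = ("diabetes", "diagnosis", "medical record", "religion", "ethnicity")

# Assumed weights: how sensitive each category is, and how exposed each store is.
WEIGHTS = {"email": 1, "iban": 3, "special_category": 5}
EXPOSURE_MULTIPLIER = {"internal": 1, "world-readable": 3}


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check: move the first four chars to the end, map A-Z to 10-35."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def scan_text(text: str) -> dict[str, int]:
    """Return a count per personal-data category found in the text (zero counts omitted)."""
    found: dict[str, int] = {}
    emails = PATTERNS["email"].findall(text)
    if emails:
        found["email"] = len(emails)
    ibans = [m for m in PATTERNS["iban"].findall(text) if iban_is_valid(m)]
    if ibans:
        found["iban"] = len(ibans)
    lower = text.lower()
    special = sum(lower.count(term) for term in SPECIAL_CATEGORY_TERMS)
    if special:
        found["special_category"] = special
    return found


@dataclass
class StoreReport:
    store: str
    exposure: str
    findings: dict[str, int]
    priority: int


def inventory(stores: dict[str, tuple[str, str]]) -> list[StoreReport]:
    """Scan every store and rank them, most urgent first."""
    reports = []
    for name, (text, exposure) in stores.items():
        findings = scan_text(text)
        raw = sum(WEIGHTS[cat] * n for cat, n in findings.items())
        priority = raw * EXPOSURE_MULTIPLIER[exposure]
        reports.append(StoreReport(name, exposure, findings, priority))
    return sorted(reports, key=lambda r: r.priority, reverse=True)


if __name__ == "__main__":
    for r in inventory(SAMPLE_STORES):
        print(f"{r.priority:>3}  {r.store:<20} {r.exposure:<15} {r.findings}")
```

The point of the checksum and keyword steps is that a discovery pass only earns trust if its false positives are low enough for the security and privacy teams to act on the ranking; a world-readable backup that holds a bank account and a health detail should surface above a CRM export of work e-mail addresses, and a build log with a mistyped IBAN-shaped token should not appear at all.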
The Secret to GDPR Compliance Is Collaboration
During my last customer visit on the trip, a CISO expressed confidence that her organization would be able to legally respond to GDPR demands. But she’s now staffing a joint technology team with members from the privacy and security teams to assess and validate vulnerabilities without exposing the personally identifiable data that is spread across multiple geographies and data center environments, both on-premises and in the cloud.
As you continue on your GDPR journey, don’t forget the importance of collaboration in making compliance happen — across teams, with business partners and even with your customers — so that you can best support the positive aims of GDPR today and in the future.
DISCLAIMER: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.