Since the EU’s General Data Protection Regulation came into force in May 2018, we’ve already seen one major breach reported and there have been many smaller incidents around data privacy. Indeed, many companies still have to complete their GDPR preparations.
Surveys and research point to many organisations not being compliant ahead of the deadline – Deloitte found that only 15 per cent of organisations would be fully prepared ahead of the 25th of May, with 62 per cent having put steps in place around the most important compliance needs and agreed their approach to the remaining requirements. Neustar research into the charitable sector found that only 31 per cent of organisations thought they would be ready – despite this sector being one of the areas holding the most sensitive personal data records. A month past the deadline, there are still many companies that have not completed their compliance requirements.
However, part of the problem here is that GDPR is not a single goal to meet. Instead, GDPR should be viewed as a set of ongoing requirements across the organisation when it comes to handling, managing and storing data.
Compliance – long-term roadmaps and short-term proof
Most organisations will have already carried out some forms of audit to help them prepare for GDPR. These would include assessments designed to identify key areas where operational changes will be required around data handling, through to more detailed analysis of the data processes that currently exist across the organisation.
This data inventory and mapping should have helped to identify, locate, classify and map the flow of GDPR-protected data across an organisation, from simple tasks like a report being shared through to large scale use of data for personalisation, marketing and recommendation services. At the same time, these initial efforts should have provided an accountability and responsibility assessment that could be used to demonstrate who was in charge of all these processes.
However, organisations don’t stay the same over time. New processes, new projects, changes in staffing and corporate developments can all mean that those reports become less accurate – and therefore less valuable – over time. Periodic reviews of those assessments for accuracy should therefore be planned at regular intervals, and those intervals should be documented as part of a wider data protection and privacy plan.
These overall compliance management documents should have provided you with a roadmap around customer data privacy and how this will be maintained into the future. However, there is another set of reports that you should be running on a more regular basis. These reports deliver insight into what is taking place, as well as providing evidence that rules and procedures are actually being followed.
These reports should focus on three areas: the operational measures that organisations should have in place; third party supplier management for companies that are entrusted with any personal data; and the data incident and notification process.
Regular checking ensures policies stick
The first area for regular reporting is to assess your operational frameworks for how data is being handled every day. This should go into the organisational and technical measures that are in place to protect EU residents’ personal data against loss, unauthorised access or disclosure.
This is the reporting requirement that is most focused on your IT security and data protection implementation and the processes that you have in place to manage how these assets are used over time. By looking at your existing IT assets and how secure they are, you can minimise the risk of any data loss, whether it is due to an individual laptop getting compromised or a wider attack on applications and infrastructure that host critical personal data. For many organisations, this will be a chance to ensure that all their IT assets are included in the inventory and that there are none missing.
This initial inventory of devices, software and other IT assets will evolve over time. Software installs will be updated, new devices will be added to the network, and older machines will be retired. However, all these assets may either hold or access personal data, so they all have to be kept up to date. By continuously tracking any changes in the IT inventory, you can make compliance around data privacy assessments easier.
The second area for regular compliance reporting is tracking your third party suppliers and their handling of the data you pass over to them. Many companies today rely on third party providers to work with their data; these suppliers have to be held to the same security and privacy standards as any internal team. While your suppliers are responsible for their own security, that does not mean that your own responsibilities lapse when any data is handed to them. In fact, any loss by a third party supplier of personal data that your company collected would equally be your responsibility.
Managing this requires a new approach to third party vendor assessment, covering how any supplier manages its security, policies and procedures around sensitive data. Auditing your suppliers on a regular basis is therefore a necessary investment.
All organisations should evaluate their contracts with suppliers and how those contracts put official standards in place around data security. Looking at these contracts can provide a good opportunity to ensure that any supplier you are working with is already taking security and privacy seriously, and that they have the same standards in place as you expect. If they don’t have the right steps in place, then they can either let you know how they have filled those gaps or invest to do so.
By discussing the contract side, you will have some leverage to ensure that your requirements are being followed over time. If suppliers don’t take security seriously, then the relationship between the companies can be ended and another supplier used instead.
Alongside this legal and commercial discussion, it’s important to check that the steps are being followed in practice. Auditing third party suppliers and managing questionnaires on security processes can help you verify that all your requirements around security are being followed.
In the past, this would have been a manual process involving forms being completed and tracked over time. This can be a difficult area to manage, as it relies on suppliers carrying out their tests and providing the right information back to you. The development of GDPR means that more companies now have to carry out these kinds of audits, which has led to more technology services and automation of the processes involved. These services simplify auditing regularly at scale, while checking that all the required processes are being followed.
Planning ahead for success and failure
Alongside these regular procedures, it’s also important to prepare your response to a breach. With so many hacking attempts and human errors taking place every day, even the best prepared organisations will run the risk of an incident in the future. Preparing for this can help you be ready ahead of time.
Putting together a data incident and breach notification assessment will help to ensure that you understand and can follow the local interpretation of GDPR’s data breach notification and communication requirements. This will vary between locations in Europe – in the UK, there is a 72-hour period for investigation before the Information Commissioner’s Office (ICO) has to be notified and affected individuals have to be contacted. In the Netherlands, notification has to be immediate, while other countries have 48-hour periods in place.
However long you have, it’s essential that you have a process in place for managing the investigation into the data breach and the communication to stakeholders both internally and externally. By understanding the scope of a data breach – from a simple website misconfiguration through to a full-scale database compromise – you can ensure that everyone is kept up to date in a timely fashion.
In the UK, the ICO has already stated that the deterrents and fines within GDPR are unlikely to be used for the majority of issues. As long as companies are proactive in their approaches to mistakes and able to demonstrate how they are actively trying to improve in their management of personal data, it’s unlikely that fines will be imposed. Instead, the ICO is encouraging more best practice and preparation around data management and compliance.
If you are responsible for GDPR and compliance in your organisation, then you face an ongoing challenge to ensure that rules are being followed and that policies remain as accurate and adequate as when they were created. Putting effective reporting together – reporting that automates the information gathering process and makes it simple to report that data back to stakeholders – helps you demonstrate compliance today, and how you intend to remain compliant for the foreseeable future. Using security questionnaires and automated services, you can even keep control over third party providers.
Darron Gibbard, Managing Director EMEA North, Qualys