GDPR: Why it is time for CIOs to be counted
Much has been written in this publication about the EU’s General Data Protection Regulation (GDPR). According to PwC, CIOs are allocating millions of dollars from their budgets to GDPR. Yet Gartner’s Bart Willemsen says, “97% of companies did not have a definitive strategy as of late last year,” and “23% of companies actually expect to be sanctioned or to take remedial action.” I was not surprised by Bart’s numbers because, in a recent conversation, the Executive Director of the Privacy and Big Data Institute, Dr. Ann Cavoukian, said that “although most organizations expect a grace period after the regulation becomes effective, regulators believe enough time has been made available to comply and enforcement will commence in May 2018.” One CIO I know said recently, “It is unfortunate that many are not studying up on GDPR because the impact of not doing so is so material to their businesses.”
While it is tempting to think the GDPR only matters for risk officers in European companies, this would be a mistake. GDPR demands the attention of multiple corporate functions for any business worldwide that processes EU citizen data. In terms of breadth, the regulation stipulates that EU citizens have the ‘right to be forgotten’. Google has already processed 1.7 million requests to be forgotten and over 760,000 links have been removed because of GDPR – think about the potential cost and havoc this volume of requests could create for traditional industries like banking.
So, what are the impacts of the GDPR?
The regulation gives individuals more rights and control over their personal information and how it is processed. Organizations are required to “implement appropriate technical and organizational measures to ensure security is appropriate to the risk.” GDPR mandates that organizations must know where and how the private data of European citizens is stored and accessed, then prove it is appropriately protected, “by design and by default,” throughout its lifecycle with “the existence of appropriate safeguards.” Organizations are also required to create and certify the enforcement of “Codes of Conduct” for the appropriate use and protection of private data. In the event of data loss, brands that have failed to adequately protect the rights of individuals must provide breach notification; penalties are therefore not only financially steep, at 4% of annual global turnover, but also extremely public.
What is needed to comply?
Complying with the GDPR requires people, process, and technology. Organizations need to establish a team with shared goals and responsibility for achieving GDPR compliance. Chartering this team involves functions from business development, risk and compliance, privacy and information management, the emerging CDO office, and the appointment of a Data Protection Officer (DPO). Success is built upon this team working effectively together and utilizing established best practices such as the Data Governance Institute’s (DGI) Data Governance Framework and Dr. Ann Cavoukian’s principles of Privacy by Design (PbD).
The GDPR mandates the protection of personal data ‘by design and by default’, a right that closely aligns with PbD:
1. Proactive not Reactive
Meeting this mandate means privacy cannot be an afterthought. It needs to be a consideration during all possible uses of information and enterprise policies should govern data at all touch points. Organizations need to focus on privacy protection throughout the data flow, both internally and externally.
2. Privacy as the default
Enterprises need to compartmentalize data access and set privacy protection as a default. They need to ask questions of data owners: What are the consequences if data is exposed? What are the financial liabilities of exposure? What are the reputational impacts? By asking these questions, IT and the business can share responsibility for creating privacy policies and developing appropriate GDPR-compliant safeguards in answer to them.
3. Privacy embedded into design
Organizations must prove that the private data of European citizens is appropriately protected throughout its lifecycle, which means that privacy needs to be a requirement. Privacy protection is most effective and the least disruptive when it is built in rather than bolted on as an afterthought, so organizations need to systematically recognize it as integral during the design phase of all new projects.
4. Full functionality
Full functionality means that all legitimate interests should be accommodated in a “win/win” versus zero-sum manner. Privacy by Design aims to avoid the notion of pitting business ends against each other—e.g. privacy vs. security. It aims to demonstrate that you can use data and protect data at the same time.
5. End-to-end security
Data privacy is bigger than any single project or application alone; it needs to consider the use of information wherever it goes and the emphasis needs to be on the data itself as well as all its touch points. This means knowing where all data exist within an enterprise so it can be thoroughly accounted for and appropriately protected.
6. Visibility and transparency
Visibility and transparency are as essential to consumer trust that personal information is protected from threats and misuse as they are to GDPR compliance. Organizations need privacy policies, based on codes of conduct, that hold business units accountable for information usage and processing.
7. Respect for user privacy
Organizations need to make data privacy and security business priorities that are integrated into enterprise culture and management. Part of this process is establishing explicit data owners and involving them in the implementation of policies that have at their core respect for data subjects and their personal information. This also involves giving data subjects the ability to actively manage their own data by offering consent, accuracy and access.
Achieving the above is impossible on an application-by-application basis in today’s complex, extended IT ecosystems. One CIO put the problem to me this way: “You know those flight maps in the airline magazines? Those are our data flow maps; we have in our environment data flying all over the place.”
The goal of an organization’s people, process and technology should be to enable holistic protection of all personal information within systems, which means determining what data should be protected and enforcing policies to consistently protect it as it flows throughout the enterprise, not just at the application level.
Dealing with the dataflow
Organizations need technology that enables them to achieve what Michelle Dennedy, Cisco’s Chief Privacy Officer and co-author of The Privacy Engineer’s Manifesto calls “data-centric and person-centric” data protection.
GDPR compliance needs to be built upon an all-encompassing discussion about protecting personal information ‘by design and by default’ that results in privacy protection as a corporate value, interwoven with everything the business does. This is a major shift for most organizations, requiring the shared development of data governance, privacy and protection policies within the community served, in combination with technical solutions for their enforcement.
For some, disk encryption may seem like an appropriate answer, but it is a high-risk, all-or-nothing approach – recent breaches have taken advantage of those with privileged access.
Organizations need data protection that enables differentiated rights of access to data, internally and externally, by context. GDPR mandates appropriate safeguards for personal data which “may include encryption or pseudonymization.” Pseudonymization is defined by the International Association of Privacy Professionals (IAPP) as “the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.” Importantly, the IAPP says that pseudonymization may significantly reduce the risks associated with data processing, while also maintaining the data’s utility. For this reason, it says that GDPR creates incentives for controllers to pseudonymize the data that they collect. Although pseudonymous data is not exempt from the regulation altogether, GDPR relaxes several requirements on controllers that use the technique.
Data protection clearly needs to provide granular access control while creating minimal operational and performance impact for it to be fully embraced by business leaders. By governing and protecting data itself and controlling access to it based on the context of a user’s rights, role or need, privacy protection can be automated enterprise wide, regardless of where information flows, is used, or rests.
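The pseudonymization and role-based access described above, as an added example that is not from the original article or any product: direct identifiers are replaced by a keyed token, while the key and the identity map stay in a separate vault that only a permitted role can query. The field names, the `dpo` role and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

DIRECT_IDENTIFIERS = ("name", "email")   # fields that identify a person directly
REIDENTIFY_ROLES = {"dpo"}               # hypothetical role allowed to re-link

# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    {"name": "Anna Muster", "email": "anna@example.com", "country": "DE", "amount": 100},
    {"name": "Jean Dupont", "email": "jean@example.com", "country": "FR", "amount": 70},
    {"name": "Anna Muster", "email": "anna@example.com", "country": "DE", "amount": 50},
]

class IdentityVault:
    """The 'additional information held separately': HMAC key plus token-to-identity map."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._identities = {}

    def pseudonymize(self, record):
        """Return a working copy with direct identifiers replaced by a keyed token."""
        subject = "|".join(str(record[f]).strip().lower() for f in DIRECT_IDENTIFIERS)
        token = hmac.new(self._key, subject.encode(), hashlib.sha256).hexdigest()[:32]
        self._identities[token] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        working["subject_token"] = token
        return working

    def reidentify(self, token, role):
        """Re-link a token to a person; only roles with a need may do so."""
        if role not in REIDENTIFY_ROLES:
            raise PermissionError(f"role {role!r} may not re-identify data subjects")
        return dict(self._identities[token])

def spend_by_subject(rows):
    """Analytics on pseudonymized rows: utility is kept because tokens are stable."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["subject_token"]] += row["amount"]
    return dict(totals)

if __name__ == "__main__":
    vault = IdentityVault()
    rows = [vault.pseudonymize(r) for r in SAMPLE_RECORDS]
    print(rows)
    print(spend_by_subject(rows))
    print(vault.reidentify(rows[0]["subject_token"], role="dpo"))
```

Because the token is an HMAC rather than a plain hash, someone holding only the working rows cannot confirm a guessed email address without the vault's key.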
It is time for CIOs to get serious about protecting data and respond effectively to GDPR – the consequences of noncompliance are too great not to act today, and further delays might even cost CIOs their jobs.