By now, most have at least heard of something called the EU General Data Protection Regulation (GDPR). If not, you may be in for a big surprise.
The EU Data Protection reform, adopted as the General Data Protection Regulation, has emerged as a seemingly unavoidable sweeping regulation that is getting the attention of organizations across the globe. Reactions to the GDPR have gone through a few phases in the last few years, from 1) “That is just another regulation that does not affect us,” to 2) “We will wait until we have to comply,” to 3) “That really might apply to us,” to 4) “Uh-oh, we should probably do something about this. Is it too late?” If any one of these sounds like something you have heard in your own organization, you had better get moving, because the deadline for compliance is 25 May 2018.
The need to protect personal information is not a new concept, and with the explosive growth of the cloud, information protection has become one of the most pressing responsibilities of any organization that collects, processes and stores private information. Just because this is a European Union regulation does not give organizations outside of the EU immunity. It does not matter where an enterprise is located—if it possesses or processes personal data about an EU citizen, it may be under the jurisdiction of the GDPR. At its core, the GDPR is composed of the following principles1 that apply to processing personal data:2
- Lawfulness, fairness and transparency—Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation—Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimization—Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy—Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Storage limitation—Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality—Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
- Accountability—The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR.
Governance of Enterprise IT
At first glance, this may appear as an overwhelming effort; however, for enterprises with a current governance of enterprise IT (GEIT) program in place that uses available industry standards and frameworks, the heavy lifting may already be done. For those without a GEIT program in place, there is some work to be done. Enterprise governance frameworks define a common language, provide a sharp business focus, and help meet compliance and regulatory requirements. Most importantly, they are focused on providing value to enterprise stakeholders by ensuring benefits delivery while optimizing risk and resources. There are many frameworks in the market today, so it is no surprise that most enterprises become overwhelmed and either make up their own or haphazardly pick parts and pieces of several, resulting in a fragmented governance system.
There is one framework that stands out as a great fit and appropriate tool for leveraging multiple frameworks, standards and bodies of knowledge under a single integrated framework. COBIT 5 is the only GEIT framework in the market that, by using principles and enablers, can be considered a sound model to not only provide the foundation for a solid governance platform, but also become a critical factor in achieving compliance with the endless requirements, laws and regulations in the environment, including the GDPR. This framework, if modified and adopted correctly, can be a great business framework to pull together benefits realization, risk optimization and resource optimization to support the overall governance objective of providing value.
What does this have to do with the GDPR? Simple. COBIT 5 is a great overarching framework that can assist in reaching compliance through the following principles:
- Meeting Stakeholder Needs
- Covering the Enterprise End to End
- Applying a Single Integrated Framework
- Enabling a Holistic Approach
- Separating Governance from Management
At the core of COBIT 5 principle 4 is a set of enablers. Think of these as ingredients to a holistic approach to governing and managing information. There are 7 categories of enablers that provide a holistic view of GEIT, and these are key to not only meeting enterprise governance requirements, but they can also be particularly useful in adopting the elements required to meet GDPR requirements. Figure 1 identifies the 7 enablers that are part of the COBIT 5 structure.
Figure 1—COBIT Enablers
Source: ISACA, COBIT 5, USA, 2012. Reprinted with permission.
Leveraging COBIT 5 for GDPR Compliance
Using the enablers to meet an organization’s governance needs can also assist in gaining a reasonable degree of compliance with the GDPR. Balancing performance and conformance is key here, because it is almost impossible to be overly compliant on all industry requirements while still performing. This is where the matter of risk comes in. These enablers allow organizations to apply appropriate governance and management practices across all aspects of the enterprise, with a focus on information. These enablers include the following benefits:
- Principles, Policies and Frameworks—Desired behaviors are translated into practical guidance and the flexible frameworks that manage the connections and modifications to those principles and policies. For GDPR, this ensures that the proper policies are in place that encompass scope, validity, consequences of compliance failure, means of handling exceptions and the ways GDPR compliance will be monitored and measured.
- Processes—A process is an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of overall enterprise goals. The COBIT process reference model identifies 37 processes in 5 domains (1 governance domain and 4 management domains). Fortunately, there is an enabler guide, COBIT 5: Enabling Processes, which is a great asset. The applicability to GDPR compliance is significant. For each of the GDPR elements mentioned earlier, 1 or more COBIT 5 processes can be applied to assist in meeting those requirements. For example, Appointment of Data Protection Officers can be supported by EDM01 Ensure Governance Framework Setting and Maintenance, APO07 Manage Human Resources and APO13 Manage Security
- Organizational Structures—This enabler is often the easiest to identify but the hardest to document, and it is much more than just creating organization charts. It assists GDPR compliance by defining key decision-making entities, determining span of control, assigning level/delegation of authorities and documenting escalation procedures in an enterprise.
- Culture, Ethics and Behavior—Often underestimated as a success factor in governance and management activities, this enabler refers to the set of individual and collective behaviors in an enterprise that support the overall goal of providing value. This enabler assists in GDPR compliance by documenting and understanding good practices such as communication, awareness of desired behavior, incentives, and rules and norms.
- Information—This enabler may be considered the lifeblood not only of COBIT, but GDPR as well. Pervasive throughout any organization, this includes all information produced and used by the enterprise. The nature of information can be better understood through defining and clarifying its properties, including all information generated and processed by business or IT processes through its life cycle of data, from information to knowledge to value. A more in-depth description of the information life cycle and key attributes can be found in COBIT 5: Enabling Information.
- Services, Infrastructure and Applications—This enabler includes all technology that provides processing of information and services. This is significant to GDPR compliance because the service life cycle produces, processes and requires information to deliver value to stakeholders. Therefore, understanding how the components of this enabler relate to each other leads to the creation of value while ensuring that private information is secure and compliant.
- People, Skills and Competencies—People are required for successful completion of activities and decision-making; therefore, defining the right roles and competencies for GDPR compliance is crucial to enterprise success. Good practices for this enabler include determining objective skill requirements for each role, which are different for each skill level and category.
Although the GDPR contains nearly 100 articles that define rights granted to EU citizens, there are multiple ways that COBIT can help. For a more in-depth view of how the COBIT 5 principles and enablers can assist, take a look at the ISACA white paper Adopting GDPR Using COBIT 5.
Whether or not your organization is within the scope of the GDPR, it is still a good idea to consider achieving the requirements. Think of this as an opportunity to enhance enterprise governance practices instead of just trying to be compliant. Although gaining and maintaining compliance if you are not required to appears burdensome, it is the right approach and could help avoid potentially painful future events.
For more information, ISACA has an informative collection of articles, white papers, tools and perspectives to help in achieving GDPR compliance:
Of course, the information here does not offer every specific item needed to achieve compliance, but it should, at a minimum, offer a unique perspective. Remember, good compliance is largely dependent on having a solid GEIT program in place and leveraging COBIT 5 to achieve this is the place to start.
Mark Thomas, CRISC, CGEIT
Is an internationally known IT governance expert and the president of Escoute Consulting. His background spans more than 20 years of professional experience including leadership roles from chief information officer to management and IT consulting. Thomas has led large teams in outsourced IT arrangements, managed enterprise applications implementations, and implemented governance and risk processes across multiple industries. Additionally, he is a consultative trainer and speaker in several disciplines including COBIT, ITIL and IT governance.
For more information and resources on GDPR readiness, assessment and compliance, go to www.isaca.org/GDPR.
1 PrivazyPlan, Article 5, EU GDPR “Principles Relating to Processing of Personal Data”
2 ISACA, Adopting GDPR Using COBIT 5, USA, 2017