Last May marked the beginning of the application of the General Data Protection Regulation (GDPR), which harmonized and unified the rules governing privacy in the European Union. Leading up to and following the adoption of the regulation, data protection has been in the focus of attention all around the world. Governments introduced new legislation, while supervisory authorities, the civil society, data controllers and processors publicly discussed rules, obligations and institutions set out in the GDPR, and campaigns have been launched to raise privacy awareness among data subjects and the public.
Despite all this, at the six-month mark after the compliance deadline took effect, only 30 percent of companies located in the EU could be considered GDPR compliant, a recent study showed.
Perhaps we should not be entirely surprised by that underwhelming statistic. GDPR compliance can be time-consuming and resource-intensive. It necessitates a strategic approach and a permanent focus on all activities related to data processing. Unfortunately, these characteristics can give rise to certain hazardous attitudes on the part of controllers and processors. Many of these actors are aware of the new rules introduced by the GDPR, yet choose to ignore the relevant obligations, hoping to avoid inspections and further consequences. Others are reluctant to comply with the regulation and may treat other responsibilities as trumping privacy, for instance assigning more weight to economic benefits than to the protection of personal data. Finally, it is a common misconception that once a controller publishes its privacy notice or policy, its activities are in line with all obligations deriving from the GDPR.
Nonetheless, data subjects are becoming more conscious of their privacy and demand effective control over their personal data. Besides this heightened interest in the activities of controllers and processors, the monitoring and enforcement mechanisms set out in the GDPR are now operated by supervisory authorities across the European Union. Fines have been issued for non-compliance and, as a further consequence, publicity of unlawful conduct further damages the reputation of controllers. Thus, the attitudes mentioned above are harmful to the rights and freedoms of individuals; they violate provisions protecting the privacy of data subjects, and they may also lead to significant loss of income for controllers and processors.
Instead of demonstrating the previously mentioned attitudes, controllers and processors should realize that certain easy steps can promote GDPR readiness. First, they need to be self-aware concerning activities connected to the use of personal data. An updated record of processing activities and the designation of a data protection officer may be of great help in this respect. Application of data governance tools can also assist in setting the relevant internal policies. Furthermore, it is necessary to document every aspect of these activities, thus demonstrating compliance with the principle of accountability. Finally, controllers and processors should make their operations transparent to supervisory authorities and data subjects as well as to the general public, via data protection notices and other methods of providing information.
These are certainly not the full set of conditions for GDPR compliance, but they help controllers and processors achieve it, and they constitute valuable proof that an organization is willing to abide by the rules of the regulation and respect the privacy of data subjects.
Nowadays, the term privacy echoes across boardrooms globally, as each country and enterprise races to update its laws and policies to keep up with the need for data privacy controls. This massive wave of interest is largely driven by the introduction of emerging technologies such as robotic process automation, the Internet of Things (IoT) and artificial intelligence (AI), which are increasing the number of sources of personal data available to enterprises. This, in turn, is increasing data protection risk to enterprises.
A recent ISACA whitepaper, Enforcing Data Privacy in the New Digital World, highlights the fact that although many enterprises are focused on data privacy compliance, data breaches can also cause irreparable monetary and reputational damage. This is supported by a 2018 IBM study that reports the average cost of a data breach to be $3.86 million.
In addition, if we examine the global risk landscape recently assessed by the World Economic Forum, massive data fraud/theft comes in fourth place, followed by large-scale cyber-attacks. These reports confirm that data privacy is now a significant risk that enterprises should tackle immediately, since the benefits of implementing controls to address data privacy outweigh the costs.
With the numbers and facts laid out, enterprises looking to implement data privacy controls should start from the top, by incorporating data privacy into the enterprise’s data protection strategy. This sets the direction in which the enterprise will move forward on its data privacy initiative. At this phase, careful consideration must be given to harmonizing the data privacy strategy with the corporate strategy. After all, data flows throughout the organization and, contrary to a common assumption, is not confined to IT departments.
Once the data privacy strategy is defined, enterprises can move forward with translating it into their governance activities. Enterprises should begin with an examination of their current organizational structure. Data privacy acts and laws such as GDPR have introduced new roles to be implemented within enterprises to ensure compliance and proper implementation of data privacy. Some enterprises fall short of properly defining the responsibilities needed to implement the data privacy strategy, and such new roles end up siloed, without proper reporting lines or involvement in the enterprise. Enterprises should also revisit or prepare policies and procedures with a particular focus on data privacy. These guidelines must be formally written and enforced in the enterprise; examples include guidelines on data retention, information security, monitoring and reporting procedures, and data disposal.
As enterprises move forward with the data privacy project, they will begin to understand the types of data currently processed in their environment. This allows enterprises to also determine the challenges they need to overcome to be fully capable of applying data privacy controls. Following this, enterprises can work on establishing controls such as implementing tools to ensure data privacy within the IT environment, developing a privacy culture within all departments and ensuring periodic training and awareness sessions on data privacy.
An important point here relates to third-party involvement in data privacy. Typically, enterprises outsource certain functions within the IT department to third-party vendors in order to provide the needed skills and support to customers. Nevertheless, outsourcing does not remove the responsibility of the enterprise to ensure their vendors comply with data privacy policies and laws. Enterprises should revisit their third-party vendor contracts and service level agreements to ensure that data privacy compliance provisions are included.
In light of the growing importance of data privacy, enterprises that incorporate privacy compliance within their corporate strategy, role definition, policies and procedures, controls, and third-party management practices will be best positioned to reduce regulatory non-compliance penalties and reputational risk.
For those of us who work in information security, data privacy and governance, we seem to traverse daily from one headline to another. A new corporate victim announces they were breached to the tune of 100 million records. A regulatory body announces a financial and oversight settlement with a company for failure to adequately protect data. On and on we go.
Because of this constant onslaught, nobody was terribly surprised to hear about the €50 million fine levied against Google by the French data privacy regulator for violations of GDPR. We all knew a big enforcement was coming, and that the early, large fines would be against a social media or tech giant. Check and check. But what does this mean to organizations on a broader scale?
As I draft this post on Data Privacy Day, trying to find the larger meaning in this first-of-many large fines, I am faced with many possibilities. Could the message be about regulatory muscle-flexing, or is it about corporate arrogance and gamesmanship? Is this a legitimate assertion of individual rights against a corporate giant, or is it an attack against a successful tech company and its profit model? In GDPR, are we looking at the shape of tomorrow’s global data environment, or are we seeing a regulatory trend that risks stifling innovation and “free” service delivery? Of course, the answer is all of the above.
The regulatory authorities across the EU who are charged with enforcing GDPR must, at some point, exercise their authority. No regulation can be effective until it is applied, tested and, ultimately, proven or defeated in practice. At the same time, some organizations may look at the details of the regulation and make a risk-based assessment that they have done enough to comply with their interpretation of the regulation, reasoning “We have taken some [less-than-perfect] actions, let’s see what happens.” The rights to one’s personal data are becoming more widely accepted as a given, but many consumers still are willing to casually or selectively trade some of those rights for convenience or services. With data privacy and security laws and regulators proliferating and evolving, data-centric business activities and profit models must be more carefully engineered and scrutinized. All of the above.
This recent and highly publicized enforcement activity is likely to spur additional compliance efforts from many organizations. Few can absorb a fine with that many zeros in it. On a strategic level, however, it may well contribute to the gradual paradigm shift away from the whack-a-mole approach to security and privacy regulations, and toward a philosophy of intentional data governance and strategy.
There are many financial and organizational benefits to proper data governance, including lower infrastructure costs, better litigation readiness, smaller cyberattack footprint, and better visibility for regulatory compliance. But sometimes it takes a negative result occurring to somebody else to make us ask the right questions and do the right things. Time will tell if a hefty fine is enough to move the behavioral needle for Google, or for the rest of us.
Editor’s note: For more on this topic, read “Maintaining Data Protection and Privacy Beyond GDPR Implementation.”
The offshoring industry is at a turning point. There is a growing demand to further saturate offshoring hubs with a view to increasing profits. The true value of offshoring is realized when it is viewed as a relationship among parties rather than a mere delivery model.
Success of this relationship can be seen when:
- The offshoring units meet contractual metrics and produce deliverables of industry quality;
- Onshore units are successful in cutting costs and drawing profits, and are able to focus on critical tasks toward business expansion;
- People involved in the offshore and onshore units are satisfied, competent, and have synergy;
- Industry standards are maintained with due care to information security and privacy requirements.
However, in the real world, it seems companies struggle to manage this relationship, with security and privacy considerations becoming all the more challenging to manage.
So, the question is, offshoring: how to get it right? Or do we plan to offshore this task as well?
Below are key considerations that, when consciously applied by the onshore and the offshore teams, will help companies achieve talent utilization, value creation and profit realization.
Key considerations for the ONSHORE team
1. Change in mindset
The current mindset of onshore professionals, in which offshore teams are simply flooded with work requests, needs to be updated. Onshore professionals need to mature their mindset in the pursuit of low costs and high quality. The offshore team must be viewed as an extension of the onshore team, and its members should be encouraged to ask questions and build their expertise. The vision of the firm and the engagement should unite the teams with a shared purpose when geographic distance separates them.
Change is the only constant in technology. As laws and regulations change, the onshore team must be aware of the information that is being dealt with at onshore locations. Chapter V of the General Data Protection Regulation (GDPR), which governs transfers of personal data to third countries or international organizations, sets out conditions that must be satisfied before personal data is transferred to such destinations for processing. Given the global impact, it is therefore vital for onshore professionals to update their mindset from a security/privacy lens and carefully scan which information can or cannot be offshored.
2. Collaborate and share knowledge with offshore teams
Onshore professionals should be encouraged to share knowledge with offshore teams to help them understand the objectives of the deliverables. Structured periodic calls and updates help achieve efficiency on both sides of the table. Training the onshore team on how to collaborate efficiently with offshore professionals, understanding the culture of communication and work management at the offshore site, and periodic checkpoints on technical learnings will meet these goals.
A strong relationship requires both parties to complement each other. To that end, it is important to train offshore teams on the technical aspects of security and privacy considerations. Training can be based on a framework (such as NIST or ISO) or focused on areas such as access control, information risk assessments, network security, and system development. Collaborating and sharing such knowledge keeps offshore teams informed, enabling them to make sound decisions.
3. Invest in the right technology
Large firms that embrace offshoring usually have a file-sharing or instruction-sharing mechanism connecting the onshore and offshore teams. Over time, the tool or mechanism in use often proves ineffective in terms of time, usage, and perhaps intent. Long emails and Excel trackers should be a thing of the past; firms must invest smartly in research and development of proprietary tools and automation techniques.
From a security/privacy lens, companies need to consider:
1. Technology being used to share the data
2. Actual content or data being shared
Automation brings its own risks, especially related to data security and access control. Careful implementation of automation, backed by constant monitoring of security measures, helps mitigate these risks. When actual content or data is being shared, special care must be taken with personal data.
Key considerations for the OFFSHORE team
1. Build the right team
With lower costs at offshoring locations, the easy option would be to hire as many professionals as possible and then distribute work among them. However, building the right team, with the required skill sets, educational background, and professional interests aligned to the services provided by the firm, is critical. The hiring process at offshore locations should be based on standards that align with the quality the firm represents.
The issue of data sent offshore and the risk to its privacy has shown that current US laws (HIPAA, GLBA) do not adequately cover or protect US customers when information is sent abroad for processing. Offshore teams must therefore have subject matter experts who keep up with the relevant regulations and can drive teams with their experience. Offshore teams execute best when they are led and trained by experienced leaders within the group. Industry certifications and periodic internal workshops on information security and risk management go a long way in building the right team.
2. Invest in quality and project management
With contractual metrics established between onshore and offshore teams, the rush to hand deliverables back to the onshore teams highlights a gap in quality and project management practices. Offshore teams must check their deliverables for quality, voice opinions where they differ from those of the onshore teams, suggest innovative ways of accomplishing tasks and streamline quality processes. Offshore leadership must work with their teams to identify any gaps in project management techniques that affect resources or onshore stakeholders.
Low cost and high quality are the traditional labels that sell offshoring. Achieving high quality with offshore teams is an investment of patience and continuous good practice. Techniques such as Six Sigma have been instrumental in streamlining quality requirements, and some companies have aligned Six Sigma with their security framework to derive security-driven return on investment. Offshore teams should define, evaluate, and monitor their quality metrics, and present how they add value to onshore teams and customers.
The European Union’s General Data Protection Regulation (GDPR) commanded the attention of the business community throughout 2018. Thought leadership gatherings such as ISACA conferences and webinars attempted to answer questions like, “What does it take to comply?” and “What will enforcement look like?”
Answers were largely speculative, and the actual enforcement processes associated with the regulation are only now taking shape. We can, however, look back at 2018 and make some observations about what has been accomplished, the drivers of compliance activities, and the work left to be done.
At six months past the implementation deadline, many organizations have harvested the low-hanging GDPR fruit. Privacy policies have been updated, cookie notices added to websites, and mechanisms have been deployed to support opt-in, opt-out, and data subject requests. Those using third parties to process data, or those who are the third party, have defined commitments and expectations regarding personal information. Training programs have been rolled out to educate about GDPR-related issues. Accomplishing these items has allowed organizations to mark a significant part of their GDPR checklist as complete and have a reasonable story to tell in case of an incident.
The desire to comply with GDPR and avoid any potential fines motivated much of this activity. Since GDPR, the regulatory landscape has continued to change and evolve. A proliferation of privacy and data breach regulations (such as the California Consumer Privacy Act, Brazil’s new data privacy regulation, etc.) has refocused the discussion from a single regulation to an overall issue of data privacy and business process. As recently explained by a business executive, “There is no way we can fund a new project to comply with each privacy and security regulation that comes along, so we must address these issues at a higher, more efficient level.” These conversations about compliance costs and efficiencies are driving the next wave of privacy-related projects.
Having addressed the basics, many of our clients now seek to reduce costs and lower their overall compliance risks. This often involves a deeper look at the role of data within business processes. Good information governance requires such things as accurate data and process maps, defined data lifecycles, security protections for data, and incident response plans. The ever-increasing risks related to compliance in a complex regulatory environment, and the standard benefits of good data governance, are causing many organizations to revisit some of these governance program elements. While 2018 saw a heavy focus on GDPR, 2019 may be a year of transformational governance projects as companies seek to reduce costs and compliance complexity by more precisely directing their use, management and protection of data.
The impact of GDPR has been significant, with more official guidance and enforcement decisions on the horizon. But the bigger story may be the pressures exerted on business processes by the combination of multiple data privacy and breach regulations, changing consumer expectations, and related B-to-B obligations. The next year may demonstrate how organizations are choosing to comply with GDPR while addressing these additional pressures.
The European Union General Data Protection Regulation (GDPR), which took full effect in May this year, solidifies the protection of data subjects’ “personal data,” harmonizes the data privacy laws across Europe and protects and empowers EU citizens’ data privacy, in addition to changing the way data is managed and handled by organizations.
GDPR affects people across the globe. Its scope is wide-ranging and can apply to many global institutions with operations in Europe. Certainly, GDPR has given data regulators more power, thanks to the severe potential financial penalties for non-compliance (a maximum of 4 percent of annual global turnover or €20 million, whichever is higher).
A few of the key things to know about GDPR are:
- The regulation governs how institutions collect, record, use, disclose, store, alter, disseminate, and process the personal data of individuals in the EU.
- If a breach involves personal data, the supervisory authority (Data Protection Authority) must be notified within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
- It governs the rights of data subjects, including rights to access, rectification, erasure, restriction of processing, data portability, and rights in relation to automated decision-making and profiling.
How do I assess my GDPR compliance?
All of these are essential reasons for institutions to ensure that proper governance and tactical steps are taken for compliance with GDPR. The GDPR Audit Program Bundle developed by ISACA does just this, providing institutions with a guide for assessing, validating and reinforcing compliance with the GDPR provisions by which they must abide. The audit program was developed to provide enterprises with a baseline focusing on several key areas and their respective sub-processes, covering all key components of GDPR, including:
- Data governance
- Acquiring, identifying and classifying personal data
- Managing personal data risk
- Managing personal data security
- Managing the personal data supply chain
- Managing incidents and breaches, and creating and maintaining awareness
- Properly organizing a data privacy organization within your institution
Also included are key testing steps, covering control category types and frequency, to help facilitate effective discussion and analysis as they fit your institution. The important thing to remember is that there is no single right way to become GDPR-compliant. However, a robust and thorough review of your GDPR environment as it pertains to your institution’s data processing is required to ensure a proper baseline is used to assess compliance and successfully execute a GDPR compliance program.
Editor’s note: ISACA has addressed both general and particular audit perspectives for GDPR through its new GDPR Audit Program Bundle. The audit program bundle and a complimentary white paper, “How To Audit GDPR,” are available for download from ISACA.
NIST conducted a workshop on 16 October in Austin, Texas, USA, to discuss plans for a voluntary privacy framework, and attendees had the opportunity to have a robust discussion about what such a framework should entail. The workshop was attended by individuals from industry, academia, and government.
The need for a framework, according to NIST, is because we live in an “increasingly connected and complex environment with cutting-edge technologies such as the Internet of Things and artificial intelligence raising further concerns about an individual’s privacy. A framework that could be used across industries would be valuable in helping organizations identify and manage their privacy risks.” It would also assist an organization in preparing and maintaining a comprehensive privacy plan.
“I think being able to have guidance at a federal level that takes into consideration key other privacy legislation and regulations as well as standards will be important,” said Paula deWitte, computer scientist, author, and privacy attorney. “The comment at the workshop about relentless interoperability of standards and the framework will be key to its usability.”
NIST discussed how the process for creating the privacy framework was largely aligned with how its Cybersecurity Framework was created, with collaboration from the public, and iteratively. NIST envisions the privacy framework as being “developed through an open, transparent process, using common and accessible language, being adaptable to many different organizations, technologies, lifecycle phases, sectors and uses and to serve as a living document.”
“The Cybersecurity Framework is more about critical infrastructure. Privacy is a different beast, and frankly, a bigger lift. We don’t even have a clear definition for privacy. On top of that, privacy is multi-dimensional. One must look at privacy from its impact on the individual, groups, and society,” said deWitte.
“The major elephant in the room identified at the hearing is that we don’t have a grip on what data needs to be protected and where the company’s data is. By that I mean, we don’t fully understand what data must be kept private and we must consider that organizations must be in complete control of data throughout its entire lifecycle including from procuring it, to storing it, to sharing it (as appropriate) to disposing of it,” said Harvey Nusz, Manager, GDPR, and ISACA Houston Chapter President.
With more work to do on the general strategic front, the group determined the overall approach for the framework would be enterprise risk management, a focus both Nusz and deWitte applaud, while offering words of caution.
“I agree that we need to fit the framework into an enterprise risk management approach, but how do we actually define and conduct risk management? Risk management encompasses all types of enterprise risk, so there is the issue of how one defines risk. Is anyone using a good methodology for risk management we can all get behind?” said deWitte.
“Every organization should at a minimum create a risk register,” said Nusz. “That needs to be part of privacy planning.”
Workshop attendees noted that the risk-based approach reflects the reality that privacy has moved beyond a compliance, checklist mentality. It is now a viable business model, with data considered an asset. The key is identifying the acceptable level of risk and owning responsibility if something goes wrong.
“This creates legal questions because our laws are written for the physical world, but if my identity is stolen, it can encompass legal issues including jurisdiction, standing and damages. Who has jurisdiction in the cyber world? Law always lags technology, so all of this has yet to be determined,” said deWitte.
“We have an opportunity to build trust with consumers through the way we handle their privacy,” said Nusz. “I look forward to this challenge and working with NIST to see it recognized.”
Some of the ideas for how to put the framework in practice to improve trust with consumers included: incorporating human-centered research in work done to protect privacy, attempts to de-identify information and be as transparent as possible with the process, as well as leveraging privacy enhancing techniques.
NIST will take the feedback from the hearing and build an initial outline, which it will present at a workshop in early 2019. To stay current on the privacy initiative, please visit the NIST Privacy Framework website.
The last two years have taught us that conventional wisdom and knowledge around privacy and security needs a makeover, in particular as it relates to the EU’s GDPR and the California Consumer Privacy Act. Data controllers and businesses, the entities responsible for what happens to personal data under GDPR and CCPA, respectively, are subject to new obligations that place significant organizational risk squarely on their shoulders. Though compliance issues can come from many places, one often-overlooked impact is managing processor/third-party risk.
Third parties (aka processors in the GDPR or information recipients in California law) are critical to organizational operations, from cloud hosting to payroll administration and processing. They hold customer, partner, employee, and confidential data that is the lifeblood of organizations, and we can’t run without them. While many third parties strive to be good stewards of their customers’ data, we find ourselves in a time where trust and good-faith efforts aren’t going to pass muster anymore.
Under the GDPR, CCPA and other regulations, controllers need to hold their vendors contractually responsible for specific obligations on how data is handled, through data processing agreements and other measures, and, as always, “trust but verify” that the vendor is acting accordingly. By extension, this includes our vendors’ partners as well, when fourth parties are involved.
Along with contractual measures, controllers need to assess, test and review a vendor’s ability to adequately safeguard the data they are transferring through product, personnel, and organizational protection mechanisms. This also requires that they pass the same data protection expectations downstream.
All of this due diligence should, at all times, be centrally documented and maintained. In the event of an incident or breach, controllers must be able to demonstrate a reasonable and defensible process for vetting third parties, including providing results of their assessments of vendors' practices and commitments to data protection, to help mitigate risks of liability. This also includes identifying potential risks of doing business with a particular vendor, taking actions to mitigate those risks, and continually managing vendors based on the scope and sensitivity of the data they process.
Now, chances are your organization has already taken steps to ensure proper actions are taken. For organizations looking for continual process improvement (CPI) and formal action plans, here’s a sample Vendor Risk Management lifecycle to consider:
This lifecycle is a roadmap to operational Vendor Risk Management that includes:
- Establishing a baseline for new vendors to benchmark associated risks (done during the evaluation and procurement process);
- Mitigating risk down to the lowest possible level and using that analysis to set a cadence for vendor review frequency;
- Documenting all aspects of vendor due diligence, including services agreements, privacy and security risk analysis, data processing agreements, vendor contacts, and internal owners; and
- Reviewing all vendors periodically to ensure agreements and relationships are maintained with appropriate controls in place, including based on regulatory guidance, as renewals or new services may be rendered.
Organizations should also incorporate privacy/security by design into vendor onboarding practices by integrating with procurement processes, to take advantage of work already being done today. This could include an early screening to determine whether further privacy and security due diligence will be required, based on what services are being rendered and how they are delivered.
Editor’s note: For more resources related to GDPR, visit www.isaca.org/gdpr.
On 25 May 2018, the world did not stop simply because the General Data Protection Regulation (GDPR) became enforceable. For many organizations, however, the enforcement date became a distraction, an unofficial deadline. In reality, there was no finish line.
We all recall the panic-driven deluge of marketing consent emails from companies this past summer – some we engaged with, many we forgot about and others we never even noticed. That deluge has now slowed down to a trickle.
Also, noticeably quieter are the salespeople peddling “GDPR-compliant” and “one-size-fits-all” solutions. Foreboding news headlines no longer scream about fines of up to 20 million EUR or 4% of total worldwide annual turnover for the slightest misdemeanor.
Three-plus months on from the enforcement deadline, here are a few observations and reflections on how organizations are adjusting to life under the new European privacy and data protection regime.
#1: Business as usual for some?
It would be inaccurate to say that organizations have quickly thrown off the restraints placed on them by the GDPR regarding the processing of personal data. However, it would be equally inaccurate to claim that poor data protection practices have been fully discarded and that we are now living in an era where organizations treat our personal data appropriately.
For Europeans at least, there is evidence of some change in behavior from large technology and global marketing companies, some of whom are already under scrutiny by regulators. For some other organizations, however, GDPR fatigue has begun to set in and organizational priorities are shifting from expensive programs to other hot-button enterprise risk issues.
GDPR compliance initiated a rush of activity that led to the creation of (or updates to) policies, procedures, system inventories and contracts. Some organizations brandished these new shiny documents as their evidence of being “GDPR-ready.”
However, having controls by themselves without a plan to assure that their design and operating effectiveness achieves the desired control objectives is half-hearted. Weak governance and the absence of privacy assurance programs increase the risk of a return to the past.
In reality, control effectiveness cannot be fully determined until after a designated cycle of operation. It may take at least one year before we start to see true changes in organizational attitudes toward data protection.
#2: Integrating privacy into enterprise risk management
Forward-thinking organizations saw GDPR compliance as an opportunity to return to the drawing board and, in some cases, revisit their approach toward enterprise risk management.
Far from simply fulfilling a checklist of requirements, some organizations used their GDPR compliance programs to test the alignment between their operational risk, information security, IT governance and privacy functions.
This also was an opportunity to embed privacy risk into enterprise risk management frameworks, check the health of three-lines-of-defense models, adjust risk tolerance levels and develop new key risk indicators (KRIs) to provide end-to-end assurance.
Where new privacy risk management processes (such as steering committees) have been implemented, they will need time to develop traction. In the long term, the right approach could see organizations improving the maturity of their data protection controls while also improving their overall enterprise risk posture.
#3: The “SAR-pocalypse” did not happen
It just didn’t.
Depending on whom you spoke to, the increased public awareness of privacy rights enshrined in the GDPR would unleash an avalanche of data subject access requests (SARs) from incentivized or incensed data subjects.
Executives feared that customers, disgruntled employees and coordinated activists flexing their new regulation-enabled muscles would bombard their service desks with requests seeking to enforce rights of access, erasure and others.
The term 'SAR-pocalypse' (a hypothetical denial-of-service scenario caused by an organization’s inability to manage an excessive volume of SARs) was whispered in hushed tones with real concerns that failing to deal with requests within the required period could attract penalties.
In the weeks just before and after the enforcement deadline, many organizations did in fact see a sharp rise in the number of data subject requests they received. However, many of those requests originated from people annoyed with the panic mass mailing campaigns in the weeks prior to the enforcement date. Understandably, many of the requests were for erasure and account deletion.
A retail organization I spoke with noted a higher-than-usual volume of requests in the weeks leading up to 25 May. Requests to be erased reached an all-time peak in the weeks following. However, by mid-June, those numbers had begun to drop. By the end of August, request volumes had returned to pre-25 May levels.
I am yet to hear of any organizations admitting that their service desks have toppled over due to a flood of SARs. However, organizations should not trivialize the need to keep their personal data flows up-to-date and to keep testing the effectiveness of their process for responding to SARs and other GDPR-related queries.
#4: Waiting to see what the regulators will do with penalties
‘Data Breach Scapegoats Wanted!’, wrote one satirical industry commentator on social media.
While Europe’s regulators adjust their oversight machinery to be able to effectively police the GDPR, there is a collective holding of breath by organizations waiting to see what precedents will be set with post-25 May financial penalties.
Perhaps the most high-profile data privacy related incident to hit the headlines since the GDPR enforcement deadline was the one involving the infamous Cambridge Analytica. For its part in the scandal (which preceded the 25 May enforcement date), the UK Information Commissioner’s Office (ICO) fined Facebook £500,000 (the maximum fine under the old UK Data Protection Act 1998).
Data privacy breaches continue to be reported, and post-25 May, the UK regulator has continued to take enforcement action against erring organizations. For example, British Telecommunications plc (BT) was fined £77,000 (hardly 4% of their global annual turnover) for sending nuisance emails to customers.
When scrutinized through the lens of Article 83 (“Each supervisory authority shall ensure that the imposition of administrative fines...in respect of infringements...shall in each individual case be effective, proportionate and dissuasive”), it might be a while before a “GDPR-scale” maximum penalty is imposed on any organization.
The absence of scapegoats may be because Europe’s regulators are either overwhelmed with data subject complaints or simply biding their time until they find the right opportunity to set a dissuasive precedent.
Rather than waiting for precedents and second-guessing regulators, organizations should continue to improve their incident prevention, detection and response procedures while maintaining a state of readiness for potential data breaches.
#5: After the hype, what comes next?
As the GDPR hype starts to wane, organizations should not lose sight of the wider benefits that can be derived from an improved attitude toward data protection.
For example, there will continue to be opportunities to improve data governance and unlock business insights from the personal data they lawfully process if organizations maintain their discipline around personal data collection and processing.
As informed consumers continue to exercise their enhanced consent rights under the GDPR, available inventories of user data are likely to come under pressure. By focusing on data quality (including processing data that is “adequate, relevant and limited to what is necessary”) rather than scale, organizations can improve engagement at different points within the customer journey.
The Privacy and Electronic Communications Regulations (soon to be replaced by the ePrivacy Regulation) remain a hot topic and the next keenly anticipated regulation from Europe. Correctly implementing GDPR requirements should have placed most organizations in a good position to adopt the requirements within the ePrivacy Regulation.
While senior executive support for GDPR remains warm, Data Protection Officers need to test their newly minted powers and ensure that their independence (including avoiding conflicts of interest with other tasks and duties) goes beyond qualities and responsibilities listed in a job description.
There is no turning back
The reality for many organizations is that GDPR program funding and resources will move elsewhere. Data privacy champions will change roles. Vendors will come and go. Applications will be developed and retired. Meanwhile, more countries and jurisdictions (like California) are likely to strengthen their own data privacy laws. The journey never ends.
Somewhere in all of this, care must be taken to avoid the slow erosion of data protection controls arising from negligence and poor governance and a return to the old ways. Seeing the GDPR not as a checklist but as an opportunity to transform corporate attitudes and embed good data protection practices will help organizations thrive under the new privacy regime in the long-term.
Editor’s note: For more GDPR insights and resources, visit www.isaca.org/gdpr.
GDPR: An acronym and a buzzword that has set many of us into “alert mode.” Since it was set in motion more than two years ago, thousands of people worked hard to ensure their organizations were prepared by the set enforcement deadline of 25 May 2018, and continue doing so. But among the good guys and gals, there were also some “louche” characters (a French adjective meaning “shady,” used in CNIL’s video on GDPR). These are people who had no ethical problem providing misleading guidance and wrong answers to the many questions concerning GDPR.
Unfortunately, Poland was among those countries where this phenomenon grew to be a danger to the whole idea of protection of personal data. Here are just a few examples of the consequences of the created havoc:
- Hospitals refused to inform parents whether their children were admitted after a serious bus accident with many schoolchildren injured;
- Teachers started calling out pupils by their assigned numbers instead of their names;
- Closure of a cemetery, because some gravestones had names of living persons on them; and
- Offers of special GDPR-compliant filing cabinets.
These situations were widely described and discussed on the internet in Poland, raising concern. To counteract this, in June this year, the Minister of Digital Affairs empowered Mr. Maciej Kawecki, the Director of the Department of Data Management at the Ministry, to create a special task force to deal with the worst absurdities. Mr. Kawecki is a top data protection specialist who is coordinating the work done in Poland to adapt Polish law to GDPR. The mission is very challenging; there are about 800 regulations that need to be revised. In the next few weeks, the Polish Parliament will debate the first package of legislative changes.
Mr. Kawecki posted a call for volunteers to work in the group. This proved to be a very sought-after, widely appreciated initiative, and the response was huge. From the several hundred candidates, 93 people were picked to work in five groups on issues concerning specific topics: health, education, finance/telecoms, public administration and general issues.
I had the pleasure to be selected to be a member of the education team. We come from a mix of professions and have different levels of involvement in day-to-day school activities. This creates additional value, as our different perspectives and experience enable us as a team to take a much broader look at GDPR issues.
In the first stage, we were asked to compile replies to seven especially pressing questions concerning schools. We came to the conclusion that each question should have two answers:
- A short one, of the "YES/NO" type with just a brief added comment, so that headmasters and headmistresses would know right away what they can or cannot do, and
- A long one, with legal reference to the applicable regulations concerning school and pre-school education and some practical advice for all concerned.
We already have noted our first success. Part of our work has been used in the GDPR guide for schools, just published by the Ministry of Education together with the Polish supervisory authority.
The creation of a GDPR task force by the Ministry of Digital Affairs is a highly recommended approach. It gives data protection professionals the opportunity to get involved in supporting GDPR compliance at the national level. It also creates opportunities for an exchange of knowledge and experience between practitioners and government officials in charge of developing regulations and recommendations. The Ministry intends to continue using our group to obtain practical and up-to-date information on issues and problems concerning GDPR implementation and to develop appropriate guidelines. This also gives us the opportunity to share our ideas and thoughts with our peers and to disseminate best GDPR practices to stakeholders in both the public and private sectors.
A good example of the usefulness of guidelines developed by official organizations is the “Guidelines on the protection of personal data in IT governance and IT management of EU institutions” published by the European Data Protection Supervisor (EDPS). These good practices are based on ISACA’s COBIT 5 and describe the data protection aspects related to the processing of personal data. With just a few minor changes that basically come down to replacing “EU institutions” with “data controllers,” this document can easily serve large and small organizations from the public and private sectors, in the European Union and outside it, in their efforts to achieve GDPR compliance.