Other Blogs
There are no items in this list.
Knowledge & Insights > ISACA Now > Categories
California Goes Beyond GDPR With New Data Privacy Law

Bill BonneyThis week, in my home state of California, the state legislature passed, and the governor signed, AB 375, officially known as the California Consumer Privacy Act of 2018. The legislation will take effect January 1, 2020. The good news for privacy professionals is that this bill resembles in many ways the European Union’s General Data Protection Regulation (GDPR). Much of the same data classification, business logic, and tracking of consent and preferences developed to comply with the GDPR should translate to this California law.

However, there are some key differences, which I will highlight below.

A little background and a race against time
While work on AB 375 began in February 2017, its passage yesterday is a direct response to current events. The legislation lists as one of its raisons d’être the recently disclosed actions of Cambridge Analytica, and a ballot measure, the “California Consumer Privacy Act,” that was designed to push the bill along. The measure had overwhelming popular support, and June 28 was the last day that the measure could be pulled from the ballot.

With the passage of AB 375, Alastair Mactaggart, chairman of Californians for Consumer Privacy and the major force behind the ballot measure, announced that the measure would be pulled, as was previously promised if the bill passed. The bill and the ballot measure were very similar, but by passing the bill, the California Legislature preserved its right to amend the law going forward and limited consumers’ rights of redress to breaches as opposed to all violations.

Taking GDPR a few steps further
There are several key differences between AB 375 and GDPR. The major ones are the right for consumers to sell their personal information (and by explicit reference in section 1798.125 (b), the right for a business to offer incentives to consumers to allow their information to be collected and sold), and, under section 1798.115, the consumer has the right to direct a business that sells the consumer’s information to disclose: a) what they are collecting; b) what they are selling; and c) what they are transferring for other business uses.

The right to offer incentives is a huge leap forward in that is allows firms to offer something (not necessarily money) in exchange for the resale of a consumer’s personal data, but it also establishes ownership rights in a whole new way. It’s one thing to control the use of one’s data, it’s still another to allow it only with compensation. It will be very interesting to see the market (consumers and data collectors) set the price. How much is your information worth?

California rightly excludes, under section 1798.145, the obligations where none of the covered activities take place in California and do not involve individuals who are in California at the time of data collection.

What’s next
As an information security professional, I have always used California (SB 1386), Massachusetts (201 CMR 17.00), Nevada (N.R.S. § 603A.010) and Texas (Texas Medical Records Privacy Act) as my state regulatory privacy proxies. I will immediately add AB 375 to that list and predict that the consumer backlash to the events and disclosures of 2016-2018 will cause other states to pick up where California has left off.

Author’s note: Bill Bonney is a security evangelist, author and consultant, and formerly Vice President and Chief Strategist at encryption software maker FHOOSH. Before FHOOSH, Bonney held numerous senior information security roles in industries including financial services, software and manufacturing. Bonney holds patents in data protection and classification, is an advisor to technology incubator CyberTECH, and is on the San Diego CISO Roundtable board of directors. He holds a Bachelor of Science degree in Computer Science and Applied Mathematics from Albany University.

Panel: More Automated Services Needed to Support GDPR Requirements

Where calls to “get ready for GDPR” permeated last year’s InfoSecurity Europe conference in London, keynote speakers at this year’s event—conducted just 10 days after the European Union’s regulatory enforcement deadline—put a stronger spotlight on GDPR compliance and sunk more serious messaging teeth into their talks.

Nowhere was this more evident than during the event’s “EU’s GDPR Is Here– Now What?” panel, where two enterprise privacy and security officers, a Microsoft cyber senior executive and a UK GDPR policy lead weighed the realities and rigor of the new regulatory environment.

Vivienne Artz, chief privacy officer for Thompson Reuters, said the organization has “put its house in order. Privacy, privacy and security by design are the new normal.”

Critical to Thompson Reuters progress, according to Artz, was senior management buy-in. GDPR support and change “must be a top-down exercise. Privacy cannot be delegated to a department. It is each individual who is now personally responsible,” she noted.

GDPR’s requirement that organizations report security breaches within a 72-hour period reinforces the individual employee awareness and activation, especially of documented, regularly practiced breach notification policies, according to Artz.

“If you don’t have a breach notification policy, you’re fried,” Artz declared.

Artz and Trainline security director Mieke Kooij emphasized understanding the regulation’s fine details, and working collaboratively, and very actively, across IT, audit, assurance and legal. For instance, “there are new things defined as ‘breach,’” and org-wide awareness is essential to avoid complaints and penalties, said Kooij.

The enterprise leaders emphasized their need for more automated services and tools to support regulatory requirements, such as data sourcing, mapping, data types and data access—a theme echoed by Johnnie Konstantas, Microsoft Enterprise Cybersecurity Group senior director. She said Microsoft, and most other technology and cloud service vendors, are deploying such capabilities given that GDPR lays additional burdens on the always accelerating pace of change in “applications, services and data … and of the supply chain. All of it as a very dynamic environment.”

And while not asserting the Information Commissioner’s Office (ICO) will “fry” non-compliant enterprises, technology policy head Nigel Houlden said “It’s fair to say there are some panicking” given GDPR’s requirements and impact across EU-based organizations and all entities that do business or have customers in the region.

“If an organization is willful, disregardant and neglectful of GDPR, you will be investigated. You will feel the force of … the authority of enforcement,” Houlden said. “We will not ignore anything, even the smallest complaint, if there is harm done.”

So, while leading up to the GDPR enforcement deadline, an ISACA survey asked participants about their GDPR readiness, maybe now the question should be along the lines of whether you are GDPR

  • Compliant
  • Neglectful
  • Panicked
  • Fried
  • Exhausted
  • or all of the above?

Editor’s note: For more GDPR resources from ISACA, visit www.isaca.org/gdpr.

Data Is the New Air

Matt LoebIn the infancy of any technology, there are going to be teachable moments. Prehistoric man’s mastery of fire didn’t come without a few scorched fingers and the occasional multi-acre conflagration. As a species, our taming of fire and combustion enabled innovations in everything from cooking to metallurgy to transportation, to an array of other endeavors. Those innovations, however, required a continuous process for humans to learn and establish capabilities to control fire, to use it appropriately, and to make it work for humanity’s benefit.

What the discovery of fire meant to ancient humankind, the Internet is to our modern world: a reshaping force that has reconfigured the ways in which we interact and innovate. And—like our forebearers—we are still singeing our hands a bit as we learn to operate appropriately in our evolving digital society. No matter whether we are enterprises or individuals, we must continue to develop and mature our capabilities to embrace and cope with new technologies and the resulting data that offer so much positive potential.

Data is not the new “oil” anymore. Data is the new “air.” It has become more than economic fuel; it is a catalyst of innovation, of disruption, and of possibilities. However, it’s never a guarantee that all innovations, disruptions and possibilities will be positive ones. Creating fire was one of early humanity’s greatest accomplishments. It also made arson possible. We still need to learn how to harness data and the Internet for positive benefit—as well as to manage and mitigate its risks. In the data we generate, just as there is great value, there also is great risk. We need to understand both and plot our digital pathways accordingly.

Facebook CEO Mark Zuckerberg’s recent moments on Capitol Hill made our need to digitally evolve even more stark. His testimony made the spotlight already focused on data and privacy even brighter. If nothing else was accomplished by his interactions with Congress, he has surfaced important and thought-provoking issues worthy of continued discussion—discussion that needs the active participation of policymakers, regulators, industry executives, academic leaders and individual citizens concerned about the use of their personal data.

Zuckerberg’s appearance in Washington, DC came in the aftermath of a data scandal involving a UK-based political data firm that improperly accessed data of millions of Facebook users. Pointing a finger at Facebook and asking, “How did this happen?” may feel cathartic, but it misses the larger point. This happened because the digital world in which we are now living continues to evolve faster than we have developed internationally accepted standards. This happened because, absent of such standards, evolution within the global regulatory and public policy realm has been unable to keep pace with the rapid advancement of technology. 

During his testimony, Zuckerberg admitted mistakes, accepted responsibility, and promised to do better—and then was grilled about many of those mistakes and the path forward. While Facebook has pledged expanded efforts to protect its users’ data, including giving users a better understanding of which apps can access their data and providing developers less access to data without users’ expressed consent, the revised approach going forward should not be Facebook’s responsibility alone. We, as individuals, have to accept some responsibility, too. In an odd sort of way, people have become data-driven companies in their own right. We must be proactive in the protection of our personal information, profiles, data and privacy rights.

The urgent need for sound data protection has reached new heights globally thanks to the arrival of the long-anticipated General Data Protection Regulation (GDPR), which is now in effect. ISACA research conducted in the weeks leading up to the deadline shows that prioritizing GDPR compliance among other business priorities is among the leading challenges that organizations face. While balancing enterprise priorities amid a disruptive and fast-evolving technology landscape is no easy task, protecting customers’ personal information – whether mandated by GDPR or otherwise – must be a priority, and therefore not relegated to being treated as a secondary consideration.

Data is the new air, and leveraging its positive potential is essential to catalyze innovation, progress, and  to create new value. To inspire assurance and confidence that the appropriate data protection efforts are in place, implementation of more rigorous and robust information/data governance is not an option; it has become a must. We may also need consensus-based standards to shape the right governance environment, ultimately making it easier to comply with any new policies and regulations that will come forward in the future. Without these conditions in place and lacking a collective commitment to collaboration, breathing this new air will become far more difficult.

Editor’s note: This article originally appeared in CSO.

GDPR Deadline Day: Not Compliant Yet?

Raef MeeuwisseThere are lies, darned lies, and then there are GDPR poll statistics. So, when ISACA recently approached me to help analyze a new poll on GDPR readiness, I was initially apprehensive.

After all, how many organizations are really expecting to be fully compliant with the new EU regulation on data protection by today’s deadline? Previous poll results from other sources have ranged as high as 90% and as low as 10%.

The significant variation in results might reflect the way that the questions are framed by different surveys, and moreover, whether the respondent believed that the results really were going to stay anonymous. When non-compliance with the regulation can result in fines of up to €20 million or 4% of global turnover (whichever is greater), very few organizations will openly admit that their compliance process expects to break the law and run some of their data illegally for a while.

Fortunately, the good folks at ISACA – supported by YOU (members of the ISACA professional community and readers of the ISACA Now blog) – came through with a set of results that have been far more insightful. The ISACA GDPR readiness poll is based on anonymous responses from thousands of relevant practitioners around the world.

Here are some of the survey highlights:

How many of us think our organizations will be ready by today? According to the ISACA GDPR readiness poll, only 29% of us think our organizations will be GDPR ready on time.

But wait, there’s more: 17% think their organization would not achieve compliance until at least 2019 or later and a substantial 31% did not know when their organization would achieve compliance.

When it comes to late-stage compliance remediation, the good news is that your organization may not be alone. However, with the unprecedented levels of potential financial penalty for non-compliance, it is probably not a good idea to remediate slowly.

However, fast remediation also has substantial downsides. For example, how many organizations have been forced to delete huge numbers of customer records simply because they rushed out a very badly worded opt-in request?

Meanwhile, in the rush to become compliant, there is at least a personal upside to this. Most of us are celebrating with each opt-in email we receive and ignore. Less junk in the mailbox – hurray!

(How I read most GDPR emails: “Would you like us to continue to send you annoying spam? Please? – Click here for YES or just ignore this email to have your personal information deleted by us.)

What about the companies not directly asking people for an opt-in but simply updating their privacy policy terms and conditions, then providing a hard-to-find, complex series of PAUSE options (instead of opt-out) buried somewhere in their website application interface? Will that approach pay off, or are they lining themselves up for future non-compliance claims? Hmmm.

If your organization is not yet GDPR-compliant, you can take some degree of assurance from YANA - the fact that You Are Not Alone. In fact, right now, you are probably part of the non-compliant majority. However, be careful, because that means you are non-compliant with a piece of legislation with a penalty level that for many organizations could be an extinction-level event.

So, who will be the first targets for deep scrutiny of their GDPR approach by the relevant EU supervisory authorities? I believe this will be any organization discovering a substantial data breach soon after 25 May, in which the same organization also appears to have intentionally ignored or misinterpreted their GDPR obligations.

It is also wise to consider this: Everyone, from unethical hackers to unhappy customers and disgruntled employees, past and present, will soon realize that the easiest way to cause financial pain to any organization that has ignored some or all of their GDPR obligations will be through their stashes of non-compliant personal information.

Editor’s note: View more information on ISACA’s GDPR preparedness poll. For additional ISACA resources on GDPR, visit www.isaca.org/gdpr.

Data Mapping: A Key Challenge in Achieving GDPR Compliance

Laszlo DelleiGDPR compliance projects around the world are dependent on knowing what personal information data organizations are collecting or processing.

This is a difficult challenge, as evidenced by new ISACA research that shows data discovery and mapping is the top challenge/concern respondents have in preparing for GDPR compliance. With due diligence, though, this challenge can be overcome.

The first step is to map or collect all the personal data of the company. What does this mean?

Article 30 of the GDPR (records of processing activities) states that organisations must maintain a record of processing activities under [their] responsibility. That record shall contain all of the following information:

  1. the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  2. the purposes of the processing;
  3. a description of the categories of data subjects and of the categories of personal data;
  4. the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  5. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
  6. where possible, the envisaged time limits for erasure of the different categories of data;
  7. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The most important information: these registers should be able to be presented at the request of the authority. This article does not speak about data mapping explicitly, but if we have this in place, it can be very useful later on.

A data mapping is a special type of data dictionary that shows how data from one information system maps to data from another information system. We can retrieve data mapping manually, through questionnaires and interviews. However, with the 25 May GDPR compliance deadline fast-approaching, there is not enough time for manual mapping. There are, however, some alternatives.

For instance, applications are available that identify personal data stored in databases. This is fully automated, as the engine locates and tags which system or database contains personal data. This enables scanning through thousands of database tables and identifying GDPR-relevant data automatically.

Additionally, software exists that handles all GDPR-related information and registry in one centralized application. This application has several functions, including the data map and records of processing activities.

A key component of any GDPR filing system is an up-to-date data map. Companies can rely on software programs for data maps that show the personal data stored by the company specifying the storage system, the ID and the purpose of storing them. Software can also keep records of processing activities. A well-structured filing system identifies which data of which systems are involved in profiling, or disclosed to a third-party country or organization, and even specifies the duration of data retention.

The coming GDPR deadline has placed added emphasis on the importance of data mapping. By taking an organized, strategic approach and automating where they can, organisations can meet this important challenge.

Editor’s note: For more ISACA resources on GDPR, visit www.isaca.org/gdpr.

How Data Visualization Can Reshape Your Enterprise

Larry AltonData visualization is being hailed as the next great revolution in data analytics. But besides the fancy name and the slick-looking graphs produced by the technology, how can this new addition improve your already-efficient organization?

If harnessed correctly, data visualization has the power to improve your company’s productivity, client relationships and profitability all at once.

But how?

The effects
Let’s start by dissecting the core strengths and effects of data visualization. Assuming all other factors (including staff, data sources, etc.) are equal, data visualization has the potential to add the following:

  • Interpretability. The hallmark improvement offered by data visualization is its interpretability. In other words, a set of data illustrated in a visual chart is much easier to understand than a complex spreadsheet containing the same information in a numerical format. This makes the process of data analysis more accessible and faster, to a wider range of users.
  • Speed. Data visualizations themselves aren’t exactly new; we’ve been using charts and graphs for hundreds of years. The big difference here is leveraging platforms that can quickly and precisely adjust those visualizations to account for new variables, different conditions, and other customizations requested by a user. The production element has hastened significantly.
  • Utility. We should also consider the near-universal utility of data visualization, since it can be used in almost anything, from studying demographic trends to analyzing employee productivity. This means you can harness the power of data visualization for almost any department or application, provided you have information to study.

Key effects to harness
So, how can you apply these advantages in a way that improves your entire organization?

  • Analytics approachability for employees. Because data visualization is pretty intuitive, and because it’s available for countless applications and departments, it’s possible for employees of almost any department to become data analysts in their own right. More data analysts on staff means more analytic power within your organization, and the potential to optimize almost any role for greater productivity and profitability.
  • Big data reduction. Until recently, companies have pushed to collect as much data as possible; after all, more data is always better, right? The answer isn’t so straightforward. Collecting more data leads to more vulnerability and storage costs, but also more complexity, and more difficulty drawing accurate conclusions. The imminent arrival of the General Data Protection Regulation (GDPR) introduces new privacy considerations. Data visualization takes big data and condenses it to a more intuitive, accessible form, allowing companies to make use of big data while eliminating one of the risks. Hypothetically, that means releasing a core limitation in data advancement within an organization.
  • Easing client communication. Effectively demonstrating your results and efforts to clients is one of the toughest challenges for any B2B company. Data visualization eases this problem, giving you an intuitive tool you can use to make almost any concept easier to understand. Visual tools make conversations go smoother and minimize miscommunications.

Future trends to watch
These benefits are just the start; in the future, data visualization will likely improve even further, especially along these dimensions:

  • Higher-dimensional data. You can chart two variables against each other with a simple line graph with an X- and Y-axis, with each axis representing a variable. You can chart a third or fourth variable by adding more lines or bars to your chart, or by utilizing some kind of Z-axis. But what if you want to visualize 10 variables or more? High-dimensional data visualization is the answer, but it’s a technology still in its infancy. It’s hard to make high-dimensional data as intuitive as low-dimensional data, but researchers are striving to find an efficient way to make this happen.
  • VR and AR. The advent of virtual reality (VR) and augmented reality (AR) can also change our relationship with data visualizations. Rather than interacting with a static projection on a computer screen, users could feasibly reach out, touch, and interact with data in a 3D environment.
  • Machine learning and AI. Already, machine learning and artificial intelligence (AI) algorithms are making data analytics platforms more intuitive and faster for users. When they become more efficient, they may be able to not only generate custom visualizations, but also recommend what type of visualizations to render based on available data. In effect, they could serve as analysts in and of themselves.

The organizations most willing and able to make good use of data visualization technology are the ones likely to remain competitive for the foreseeable future. If used correctly, this can be more than a superfluous add-on to your existing platforms; it can help you transform your department, or your entire organization for the better.

SQL Databases and Data Privacy

Robin LyonsIf anyone had any doubts, data privacy is still kind of a big deal. Beyond being at the core of regulations ranging from the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the United States to the global, far-reaching General Data Protection Regulation (GDPR), data privacy has its own annual day of recognition – 28 January. As organizations design operational strategies and tactics around data privacy, opportunities to leverage applications with built-in functionality to safeguard sensitive and confidential data are valued. For those using Microsoft SQL Server 2016, there are a couple of areas where built-in functionality can assist with data privacy initiatives.

Where is the data?
Safeguarding of sensitive or confidential data generally begins with data classification. Once data has been identified and appropriately classified, the next effort is establishing internal controls commensurate with the sensitivity/confidentiality level of the data. Depending on the organization, designing and implementing internal controls may be a bit of a hurdle. In its 2017 State of Cybersecurity Metrics Annual Report, IT consulting firm Thycotic reported that 4 in 5 companies don’t know where their sensitive data is. Understandably, unknown data locations make it difficult to identify safeguards to protect the data. As in prior versions of SQL, using SQL Server Management Studio (SSMS) in SQL Server 2016 can provide a list of databases. Also, in addition to a variety of other data querying options, Transact-SQL (T-SQL) queries can be used to locate data and related tables.

Who has the data?
Having identified where the data resides, entities are faced with ensuring that access to the data is limited to those with the appropriate roles in their organizations. Once those access determinations are made (following the Principle of Least Privilege), organizations can then use Microsoft SQL Server 2016’s Dynamic Data Masking (DDM) feature to support its access strategy. With Dynamic Data Masking, sensitive/confidential data remains unchanged in the database while this data is hidden in designated database fields. Organizations can fully or partially mask the sensitive/confidential data depending on how they configure DDM.

Another option for limiting access to data is to use Always Encrypted. This feature allows encryption of sensitive data (at rest and in transit) within client applications. Since encryption and decryption happen outside of the SQL environment, it facilitates least privilege by limiting data access to those who own the data and need to view it.

As data privacy expectations become more permanent fixtures of entities’ operational landscapes, built-in features such as Dynamic Data Masking will become more commonplace. The newer DDM functionality, coupled with existing functionality through SQL Server Management Studio, can help entities achieve and maintain data privacy goals. Coupled with best practices in data management, this built-in functionality should provide an easier path to meeting the data privacy expectations of customers and compliance regulations.

GDPR Can't Fix Stupid

Scott RosenmeierGDPR, the much-discussed General Data Privacy Regulation from the European Union, will not be a cure-all for the world’s data privacy problems simply because the GDPR, like every law, is subject to the bureaucracy out of which it was born. This bureaucracy can be compared to a super tanker and those who would violate the law to speedboats. While the super tanker takes miles to make a simple course adjustment, speed boats can dance around the super tank with little fear of a collision.

Sure, there will be times when a speedboat captain makes a mistake and collides with the super tanker resulting in the organization being penalized, but my current expectation is that the organizations that will ultimately pay the potential fine of 4 percent of global turnover will be few and far between. I say this because the GDPR, for all its good intentions, was created by humans, and lawyers will quickly find the loopholes, unintentionally created by the humans, to keep their customers from paying significant fines. Moreover, I simply do not believe that many of the organizations charged with enforcing the GDPR currently have the required manpower and skills to successfully enforce the law. Add to this the fact that Working Party 29 continues to provide guidance on what different sections of the law mean and, at least in the short term, we have a construct that may be difficult to enforce.

That said, I think the GDPR could have a very positive effect on the events we have recently seen involving Facebook, Cambridge Analytica and the political decisions they are claimed to have influenced. GDPR clearly lays out individual’s rights and a primary focus of data privacy and information security professionals should be training colleagues, family, and friends about those rights under this law and the threats that attempt to undermine their rights. The key to success is education, for it is only education that can fix stupid. We, the world, must add critical thinking to educational programs at all levels. An educated population, with solid critical thinking skills, will significantly improve our ability to reduce the effectiveness of fake news and to take back our democracies from the forces that would use our data and opinions against us.

Despite these observations, don’t despair. GDPR is a well-intended regulation that has the potential to change the way the world views data privacy. This value will be derived, however, through education rather than through fines. We must all understand that we do not have to accept our employers, governments or, perhaps worst of all, non-governmental organizations that attempt to sway public opinion on crucial political decisions, misusing our data. We have options. We can inform ourselves using multiple accredited sources. We must demand that our rights are respected.  We should confront those who spread fake news, both in the internet but also at our own dinner table. Most importantly, we can vote, with a few mouse clicks, and can close our accounts on those social media platforms which exploit our data for their gain. We must all understand that data privacy is a universal right and thinking critically about what those with access to our data will do with it is the ultimate safeguard for our data, our privacy and ultimately for our democracies.

Author’s note: The author’s views are his own and do not necessarily reflect the views of his employer.

Cambridge Analytica and Facebook: Lessons for Enterprise

Ed MoyleThere have been many developments for policymakers, privacy advocates, corporate execs and, in fact, the public at large to contemplate considering recent news about Cambridge Analytica and the information collected by Facebook. The facts have been covered heavily elsewhere in the mainstream and industry press, so I’ll spare you a repeat play-by-play here. However, I do think there are a few important, timely observations to call out for leaders and practitioners in the security, risk and assurance communities.

Specifically, regardless of whether you are an end user of enterprise technology, an enterprise software vendor, or just an individual concerned about keeping your (and your household’s) information protected, there are some “lessons learned” to prevent or mitigate headaches down the road.

I should mention at the outset that these aren’t the only lessons that can be gleaned from these events, and they may not even be the best ones depending on your environment and circumstances. And, of course, we will continue to track developments as the story evolves, with perhaps more lessons on the horizon. Consider these, then, prudent measures for anyone – either observer or impacted party – and for organizations to benefit from, with current events serving as a useful “proof points” to explore at the enterprise level.

A punch in the face?
The first factor is being aware of permissions you give and agreements that you enter into – particularly in relation to privacy and security. Quite a few people were surprised and concerned about the volume of information collected by Facebook on mobile platforms, and many viewed with alarm the realization that Facebook collects call records and sent/received SMS messages on Android phones. However, the permissions requested by the Facebook-supplied app (which users agree to when they install) let it do exactly that. While some might view the outcome as undesirable, the app specifically requested these permissions and users agreed to them at the outset.

An analogy would be someone asking you if they can punch you in the face. If you give them your consent to go ahead and take a swing, are they in the right or in the wrong when they follow through?  That’s a thorny question, and arguments can be made on both sides (for example, it might matter how they asked the question in the first place). But they did ask for your consent first and, if you don’t want to get punched, you can say no.

This might sound a bit like “blame the victim” – and, if so, that is not my intent. I bring it up because there are lessons here for those on both sides of this equation: end user and technology supplier alike. For the end user, viewing critically (and with a healthy skepticism) the permissions that apps request – and the measures agreed to by a supplier or service provider – is always an exercise in prudence. While some vendors might be more transparent about what they’re doing than others, keeping a handle on what is being requested (or promised) is absolutely critical. This is, in fact, what the Android permission system was built for in the first place.

This same principle extends beyond mobile. For example, if your cloud provider says it is performing a certain task (such as a security countermeasure), how confident are you in that? Are you checking? How would you know if not? For those supplying those services or products, being transparent about why you’re asking for the permissions you’re asking for (and how they’ll be used) can save you quite a bit of hassle down the road and being explicit about what you’re doing to keep information (and how) is likewise valuable.

The supply chain
The second item I’d call to your attention is the “transitive property” that exists between suppliers and the end entity – at least from a perception and customer point of view. For example, in this case, while it is true that Cambridge Analytica allegedly broke the rules and violated Facebook’s terms in how they acquired data, public angst (at least quite a bit of it) is directed at Facebook.

Are there reasons to be concerned about Facebook’s privacy and security more generally? Perhaps. But in this case, much of the pain that Facebook seems to be in results from actions taken by a member of its ecosystem rather than itself directly. As organizations become more interdependent on suppliers, contractors, business partners, and even customers, the lesson of how customers and the world at large will view a failure of trust is important. This is particularly true as it relates to private information about those users and customers.

So, lest we needed to be reminded, a lack of confidence in an organization’s data stewardship (i.e., a privacy issue, a security breach, or any other issue that impacts users’ information) caused by someone in the broader ecosystem can and often does generate ill-will to those connected to it via supplier, partner or other relationships. You’ve heard the old saying that “you can’t outsource liability”? It’s as true now as ever.

I’m sure as events unfold, we’ll all learn more about these circumstances and, with that, new lessons will continue to emerge that we can adapt to the work we do on behalf of our organizations. But starting with these, and working to make sure that we are aware of permissions and agreements that we might have entered into (including potential consequences that might arise), and the relationships that we have in our supply chain that can potentially impact us, is a useful way to ensure we’re keeping our organizations in solid shape. 

GDPR Assessment Provides Customized Guidance

Christos DimitriadisAlthough we are less than two months from the European Union’s General Data Protection Regulation (GDPR) compliance deadline of 25 May, many organizations are not yet confident in their level of preparedness for this landmark new data privacy regulation.

If that concern applies to you and your enterprise, know that you are in good company. Many of your colleagues across the globe are in a similar position, still working diligently to make the needed headway to be in solid position once GDPR takes effect.

Another reason not to panic: ISACA is here for you. Our new GDPR Assessment helps users and their enterprises identify gaps in their GDPR readiness and offers guidance on how to resolve those gaps. It provides customized output of areas in which your enterprise needs to focus and provides the opportunity to retake the assessment later after implementing the initial guidance.

The complimentary assessment was powered by the contributions of leading global security and privacy experts and includes gap analysis expertise from CMMI Institute. The tool is part of ISACA’s ongoing commitment to help our global professional community prepare for GDPR; if you have not recently viewed ISACA’s frequently updated array of resources on the topic, I encourage you to visit www.isaca.org/GDPR.

After such a long buildup, it is hard to believe that we are now less than two months away from the deadline. GDPR compliance should be seen as a business opportunity, rather than a roadblock. GDPR is not a checklist to be completed, separate from the enterprise’s core functions and capabilities. Instead, complying with GDPR needs to be a basic, foundational element of the organization’s operations, capabilities and decision-making. It requires a level of cross-functional collaboration that will serve the enterprise well long beyond the compliance deadline.

It will be fascinating to watch how data privacy regulations around the world evolve in the coming years. As the world becomes acclimated to conducting business with the EU in the era of GDPR, expect other nations to develop similar policies in an effort to deal with universal challenges in data protection and data privacy.

I fully expect the ISACA professional community to demonstrate leadership in embracing the challenge of helping their enterprises adjust to the new regulatory environment. GDPR represents an excellent opportunity to put our enterprises on stronger footing and better serve our customers.

1 - 10 Next