17 April 2018 by Ramsés Gallego
With the arrival of the regulation, organisations must embrace greater privacy rights in order to handle data
Governance is a discipline beyond management, an overarching umbrella for the direction and approach leading to a greater future. You should govern an organisation, a company and – in our age – a data set.
The latest law relevant to that ethos, the General Data Protection Regulation (GDPR), will take effect on 25 May. But rather than being a mere technical checklist, it aims to foster a culture of data protection and information safeguarding. And we have to celebrate it.
It took the EU three and a half years to agree the privacy angle inherent in GDPR, but it is now a massive opportunity to encourage everyone to do the right things correctly for data collection, processing, retention, protection and governance.
GDPR harmonises and unifies 28 different member states under one law – with the UK government planning to maintain the regulation even after the country leaves the EU. Since the regulation is not a European directive, it will not have to be transposed into national law by every country. It is directly applicable.
It will mean investments in different dimensions, including technological and organisational ones, to ensure that sensitive data has been collected with explicit consent from subjects. For many companies, it changes the game. Privacy will not be treated as a privilege anymore, but more like a right.
Although GDPR is an EU law, it has international aspirations, since it has been created to protect Europeans and their data no matter where they live or work.
This is interesting, since now the EU might be able to fine companies that are not within its strict jurisdiction, as long as they are processing data about European citizens. It could even cause geopolitical tensions.
It is vital to understand that GDPR is not a security regulation but a privacy one. This is important, since we can have security without privacy, but we cannot have privacy without security.
There are explicit mentions of technology in the law, such as the need for encryption, and implicit references to many other technology disciplines, including identity management, access control, monitoring services, data anonymisation and cyber-risk training.
Consequently, there is an expectation from the Article 29 Working Party, an EU advisory body made up of the bloc’s various data protection watchdogs, that companies use technology to protect and defend personally identifiable information (PII).
Many things are considered sensitive information, including names, addresses, dates of birth, video footage of an individual, membership of unions or associations, and even IP addresses, which are used to identify computing devices.
Every company, organisation, and government institution has this sort of information and should know where it lives, who is touching it, for how long, and with whom it is shared, both internally and externally.
You can see the data firm Cambridge Analytica’s alleged unauthorised access of Facebook users’ data as a recent example of a company losing control of data.
At the core of GDPR also sits the interesting concept of privacy impact assessments (PIAs). These are aimed at making an organisation understand what kind of information it manages. They can be summarised in the answers to five universal questions: Who is touching What, When, Where and How.
Also critical is that GDPR explicitly mandates that organisations ‘demonstrate ongoing compliance’. For companies this is huge, since it departs from the idea of occasional scheduled auditing.
Ongoing compliance shows how good or bad an organisation’s controls are in a given moment, and fosters the approach of being continuously compliant with the law.
An entity must have monitoring controls in place and fully understand the three natural states for data: at rest, in motion and in use. For GDPR compliance, it is fundamental to grasp where data is stored, when and where it is moving, and how and by whom it is being used – again, the five universal questions.
The EU also flagged another aspect of governing a data set: the need for communicating when a breach has occurred, both to authorities and subjects affected. This could be a process nightmare when a data leak affects millions of citizens, patients, or customers.
Curiously, the law explicitly mandates that organisations must communicate a breach ‘in 72 hours from the moment of knowledge of the issue’. This leads to the question of what happens if a company official did not know about the breach.
In this situation there would not be the obligation of communicating anything. But this does not let organisations off, since it may point to negligence and not having proper countermeasures that would have brought control and visibility around data governance.
By law, many organisations will have to name a data privacy officer (DPO). The appointment of an official being mandated by law is not new, but the way it has been approached deserves some attention.
GDPR explicitly orders that this official be ‘independent’ to do their job and report directly ‘to the highest official of the corporation’. That is an interesting twist since it shows the obligation to not hide this important role within the hierarchy of the organisation.
From another view, this setup may also breed tensions between departments, since one is tasked with protecting information, while others, like infrastructure managers or systems directors, are less interested in the privacy aspects of their day-to-day tasks.
This is a clear example of the difference between management, which focuses on execution and running systems, and governance, which looks at the value of IT, the responsible use of resources, and risk management.
It is important to remember that 25 May is not the finish line, but the starting point. Surveys from Symantec show that most companies will not be in good shape when GDPR comes into force.
This is a small tragedy, since the law will be enforced from that day onwards, and the Article 29 Working Party has confirmed that the date will not be extended. It is set in stone.
Even so, the opportunity for organisations to reinvent themselves in GDPR’s wake is massive. The law invites them to design some processes almost from scratch and, most importantly, to define controls, policies, standards, and guidelines to fully understand the information lifecycle.
In the ‘cloud’ era of remote computing, this is no small task. Organisations often use many different remote services, with different departments’ choices creating other data governance problems.
Some of these services will have been accessed without the knowledge of the IT, risk, compliance or procurement departments. This approach is sometimes called ‘shadow IT’ or ‘shadow data’. GDPR is aimed at avoiding these situations and educating everyone in the corporation on cyber risk.
Technological changes, when paired with organisational ones, have made it cheaper to encrypt information automatically when sensitive information is detected in a document.
Software can also trigger robust authentication for certain ‘circles of trust’ and embed security within the document, so that, no matter where the data goes, access can be revoked.
Such an approach is at the heart of modern data governance, adapting and adopting mechanisms that provide control, visibility, protection and defence.
That is the overarching goal of GDPR and one critical aspect of the National Institute of Standards and Technology’s governance definition, which includes strategy, tactics, risk management and the responsible use of resources.
Responding to this change is not going to be easy, but it is possible. At the very least, GDPR will force organisations to focus on their most important assets: people, data, users and information.