It was the fall of 2016, and I winced at the title of the article: “Is YOUR Organization Ready for GDPR?” I thought to myself, what was GDPR again? It sounded like a device used on CSI to lift fingerprints from a moving ceiling fan. Turned out the General Data Protection Regulation (GDPR) was a new law approved by the European Union (EU) Parliament that was set to significantly change data privacy – and soon.
Fast forward a little over a year, and emails and articles full of GDPR buzzwords were filling up my inbox. Buzzwords or not, as a cyber security consultant I had to find out for myself, so I grabbed a croissant and some hazelnut spread and prepared to ingest this 88-page manuscript four years in the making.
What I discovered is that in the aggregate, GDPR is a security professional’s dream, and perhaps a newly-forged secret weapon. I didn’t get very far through the document before realizing the questions GDPR emphasizes are ones I’ve been asking my clients for years that they could never answer. Important questions like:
- What data are we as a business collecting? Is the data relevant to our business practices? (Purpose limitation)
- Do we have a business case for all the data we’re collecting? How soon do we foresee using it? (Data minimization)
- How is the data updated? What happens if it gets stale? (Accuracy)
- At what point or under what conditions is the data deleted or removed? (Storage limitation)
- How is the data we’re collecting protected against unauthorized access, tampering, loss, destruction or damage? (Integrity and confidentiality)
- Who is ultimately responsible for data protection? (Accountability)
- After we protect the data, where are we going to eat lunch? (Satiability)
Okay, that last one I made up, but these questions are business critical for all organizations, especially those that collect personal data and fall under the GDPR’s purview. Most companies I’ve worked with couldn’t really tell me what types of data they collected, how many servers that data was stored on, or who could access it. The most common approach to data collection I’ve found is the Pokémon method of “Gotta Catch ‘Em All,” typical of the big-data mentality that has ruled the online domain for over 10 years.
If you fall under GDPR regulation, your near-term intellectual future has been decided: you must comply. You (hopefully) have already started the arduous process of digging through the information your company collects and asking, “do we need this?”
Who’s Affected by GDPR?
As noted in the FAQs on the official GDPR website, “GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” The fines for non-compliance are quite hefty (up to €20 million or 4 percent of worldwide annual turnover, whichever is higher) and could potentially impact many businesses that don’t actually conduct business in the EU but which hold data on EU subjects, such as contacts in sales and marketing databases. Personal data can include “anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
According to a GDPR survey and compliance report conducted by Crowd Research Partners and Cybersecurity Insiders, in most organizations, IT (27 percent) and Information Security (25 percent) teams have primary ownership for meeting GDPR compliance (52 percent). However, this task is not just for IT or information security. It will be a multi-departmental effort and should include heavy involvement by business operation leaders and data architects.
I can imagine the discussions on data retention are right out of a scene from the show “Hoarders” where someone wants to throw away Aunt Vicki’s decapitated doll collection covered in some brown jelly-like substance, but Vicki shrieks, swearing to disown the whole family if her prized treasures aren’t kept. As is the case in “Hoarders”, for business operations and data security, the most successful cases force participants to do what they should have been doing all along: communicate, listen, and work together.
For organizations that don’t have to comply, this is actually a perfect chance to take a step back and take a scrutinizing look at your data collection practices. First, go download and watch a few episodes of “Hoarders” to get some inspiration. After you’ve done that, consider that now is a good time to start building a map of all the data your organization collects. Here are a few tips to get you started:
- Get CISO or C-suite buy-in. The mapping process can be time-consuming, and you’ll need their blessing before you start dissecting your organization.
- Start with the needs of the business. This means asking questions about the way your organization works. Focus on inputs, processing, and outputs, and be intentional about following the entire lifecycle of the data from collection through use to destruction.
- Add structures and relationships to your map by keying in on a few verbs: store, process, transmit, use, access, create, and dispose.
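To make the mapping tips above concrete, here is an added example (mine, not part of the original post or any GDPR guidance) of a tiny data inventory that records assets and the (system, verb, asset) relationships built from those verbs, then checks each personal-data element against the principles listed earlier: no documented purpose, no retention period, no disposal path, no owner, stale verification, or stored but never used. The system names, data elements, dates and the 365-day staleness threshold are all hypothetical, constructed for the demonstration.

```python
"""Minimal personal-data inventory with lifecycle checks (added example, hypothetical data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# The relationship verbs from the mapping tips above.
VERBS = {"store", "process", "transmit", "use", "access", "create", "dispose"}


@dataclass
class Asset:
    """One data element in the inventory; each field maps to a GDPR principle."""
    name: str
    personal: bool                        # is this personal data?
    purpose: Optional[str] = None         # purpose limitation
    retention_days: Optional[int] = None  # storage limitation
    owner: Optional[str] = None           # accountability
    last_verified: Optional[date] = None  # accuracy


class DataMap:
    """Assets plus (system, verb, asset) relationships."""

    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}
        self.relations: Set[Tuple[str, str, str]] = set()

    def add_asset(self, asset: Asset) -> None:
        self.assets[asset.name] = asset

    def relate(self, system: str, verb: str, asset: str) -> None:
        """Record that <system> <verb>s <asset>; reject unknown verbs or assets."""
        if verb not in VERBS:
            raise ValueError(f"unknown verb {verb!r}; expected one of {sorted(VERBS)}")
        if asset not in self.assets:
            raise KeyError(f"asset {asset!r} is not in the inventory")
        self.relations.add((system, verb, asset))

    def systems(self, verb: str, asset: str) -> Set[str]:
        """Which systems <verb> this asset? e.g. systems('store', 'customer_email')."""
        return {s for (s, v, a) in self.relations if v == verb and a == asset}

    def findings(self, today: date, max_stale_days: int = 365) -> List[str]:
        """Flag personal-data assets that fail one of the principles (sorted)."""
        out: List[str] = []
        for a in self.assets.values():
            if not a.personal:
                continue
            if not a.purpose:
                out.append(f"{a.name}: no documented purpose (purpose limitation)")
            if a.retention_days is None:
                out.append(f"{a.name}: no retention period (storage limitation)")
            if not self.systems("dispose", a.name):
                out.append(f"{a.name}: no system disposes of it (storage limitation)")
            if not a.owner:
                out.append(f"{a.name}: no owner (accountability)")
            if a.last_verified is None or (today - a.last_verified).days > max_stale_days:
                out.append(f"{a.name}: not verified in {max_stale_days} days (accuracy)")
            used = self.systems("use", a.name) | self.systems("process", a.name)
            if self.systems("store", a.name) and not used:
                out.append(f"{a.name}: stored but never used or processed (data minimization)")
        return sorted(out)


def build_example_map() -> DataMap:
    """Constructed sample inventory; every system and data element here is hypothetical."""
    m = DataMap()
    m.add_asset(Asset("customer_email", True, "order confirmations", 730,
                      "ecommerce-lead", date(2018, 1, 15)))
    m.add_asset(Asset("lead_phone", True, None, None, "marketing-lead", date(2017, 3, 1)))
    m.add_asset(Asset("product_sku", False))  # not personal data, never flagged
    m.relate("web-shop", "create", "customer_email")
    m.relate("crm", "store", "customer_email")
    m.relate("crm", "use", "customer_email")
    m.relate("retention-job", "dispose", "customer_email")
    m.relate("crm", "store", "lead_phone")       # hoarded: stored, never used, never disposed
    m.relate("web-shop", "store", "product_sku")
    return m


def example_findings(as_of: str = "2018-05-25") -> List[str]:
    """Run the checks against the sample map as of the given ISO date."""
    return build_example_map().findings(date.fromisoformat(as_of))


if __name__ == "__main__":
    for finding in example_findings():
        print(finding)
```

Run as-is, the only findings are the five against `lead_phone`, which is exactly the Aunt Vicki doll collection: stored in the CRM with no purpose, no retention period, no disposal path, no use and no recent verification. Re-running with a later date surfaces `customer_email` under the accuracy check once its last verification ages past the threshold, which is the point of keeping the map alive rather than producing it once for the auditors.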
With the May 25, 2018 deadline rapidly approaching, there is a lot of buzz around GDPR. As a security professional, take advantage of the spotlight on personal data security to pin down the basics you’ve probably been begging your C-suite to help you define: what data you hold, why you hold it, where it lives, and who can touch it.
Leverage GDPR like your secret weapon, but don’t use it to get fingerprints off a moving ceiling fan. Turns out that doesn’t work.
NOTE: No ceiling fans were hurt in the writing of this blog.
You can follow Ryan Clancy on Twitter @RyTheCyberGuy.