If you approach GDPR as if compliance is all that matters, then you’re bound to fail – data protection should be at the heart of business strategy.
Unless you’ve been on a retreat to outer space, you will have noticed a bit of noise about the European Union’s (EU’s) General Data Protection Regulation (GDPR).
It’s everywhere across the industry, and the security sector has been prominent in promoting the fear, with a whole plethora of newly self-proclaimed experts to the fore.
Apparently, the world and its mother can make you GDPR compliant, at a variety of costs, while delivering a variety of value – if any at all. In every aspect, it is all about compliance, with the majority of noise from organizations being about the need to comply with GDPR.
If you’re focusing on compliance then you are likely to be ineffective, but maybe you will manage to tick a few boxes along the way. You might get a feeling of being “fully compliant”, but even then it is only a point-in-time view.
Of course, being compliant with the regulation is a good thing, but it does not protect you from a breach of your data, nor the business impact a breach would have. There is no evidence to support the view that being compliant will reduce the chance of a data breach.
A dose of reality
It’s not just fines that you should worry about, but stock value, potential class action and customer trust, for example. This isn’t to throw more fear at you like everyone else, but to offer a little dose of reality.
You are not going to prevent every attack or mishap imaginable, and nor should you aspire to, but can you demonstrate reasonable measures in the safeguarding of that data? Can you protect the value of that data to your organization? Your corporate objective is therefore not to map to the law, but to protect data.
The key to GDPR, and every other regulation in this space, is a sound approach to data protection across the organization. It’s not a security or a technology problem, but a holistic business problem.
GDPR is just the latest regulatory theme, building on the 1998 Data Protection Act (DPA), founded on taking care of, and lawfully processing, personal data.
It’s a new regulation, but data protection is not new. The requirement to protect data has always been in place, but this is another shot in the arm, with potentially far more serious consequences for those organizations that cannot demonstrate they are taking data protection seriously.
It is time to stop flirting with data protection. Your customers, employees, senior stakeholders and regulators are demanding that you get married to data protection, and that you show evidence you are taking it seriously.
Compliance is futile
Focusing purely on compliance is the wrong approach. There have been many compliant organizations that still encountered serious issues with data protection, and suffered significant impact as a result.
Those organizations were compliant with regulations and yet got breached and still suffered – how can that be? Because focusing on compliance only gets you so far. It’s a narrow scope, when data protection isn’t narrow at all.
Of course, the initial focus is always to “pass the test”, not to actually improve and mature. It’s almost always a point-in-time assessment, only revisited when a regulation dictates or for the purposes of inclusion in the annual report.
How often have we seen an annual report, where the board refers to its confidence in the company’s cyber security and the assessment undertaken by an expert? Ask yourself, how static was that assessment, the scope, who undertook the investigation, how thorough was it and what were the limitations therein?
A true approach to data protection should be embedded into your business, strategies, transformation and commercial arrangements. This will lead to a far more mature stance, and with that comes compliance.
Shades of grey
A rather large number of organizations are not compliant with the DPA today, so let’s not pretend everyone is going to be compliant with GDPR tomorrow, or even close.
However, being ignorant of a law has never amounted to a good defense and it will be interesting to see how many organizations report breaches once mandatory reporting comes into effect in May 2018.
The trouble with GDPR is that it is a regulation, and regulations are rarely black and white. There’s plenty of grey in there, although it has been generally well thought out and in most cases a layman can grasp the basics. We will only begin to understand the final position of some aspects through the results of the inevitable court cases and legal challenges.
What is needed is sufficient subject expertise and business knowledge to make a sound judgement. Each case depends on its circumstances and it is always a risk-based decision, but you will struggle if you fly blind.
However, the raising of the value of potential fines – up to €20m or 4% of your global revenue – from the insignificant amounts under DPA may show intent on the part of regulators, and I fear for those organizations that take a wait-and-see attitude, with no intention of becoming in any way compliant come May 2018.
What does the market say?
The market mostly talks about compliance, but there are a series of different solutions.
Let’s start with the cheap and cheerful few-hundred-pound useless assessment. It’s not always the case that you get what you pay for, but with a complex subject such as data protection, or even GDPR, then you really will get what you pay for. A few hundred pounds for even a light-touch GDPR assessment – a law that took the Council of the European Union years to settle on and that runs to 260 pages? Give me a break.
Then there are the more comprehensive consultative engagements. How many of these involve cut-and-paste consultancy, and how much value do they actually drive? I’ve seen a lot of these reports gather dust on a shelf, which is why they are often referred to as shelfware. Such a report is also often a lead into a longer engagement.
There’s nothing wrong with that, but I struggle to see where the intelligent customer comes to the fore in terms of determining the right next steps and prioritization.
It requires serious practical knowledge, experience and business empathy to determine what’s possible, what should be done in what order, and what should just be documented and accepted in terms of risk. The truth is the consultants have no interest in empowering you. It is the tail wagging the dog in many cases.
A blinkered approach
Another common approach is software systems that look to address certain aspects of GDPR/data protection.
For example, discovering your data and encrypting it is the panacea offered by many. It sounds good, but it is a very blinkered approach in terms of actual data protection, and it ignores the fact that no system will discover all of your data. Of course, data also needs to be accessible, so the encryption cannot impose a processing overhead.
As an attacker, I’ll compromise something that has legitimate access to the data, this system will decrypt it for me and then I’ve got your data. That is the path of least resistance.
The final common offering comes from the hundreds of firms suggesting they can make you GDPR compliant without first understanding your business. This is impossible.
Each business is different; unique in its own ways. It’s the same for data breaches – what can we learn from another organization being breached? Nothing at all.
Another organization’s breach differs from your organization in so many ways as to make it nigh-on impossible to draw anything significantly worthwhile from it beyond the fear of being breached yourself.
If you don’t understand the nuances and complexities of an organization, their processes and future vision, then how can you ever offer to make them compliant with anything? These off-the-shelf, one-size-fits-all systems are also useless.
A lot of organizations will be spending an immense amount of money ineffectively.
To DPO or not to DPO?
We have an acknowledged cyber skills gap – or chasm. We can argue over the breadth of that gap, but one does exist. If you are looking for appropriately skilled security resources, then the gap widens.
Now we have another role that requires some very similar aspects of expertise – maybe not the ninja-grade examples that have been trotted about, but we need someone who is cognisant of GDPR regulations, the theme of data protection, the business, processes and all that goes with it.
There is a big job market looming as headhunters race to fill the skills gap, with a rigid interpretation of GDPR suggesting that tens of thousands of data protection officers (DPOs) are going to be required, and a lot of people and organizations that can make money out of exploiting the opportunities.
From your perspective, how do you know what to look for, or that what you’re hiring or contracting is any good? How will you measure it when most of the time it will be hidden from you? You could probably be a terrible DPO and get away with it, as most organizations will be wholly ignorant, without any means to test the value of their investment.
It is going to be tough to find the right resource, with the right level of gravitas and remuneration to make a good fist of this. It is hard, but it is also very much doable, if you get it right.
A proper practitioner
You could always outsource your DPO function. That’s fine, though again you must be an intelligent customer and do your homework. Most consultancies won’t provide someone with extensive experience as there aren’t that many to go around.
I would recommend understanding what that outsourced DPO has ever done in this space and where. If they’ve only ever done theory, then don’t hire them.
Look for someone who understands what it is to truly assess an organization and make demonstrable positive changes – somebody who understands risk and business process. They will be hard to come by, but then why are you hiring a DPO unless you’re taking data protection seriously?
When you look at the skillset as specified in GDPR Article 39, which covers the DPO requirement, don’t you think that person would be an excellent addition to your team? Unless you’re just ticking an “I’ve got a DPO” box, in which case, good luck.
The DPO should be a proper practitioner – not a hobbyist or a fresh-out-of-university graduate, but someone with some battle scars, who has succeeded and made mistakes.
Don’t go for someone who only knows theory, but someone who has worked at the coalface in complex organizations and still managed to deliver positive outcomes that are transparent to the business operation and support the business vision.
Are you doing it wrong?
If you’re simply aiming to be GDPR compliant, or if you’re running GDPR compliance as a security program or looking to tick boxes, then you’re doing it wrong.
If you’re trying to do it on the cheap because you can’t see the value of a robust and resilient data protection strategy, then you’re doing it wrong, and you’re taking a significant risk.
Data protection doesn’t have to be expensive. It needs to be focused in the right areas that will provide a demonstrable return and a demonstrable improvement from a current position. To garner a current position, you must understand the business. It cannot happen any other way.
An assessment is key: it enables an organization to be an intelligent customer, to seek to remediate specific risks, and to provide the legal teams and the board with a position which can be defended. There will be lots of quick wins to demonstrate that a data protection program is having a positive impact, even if only for your lawyers.
Data protection should be embedded at the heart of your business strategy and business transformation. It enables you to build data protection by default in all that you do. It isn’t easy, but it is a business imperative and does enable you to use your transformation to your advantage in terms of data transparency and safeguarding.
If you retro-fit data protection to your programs you will likely extend costs by roughly a third. Retrofitting security or data protection is hard, cumbersome, expensive and tends to be detrimental to the overall business outcome of the change. Building it in up front allows you to build transparent data protection that is in no way inhibitive to the desired business outcome.
All too frequently companies miss opportunities to adapt or take advantage of change. Detecting “fault lines” is essential to survive, and when it comes to the corporate objective to protect data, you have to ask: where are you as a business leader if you are missing or dismissing all the warning signs of a big fault in your business?
Be intelligent in how you do it, and don’t just look to “buy” data protection – it doesn’t work.