Enterprises everywhere are bracing themselves for Europe’s new General Data Protection Regulation (GDPR). Scheduled to come into force in May 2018, GDPR applies to any organization—regardless of size or geography—that processes or stores data containing personal particulars, or personally identifiable information (PII), of European Union citizens. Short of time or money to invest, enterprises are casting around for suitable candidates to take on the EU-designated role of Data Protection Officer (DPO).
One person stands out clearly for the role: someone who is already well-positioned to assess the risks and can be trusted to lead a team tasked with making any necessary changes. That person is the enterprise architect. For anyone not intimately acquainted with GDPR, the main process for driving compliance is constant risk assessment.
In business nothing ever stays the same for long. The organization is constantly evolving, growing the customer base, and adopting the latest information systems. At the same time, advances in technology allow cyber attackers to develop increasingly sophisticated threat techniques. GDPR says effective protection for sensitive data requires organizational risks to be continuously assessed for new vulnerabilities. It is also the only way to be sure insider privileges do not overstep the mark and weaken the company’s overall security posture.
Risk assessment comprises half a dozen basic steps compliance teams should follow in order to be GDPR compliant.
1) Assemble the right team
The compliance team should include anyone responsible for managing or processing PII. Start with the stakeholders: who is most likely to be affected by GDPR? This usually means those in charge of handling customer relationships, alongside the heads of marketing, HR, IT, and legal. The DPO who heads this team has overall responsibility for GDPR compliance.
2) Study other compliance standards and frameworks
GDPR lacks specific procedures and precise definitions, so use other compliance standards and frameworks, such as PCI DSS, as a starting point. They may serve a different purpose, but their primary goal of protecting sensitive data is the same.
3) Know your data
Classify the types of data you collect and store. Before you can begin to assess risks, you need to know which data is sensitive, where it resides, and who has access to it. Data classification is also essential for responding promptly to auditors’ requests as well as to spot security incidents, identify their root causes, and fulfil data portability requirements. Adopt a single platform for data governance and policy management. This will help avoid data storage fragmentation—a great risk to data integrity and therefore regulatory compliance.
4) Identify your unique risks
Identify the risks specific to your organization and classify them in terms of severity and likelihood using categories like high, moderate, and low. Determine exactly what valuable assets could be harmed by each risk. Each organization will have its own unique set of risks and possible consequences. A risk matrix can be a valuable cheat sheet to help ensure nothing is missed.
5) Determine your risk/benefit ratio
GDPR asks businesses to carefully weigh the benefits of processing data a certain way against the attendant risks. This means different organizations may score the same threat differently according to the chances of it occurring versus how effective mitigation measures might be. “The processing of personal data should be designed to serve mankind,” says GDPR. If this means storing more personal data, you can do so—just don’t forget to weigh up the need to process that data against the risk of storing it.
6) Repeat risk assessment continuously
GDPR requires risk assessment to be an ongoing process. This means constantly monitoring new data, discovering new risks, re-evaluating risk levels, taking mitigation action, and updating the action plan. Ensuring these measures are aligned with GDPR requirements requires full visibility into controls, processes, and practices at all times. This may mean, for example, having greater insight into and control over access permissions in order to minimize the risk of sensitive data being accessed by unauthorized people.
In summary, GDPR simply demands that every organization fully understands its own unique security vulnerabilities and takes appropriate steps to reduce or eliminate them. Regular checks are also required to ensure security best practices keep pace with changes in the business. Unlike other industry regulations that require inspection by external auditors, GDPR is entirely self-policing. If enterprise architects can demonstrate that the security systems in place are adequate for the business, then compliance with GDPR is unlikely to be a major burden on enterprise time and resources. A&G