Core Advisory
Risk Transformation
Enterprise Security Architecture
Cyber Defense and Incident Response
Emerging Technologies & AI
Authors: Alisa Moretto, Sr. Manager, GRC Strategy & Enablement and Samuel Bradley, Director, GRC Strategy and Enablement
The European Union General Data Protection Regulation (GDPR) is an important priority for most large enterprises in 2018. While officially approved almost two years ago, the provision will go into effect this May. The recent attention is warranted — there are aspects of the regulations that will take organizations a lot of time to move into compliance. In fact, Gartner predicts that by the end of 2018, more than 50 percent of companies affected won’t be in full compliance with the GDPR requirements.
US-based organizations should know that the GDPR not only applies to organizations located within the EU but also to any organization that offers goods or services to — or monitors the behavior of — data on EU subjects.
While compliance with regulations is often seen as onerous and without benefit, there are some positive aspects for US-based companies. This is especially true with things as complex as the international privacy law. It pays to look at these new mandates with a glass-half-full approach and analyze both the positive and potentially negative aspects of data protection regulation.
Pseudonymization and Encryption
Most people know what encryption is, but ‘pseudonymization’ (spelled ‘pseudonymisation’ in the regulations) may be a new term. While similar to what they are aiming to achieve, they are implemented in different ways, and both have trade-offs. In either case, both will help organizations keep their data secure while at the same time lessening the impacts of the regulation.
Under Article 34, encryption is specifically called out as a method where communication of a data breach would not be required. Such a disclosure is something organizations may want to avoid.
Under Article 32, pseudonymization is called out as a security protection measure, and under Article 25 it is specified as an appropriate technical and organizational measure to help ensure data protection.
Of course, the work that must be done in keeping data secure is not easy. There is always a cost (processing, speed, dollar) and often encrypting all data could make working with the data almost impossible. However, using approaches such as pseudonymization — and ensuring all files are encrypted in transit and storage — will go a long way toward increasing an organization’s risk and security posture, not to mention making the requirements of the GDPR less onerous.
Off to the “One-Stop-Shop”
Similar in concept to the local big box store, the one-stop-shop for data protection can help organizations deal with the complexity of working in up to 28 different countries. If an organization has multiple establishments in the EU, it should get to deal with a lead authority, a main regulator. This was in fact one of the key drivers behind creating a new regulation – consolidating the data protection laws throughout Europe.
While the vision for such a simplified approach is well-intentioned, the implementation has proven to be a bit difficult.
There are worries over data controllers with broad processing activities cherry picking the best location for their “shop.” There are also concerns that there could be difficulties for people looking to enforce their rights in locations far away from where they reside. To address these concerns, there are other mechanisms in place. For example, supervisory authorities in individual countries remain able to investigate and enforce data protection laws if a complaint is directed to them. A national supervisory authority (SA) can also start an investigation despite not being the lead SA as long as it notifies the lead SA of its intentions (which kicks-off a whole other set of procedures).
The legislators obviously tried to strike a balance between the protection of individual rights and eliminating the administrative burden in cases involving multi-jurisdictional data processing. While the one-stop-shop may not be what was envisioned, it should bring greater consistency for organizations working in multiple European jurisdictions.
Privacy by Design
The regulation mentions — more than once — the need to “implement appropriate technical and organizational measures” to ensure compliance. Using the regulation as a driver, organizations can (and should) adopt “principles of data protection by design and by default,” making sure that privacy is embedded into any new processing or product that is deployed. This means (a) upfront planning and additional work at the beginning of any new process or product, and (b) the inclusion of skilled individuals to oversee design. However, there are challenges. For example, organizations will need to demonstrate compliance while reducing the cost to the business.
A few rules of thumb: it is always less costly implementing privacy upfront rather than adding on top of a fully developed process or product.
In addition, to achieve the positive results of privacy by design, organizations can include privacy assessments in the design phase of projects. And as the regulation states, this principle should also be considered when working with other parties or data processors.
Preparing for Data Breaches
At first glance, a discussion about data breaches might not seem relevant to the regulation. In these times, however, organizations must understand that it is not a question of if there will be a breach of their systems and data, but when, and the regulation recognizes that.
Under Article 33, the controller at the organization will need to notify the supervisory authority within 72 hours of being aware of a breach (unless the organization can show that the breach has caused no actual risks for the data subjects or other individuals). Article 34 has the requirement to notify data subjects about breaches “without undue delay”.
So what are the positives? As Benjamin Franklin said, “an ounce of prevention is worth a pound of cure.” Mr. Franklin was addressing fire safety, but a breach often feels like a fire drill. Notification requirements will likely not be the first — or second or third — thing on your mind. Now — and on a regular basis — would be the time to update internal procedures for handling data breaches, and of course include notification processes in the documentation.
Conclusion
International privacy law is complex, and the GDPR will be challenging for many organizations. However, by looking at the potential outcomes one can see positive results both for organizations and individuals. With the right approach organizations in the EU and the US can use these new requirements for the impetus to drive competitive advantage. Compliance with GDPR will put organizations in compliance with various other industry standards in addition to federal and state regulations and keep their customers and data secure.
If your organization is having difficulties launching a GDPR program or if the costs and complexity are too high, let’s talk. Edgile provides clients with a process-driven automated approach to GDPR. We start with a 3-day workshop to quickly assess your current state and future plans. Then we provide practical approaches to get your organization moving toward GDPR compliance in time for the 2018 mandates.