Implementation times too long

While 25% said they had no idea how long it would take to implement new tools and pass a “right to be forgotten” audit, others did provide a timescale. What is clear is that this is not a simple process that can be rushed. Responses ranged from less than 3 months to over 3 years. For many respondents (60%) the time required would be up to 1 year.

This is good news for companies, as they have until 2018 when the GDPR is due to go live. However, sitting around and putting it off will not make this any easier, and there is a real risk of companies still scrambling to put the required processes and tooling in place when the deadline arrives. Interestingly, the survey did look at which stakeholders were the most concerned about data privacy.

The department with the least interest in data privacy (2%) was called out as Marketing. This is not necessarily fair, as marketing departments do tend to use some anonymised data for campaigns; however, buying in lists and reusing them without permission from those on the list is a problem.

There was also a surprise in that the departments and individuals who might reasonably be expected to be big supporters of privacy were called out as being completely disconnected. Both the Legal department and the compliance team, who should be setting out policy around privacy and data security, were named by just 7% of respondents. The CIO/CISO fared little better, with only 8% believing that privacy was a key issue for them.

As with many things around technology, it was believed that IT has the most interest in privacy. In reality that is probably more to do with the job function than anything else. The challenge for IT, however, is the amount of data that is being exfiltrated outside of the organisation through the use of cloud services.

As reported by Skyhigh Networks, the number of cloud services inside the average organisation continues to increase. Chief among the services used are collaboration and file services, many of which are not enterprise grade when it comes to security, nor under the control or oversight of IT departments. This means that data management tools and any attempts to implement a right to be forgotten policy are being hampered by the data flooding out of organisations.

Can Europe export GDPR as a global standard?

Perhaps the most surprising responses were those to the question: “Do You Believe Other Countries/Regions Should Implement Data Protection Laws Similar to GDPR?” While 65% said yes, 14% said No and 23% said Don’t Know.

The biggest challenge here is not China but the US. The recent Safe Harbor ruling from the European Courts has created problems for the transatlantic alliance and for data sharing. Even with a new version of Safe Harbor under discussion, the best the US will offer is to look again at data protection. This is not exactly the ringing endorsement of privacy protection that Europe would like.

Running parallel to all of this is the Transatlantic Trade and Investment Partnership (TTIP), where all information inside Europe has been marked as secret and not for public discussion. Before the EU Commissioner responsible took such a draconian action, it was being reported that TTIP would provide an opt-out for US companies around GDPR and other legislation through secret processes.

This would, of course, undermine the GDPR and limit its impact. At the same time, the UK debate over the proposed Investigatory Powers Bill is also felt to be a risk to privacy by removing encryption. The US and China are close to announcing their equivalents, with India and France also looking to weaken encryption. As encryption is a key element of protection, these moves seem to run counter to the protections set out in the GDPR.

Interestingly, it seems that this was sidestepped by the survey, with no attempt made to ask what risks respondents saw to effective implementation of GDPR. Perhaps we will see that in the next version of the survey.

A 12-step GDPR action plan

As part of the survey, Blancco has published a 12-step action plan to help companies prepare for GDPR. It is a mix of auditing, data discovery, processes, tooling, internal education and cultural changes that companies can adopt and work through. For many large enterprises it will be interesting to see how it maps to their existing systems and what they can do to strengthen their existing solutions.

The 12 steps are:

  1. Conduct Internal Audit
  2. Create written documentation
  3. Remove data securely
  4. Provide proof of data removal
  5. Deliver customer communications
  6. Incorporate mobile device management
  7. Collect data responsibly
  8. Drive cross-department collaboration
  9. Implement education and training
  10. Appoint Data Protection Officer
  11. Monitor risk management
  12. Develop incident response plan

None of these are new, and all should be part of existing processes inside organisations. While we are two years away from implementation, companies need to consider looking at what they currently provide and what is missing. The tools and processes have already been identified as issues. However, many companies still don’t provide a link to their Data Protection Officer via their website.

Clawson believes that: “If organizations want to be ready for GDPR compliance by 2018, they will need to assess their current weaknesses. Once they have done so, they will need to develop end-to-end data lifecycle management processes, create transparent processes and customer communications regarding their data removal methods/tools, and finally, improve their security posturing as a whole to include detection and response and the gathering and sharing of threat intelligence.”

Conclusion

The explosion of data and IT systems means that privacy has often been overlooked or even ignored inside a lot of companies. In most cases it can be argued that the policies, processes and tools required to be GDPR safe are already available and should already be in place.

One of the big challenges that we will hear more about over the next year is likely to be the risk that big data and analytics pose to privacy. It is already fairly easy to take disparate data sets and combine them to identify detailed information about individuals. Building the processes and tools to prevent a privacy breach during data analytics will challenge any company.

Irrespective of how hard any of this is, 4% of global turnover or the much reduced upper limit of $20 million should help to focus corporate attention on the need to address privacy. If it doesn’t, European regulators could begin to levy large numbers of fines, which could put the survival of some companies at risk.

1 COMMENT

  1. It is important to flag that point 6 (fines) is incorrect. Fines have not been capped at €20m; the wording states that the maximum fine is the GREATER of €20m or 4% of global turnover so companies with a global turnover of more than €20m will be liable for the higher amount. Otherwise, a useful article. Thanks.
