In my last blog, I discussed European Union (EU) General Data Protection Regulation (GDPR) readiness—more specifically, how examining your company’s corporate culture is the first place to start. But there are details I’d like to cover today to help you feel confident in your ability to meet the major parts of GDPR. Let’s take a closer look at master data management, access governance, cybersecurity, and the Internet of Things.
Other similar legislation
While we’re looking at the GDPR, it makes sense to consider other related regulations and legislation that companies are also going to have to deal with in similar timeframes. I am thinking of the following (although there are others):
- NIS: Directive on security of networked information systems, which is more industry-specific, but also has data breach reporting requirements
- ePrivacy: PECR reform, the “cookie directive” that may become a regulation and also has consent registration and privacy requirements
- WP29: Article 29 Data Protection Working Party looking at privacy and transfer of data outside EU or preapproved countries, which is one of the compliance aspects of GDPR
Investment in organizational and technological change for GDPR will have complementary relevance to the above. Compensating controls will exist; investments can be consolidated.
A lot of companies will have adopted compliance standards and frameworks like ISO27001, ISO3100, COBIT, three lines of defense. I am aware of the debates surrounding each of these (for example, whether or not there should be four lines of defense). But on the whole, they are systems that document approaches for sound business management and reporting. The point here is that adopting these standards and frameworks will again provide compensating controls that will assist with areas of GDPR compliance.
Master data management
A significant challenge with any business these days is the so-called “single view of the customer.” For example, there is:
- A fundamental operational driver behind this (do I really know who my customers are and where precisely and completely I can get that data?)
- An operating cost driver behind this (multiple instances of what is actually the same customer is a waste of IT resources and costs)
- A regulatory driver behind this (like keeping personal data accurate and being able to confidently address data subject access requests)
Digitalization and digital transformation (or whatever you label it), is something of a fashionable phrase. But it’s clear that any company that does not reduce its IT and data management operating costs will never be as competitive and agile as one that does.
Master data management is either a precursor to, or a fundamental part of a digital transformation and data volume minimization. It also puts you in a more resilient position to safely accomplish the right to erasure for GDPR needs.
The modern definition of an employee, supplier, and customer is considerably more amorphous than it ever was in the past. And it will become more so in the future. We have full-time and part-time contractors, the “gig economy,” business process outsourcing, suppliers that are competitors, joint ventures, co-option arrangements, customers who are employees, and partners that work for competitors (to name a few examples).
We need to give people managed access to systems and data for them to do their jobs on our behalf—ideally just the right amount. Their function and responsibility will change over the time they work for us, which will require changing what systems and data they have access to. We need to remove their access when they stop working for us. If they come back to work for/with us, we probably want to have recorded and reuse what their skills and competencies were in the past.
Managing this efficiently is challenging. Managing it inefficiently however, is a significant operational cost (like downtime when onboarding or changing roles), financial cost (fixing segregation of duties), and security risk to the business (leavers still having access to admin accounts).
Overlay this onto the master data governance and digital transformation roadmap, and the complexity is made more challenging.
However, addressing these are major “thruster rockets” for your business to become leaner, more agile, safer. It gives you a solid foundation to the operational and technical changes to address data breach and processing security breaches for GDPR. It could also reduce your dependence on encryption and pseudonymization.
Cybersecurity and IoT
Multipliers abound in this aspect: proliferation of end-point devices, exponential increases in data volumes, increase in the value of personal data, plus industrial espionage, and sophistication of cyber criminals. Identity theft is one of the fastest growing crimes in the world, and ransomware attacks are also growing.
And because we are all connected, and actively striving to become more interconnected, this truly is a global phenomenon.
The concept of zero-trust is replacing older paradigms for system security. There is growing realization that application-level security (as opposed to infrastructure-level security) is under-represented, under-resourced, sometimes dismissed. However, your intellectual property and personal data are at the application level, and this is where the focus will shift.
We’re also moving increasingly towards use of robots and machine learning, releasing even more automated interconnectedness.
I don’t want to belabor this aspect in this blog (or it will take over this blog). It’s probably enough to say that it is typically in the top three of most company’s top 10 risks list, and national governments, for that matter.
Impacts of a cybersecurity event are many-fold and include:
- Financial loss (fines, loss of sale)
- Operational (inability to run the business properly from ransomware, DDOS)
- Reputational damage
- Cascading combinations
The way the world is evolving means that this is not an optional aspect. Companies must address this if they want to operate in the modern world. I would say that the investment required is directly proportional to the size of your business (pick any global business) or the reliance on your business for society to function (like healthcare, utilities).
Addressing this aspect will give you a significant development in your operational and technical abilities to address data breach and processing security breaches for GDPR.
The upside for the modern business
The points I’ve laid out in this blog hopefully provide substance to—and confidence in—your ability to deliver a modern business. And as a consequence, you’ll then be well on your way to meeting a major part of the GDPR.
And the upside for just such a modern business? To quote ICO commissioner Elisabeth Denham again, “I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy and dignity of individuals. Over time this can play a real role in consumer choice.”
To take it further (with help from Stephen Covey’s book The Speed of Trust):
- If your customers trust you, your speed of operation and security of revenue generation will increase.
- We judge ourselves on our intentions; we judge others on their actions.
Addressing the GDPR is not just about avoiding fines. See it as putting “good sense” changes in place to underwrite your growth as a modern business.
- To learn more about the new regulations, read our other GDPR blogs.
- For more on all GRC topics, visit our GRC category page for a complete list.