GDPR: The first year in practice
May 25, 2018—the official go-live date of the General Data Protection Regulation (GDPR)—was, without doubt, a date firmly etched in the minds of every Chief Information Security Officer (CISO). Now that we are just a few weeks away from GDPR’s first anniversary, the regulation has heralded the arrival of significant changes for all European organizations, and indeed global companies that do business with European citizens.
The changes at a glance
In the EU, personal data can only be gathered under strict conditions and for legitimate purposes—those who collect and manage people’s personal information must protect it from misuse. There are now more obligations, potential liabilities, new and expanded rights, and significant penalties for those that get it wrong. The new 72-hour reporting window, simply put, means all organizations must gather all related information and report data breaches to the relevant regulator within the allotted timeframe. This is a significant undertaking for any organization and involves developing and provisioning a comprehensive response plan.
A year in practice: the business perspective
By their very nature, regulatory changes tend to be rather nebulous at the outset, evolving according to legal precedents and standards that are set by those that fall afoul of the requirements. This “evolution” creates significant uncertainty, both for those that are the first to be fined under the new rules (as Google discovered with the 57M USD fine levied by the French CNIL) and for everyone else. Against this backdrop, in the early stages of GDPR, I have had a number of interesting conversations with organizations around the world regarding their experiences so far.
Indeed, many of the U.S.-based CISOs with whom I have spoken reported that their organizations have embraced GDPR as their de facto global standard across the enterprise, as they have found this an easier and more cost-effective way to accommodate the new requirements, rather than segmenting off European-related operations. Additionally, they say it is imperative that enterprises work with employees and customers to ensure that they understand that security-related activities are being implemented to protect them and their privacy, thereby protecting the enterprise. Ensuring the privacy and security of enterprises, employees, and customers should be considered the first line of defense.
While it is entirely understandable that CISOs and privacy officials have been preoccupied with GDPR over the past year, I would argue that compliance with this, and indeed all major regulations, should ultimately be a natural by-product of focusing on best-practice security and privacy operations, and that this is where organizations should be focusing their scarce resources and efforts. What’s more, these best practices must be adopted and implemented across the entire enterprise. All of this activity comes in addition to CISOs’ and privacy officials’ obligation to ensure that their businesses can adapt quickly to changing business requirements, all the while dealing with the patchwork requirements created by differing regions and countries. This inevitably contributes to the difficulty of maintaining compliance while enabling their enterprises to protect and drive revenue.
Another factor to take into consideration, not only in EMEA, of course, is Brexit. The uncertainty regarding what the eventual outcome will be is creating a myriad of new challenges for organizations. With regard to data protection, however, the fallback can be to rely on the EU standard contractual clauses for data transfers between EU and non-EU countries. If the common foundation for data privacy is lost due to an unregulated withdrawal, these clauses will still ensure adequate data protection is in place.
GDPR is in its relative infancy and will require a degree of flexibility from impacted organizations as precedents are set and standards evolve. In the midst of this confusion, I believe the best way for companies to proceed is to ensure that their “ducks are in a row” in terms of privacy, data, and security and that they’re applied uniformly across all regions in which they operate. Businesses should also concentrate on ensuring employee security and privacy as the first line of defense for the enterprise, thereby allowing GDPR to be adhered to naturally instead of purely ticking the GDPR boxes.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Stan Lowe is the Zscaler Global CISO