By Fouad Khalil, VP of Compliance at SecurityScorecard
Since it came into force in May 2018, the EU’s GDPR has made many businesses nervous. This is hardly surprising given the recent high-profile cases that have seen the likes of British Airways and Marriott International being fined millions of pounds for non-compliance with the regulation.
There is also the perception that implementing the necessary changes to comply with the GDPR will be expensive and disruptive to the running of the business. But this does not have to be the case. In fact, complying with the GDPR can improve business processes and customer engagement, as well as making the organization’s IT network more secure. To achieve this, however, organizations cannot simply install the required infrastructure and then forget about it; they need continuous compliance to ensure that they are always meeting the requirements of the GDPR.
What is the GDPR?
The General Data Protection Regulation protects the personal data and privacy of all citizens and residents of EU member states. It applies to organizations in any country that handle the data of users from the EU.
Under the GDPR, personally identifiable information (PII) is defined as any data relating to any living person that can be used to directly or indirectly identify them. This could be a name, location data, online identifiers, bank account numbers, tax numbers and so on. If an organization is in doubt about whether the data it holds is personal or not, the failsafe position is to protect it.
Despite the view of some that the GDPR presents a minefield of regulatory requirements that could at any minute blow up in their face, it has actually greatly improved organizations’ chances of complying with data protection laws across Europe. Before the GDPR, there were different data protection rules for each member state of the EU, meaning that businesses working across borders often had a complicated task ensuring they complied with local laws. The GDPR has helped clear this up, so that not only do EU citizens know their rights, but it is also easier for businesses to collect and use data from other EU states.
A key principle of the GDPR is data security, confidentiality, and integrity, part of which is that organizations must only keep the minimum amount of data necessary to their business needs.
Dangers of not complying
Organizations that do not comply with the GDPR risk a large fine of either four percent of their global annual turnover or 20 million euros, whichever is the greater. Regardless of these fines, just having your name associated with a breach is bad for business, and the resulting losses are likely to be much worse.
Other impacts could involve the costs of defending lawsuits, updating infrastructure and security measures, along with having to potentially pay contractors or staff overtime to get these issues resolved.
Undoubtedly, the most difficult task facing any company in breach of the GDPR would be to repair its reputation, as it has to persuade customers, investors, and regulators that the situation has improved and that the organization can be trusted with data.
There is also the reality that much of the compliance with GDPR is rooted in having high-quality security and privacy processes in place. If these are absent, then an organization has a higher probability of becoming a victim of a cyberattack, with data necessary to the survival of the business at risk of being compromised.
Therefore, achieving and maintaining compliance with the GDPR is essential for any business wishing to avoid these risks.
Knowing what to address
When it comes to complying with the GDPR, knowledge is king. For instance, to effectively protect the personal data it holds, an organization must know what that data is and where it is. Therefore, identifying and classifying all personal data through enterprise-wide data mapping is essential.
An organization needs to know what risks there are to the security of its data in order to mitigate them and show it is proactively addressing any identified concerns. As such, organizations need to use tools that can scan for vulnerabilities and record remediation efforts. Aside from the obvious benefits of knowing when and where to update security and having confirmation that it has been done, having this information will satisfy auditors. If an audit discovers a potential weakness and risk to data being compromised due to a network security flaw, it will require verification that it is being remediated and there are adequate controls in place. Tangible evidence such as log files is important here.
Alongside this, an organization must conduct regular Data Protection Impact Assessments (DPIAs), ideally at least once a year. The assessments look at all the data connected to a particular project and make sure that all the risks are assessed. If an organization is meeting its security obligations, these risks should be minimal, as the necessary processes and procedures should already be in place to minimize potential threats. Conducting data mapping before starting a DPIA is highly recommended, as it allows for the identification of all the data assets in question, including their location and how they are being used.
To make sure that an organization remains compliant, it should consider automating continuous control monitoring. Take, for example, the continuous addition of assets to the system: every new asset needs to be checked and monitored in order to ensure compliance. Automating these typically time- and labor-intensive tasks helps to reduce the human error associated with manual processes.
Securing the network
Having a regular patching schedule is one of the most basic cybersecurity elements an organization can implement. Many hackers exploit vulnerabilities for which patches have already been released but not yet applied. The patching of operating systems, software and hardware demonstrates the ongoing monitoring and remediation necessary for compliance with the GDPR.
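The continuous control monitoring, vulnerability-remediation evidence and patching schedule described above can be expressed as a simple automated check. The following Python is an added example, not code from the article or from SecurityScorecard: it evaluates a constructed asset inventory against the controls the article names (data mapping of personal data, patch age, recorded remediation for open scan findings, a yearly DPIA) and produces an evidence log an auditor could review. The asset records, the 30-day patch and 365-day DPIA thresholds, and the control names are assumptions chosen for illustration.

```python
from datetime import date

# Constructed sample inventory (not from the article or any real system). Each record holds
# the evidence an auditor wants: PII flag, data-map status, last patch, open findings, DPIA.
ASSETS = [
    {"id": "crm-db-01", "pii": True, "in_data_map": True, "last_patched": date(2019, 11, 20),
     "open_vulns": [], "last_dpia": date(2019, 3, 1)},
    {"id": "web-app-02", "pii": True, "in_data_map": False, "last_patched": date(2019, 9, 1),
     "open_vulns": [{"ref": "SCAN-FINDING-PLACEHOLDER-1", "remediation_ticket": None}],
     "last_dpia": None},
    {"id": "build-srv-03", "pii": False, "in_data_map": True, "last_patched": date(2019, 12, 1),
     "open_vulns": [{"ref": "SCAN-FINDING-PLACEHOLDER-2", "remediation_ticket": "CHG-0042"}],
     "last_dpia": None},
]
TODAY = date(2019, 12, 15)  # constructed check date so the run is reproducible offline


def check_asset(asset, today, max_patch_age_days=30, max_dpia_age_days=365):
    """Evaluate one asset against the controls and return (control, finding) pairs."""
    findings = []
    # Data mapping: anything holding personal data must appear in the enterprise data map.
    if asset["pii"] and not asset["in_data_map"]:
        findings.append(("data-mapping", "holds personal data but is absent from the data map"))
    # Patching schedule: the threshold is an assumed policy value, not a GDPR figure.
    patched = asset["last_patched"]
    if patched is None or (today - patched).days > max_patch_age_days:
        findings.append(("patching", f"last patch older than {max_patch_age_days} days"))
    # Vulnerability remediation: every open scan finding needs a recorded remediation.
    for vuln in asset["open_vulns"]:
        if not vuln["remediation_ticket"]:
            findings.append(("vuln-remediation", f"{vuln['ref']} has no remediation record"))
    # DPIA: assets processing personal data need an assessment at least yearly (assumed).
    dpia = asset["last_dpia"]
    if asset["pii"] and (dpia is None or (today - dpia).days > max_dpia_age_days):
        findings.append(("dpia", "no DPIA within the last year"))
    return findings


def run_continuous_check(assets, today):
    """Check every asset; return {asset_id: findings} plus an audit evidence log."""
    noncompliant, log = {}, []
    for asset in assets:
        findings = check_asset(asset, today)
        if findings:
            noncompliant[asset["id"]] = findings
            for control, finding in findings:
                log.append(f"{today.isoformat()} {asset['id']} FAIL {control}: {finding}")
        else:
            log.append(f"{today.isoformat()} {asset['id']} PASS all controls")
    return noncompliant, log
```

Running `run_continuous_check(ASSETS, TODAY)` flags only web-app-02 (four failed controls) and writes one log line per asset or per failed control, which is the kind of tangible evidence the article says auditors ask for.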
Firms must apply common controls such as web application, endpoint, and network security. Network security controls are critical for preventing the risk of data being stolen. Before these controls are implemented or drastically changed, the first course of action is to understand the current security setup and the scope of its weaknesses.
When an organization builds applications or implements changes, it must follow a security-by-design approach, in which risk mitigation is a major consideration from the beginning of the process. Continuous compliance means ensuring security controls are implemented in the organization’s day-to-day work. This minimizes the risk of application security flaws that could let a threat actor into a network.
Not only should thought be given to internal security, but also to that of third-party businesses with which the organization is connected. An organization can and will be held responsible for any breach of data it holds, even if the breach comes via a weakness in the cyber defenses of a third party, such as a supplier, contractor or partner. Knowing what these risks are and making the third party address them, for instance as part of a contractual agreement, can mitigate the danger of being hacked via “the backdoor”.
Adhering to the GDPR is more than just about implementing robust security solutions. A well thought out GDPR program should be considered as an enterprise-wide process improvement initiative, introducing a new way of doing business and handling data.
A mature compliance program requires policies and procedures that create formal organizational controls that are mapped to the GDPR’s articles. Organizations need to establish governance about who is responsible for what processes, data and so on. In the event of a breach, there must be a clear reporting process in place so that the appropriate authority can be notified without delay.
Also, the creation of awareness programs will inform staff of their responsibilities in regard to data protection and how to keep the organization’s network and assets secure.
A good starting point for organizations needing to implement a privacy compliance framework to ensure their data processing adheres to the GDPR is to work towards achieving ISO/IEC 27001:2013 accreditation.
Rather than seeing GDPR as a threat, businesses should see it as an opportunity. Continuous compliance will not only help ensure the organization stays on the right side of the regulators but could also have the benefit of improving business processes, reducing costs, and preventing costly cyber-attacks.
However, to achieve this, organizations need the right policies and procedures in place, combined with technology that is able to automate the mitigation, detection, and recording of risks.
About the Author
Fouad Khalil is the VP of Compliance at SecurityScorecard. He is responsible for compliance programs, auditor education, and alignment with best practices. With experience in the technology space, SDLC, IT, program management and most recently IT Security and Compliance management, Khalil’s career path has provided him with keen insights in the areas of network, system and database administration, software programming and much more. For two decades, Khalil has focused on data security and compliance, and is an industry expert in IT, NIST, Internal Controls, GDPR, SOX, PCI DSS, HIPAA and HITECH. Khalil holds a BS in EECE from Marquette University as well as CISA and ITIL certifications. Fouad can be reached online at @fkhalil65 and at our company website https://securityscorecard.com/