GDPR: Making It Work For You
Muthoni Richards MSc CIPM CIPP/E
Global Data Privacy and Data Governance Leader | Regulatory Readiness Strategy | Policy Nerd.
Being a consultant allows me to sit in varied conversations where differing levels of understanding or frustration are on display. Lately the topic has been the implementation of the GDPR. Suffice it to say there is more frustration than exuberance, and it is understandable. As painful as regulatory compliance can be, businesses should expect it and in fact should get into the business of overtly building capabilities to predict regulations based on indicators in the existing political and social environments. As regards the GDPR, the concern most often expressed is about the purpose behind implementation. The why is easy to answer: simply put, if you want to continue doing business in the EU (UK included) and with EU data subjects, you need to be compliant. What’s more nuanced and unspoken is this: what is the benefit of implementing this time-consuming, resource-intensive regulation that is not a USA requirement? Implied in this concern is the likelihood that the organization will prefer to outsource that risk because it is cheaper.
I’d like to suggest a different approach. Perhaps as opposed to figuring out “the Why” and making that central to the business case, organizations can look at it as the future of doing business and attempt to get ahead of the curve. Here are a couple of pathways to that end.
1. Data Subject Awareness
Increasingly, people (Data Subjects) are asking why the USA is not implementing protections for consumers at the level of the EU GDPR. Traditionally, as American consumers we have been willing to sacrifice our privacy in order to get access to a service, gain access to the redeemable rewards programs of our choice, or even access event-enhancing experiences online. However, the number and type of permissions required to access these items often extend beyond the data necessary to run them. For instance, why does a discount aggregation service need access to the microphone on a device as a default setting? What are data controllers doing with all this information that is gathered? More importantly, should the Data Subject object to the permissions requested, can they still access something as inane as an online game? In a recent online conversation regarding the above game scenario, the Data Subject declined to accept the terms of the provider and was promptly denied access. And this in the EU. It raised the question of the GDPR, and even though it does not come into effect until 05/25/2018, the scenario raised brows that this provider was obviously not complying with the regulation.
It is incumbent on organizations in the USA to “read the room” when it comes to privacy and data. Millennials have already caused organizations to change course on business practices that were once considered acceptable. Additionally, recent data breaches in the USA have created the right environment for this conversation to take place.
In order to get ahead of the curve and showcase organizational data responsibility, implementing the GDPR makes sense. The current activist tenor of data subjects in the USA is likely to cause a shift in that direction. Organizations lose nothing by ensuring that customers can rest easy with their personal data, their crown jewels, in the organization’s possession. It helps affirm the organization’s role as a socially responsible business entity, which goes beyond community engagement and annual giving-back targets.
2. Infosec Double-Duty
GDPR compliance requires a risk-based approach. This makes it highly complementary to InfoSec implementation. There are several publications online that map the GDPR to standards or frameworks such as ISO 27K. Not surprisingly, matters highlighted by the GDPR, such as the access control management detailed in Article 5, are reflected in control 9.1.1, which requires that an organization define and document with clarity what its access control policy is, that access be granted on a business need-to-know basis, and that information security requirements and restrictions on access be clearly defined. A personal favorite is GDPR Article 46, which details the conditions under which data transfers to a third country for processing are acceptable. Issues such as the suitability of the control environment, the implementation of appropriate safeguards that are enforceable, and the role of the Supervisory Authorities in decision-making processes, should those be triggered, are discussed at length. This is reflected in ISO 27002 control 18.1.4, which enumerates requirements regarding the development and implementation of data protection policies in accordance with relevant legislation.
Looking ahead, this amounts to the question of the suitability of the current InfoSec environment in the USA. Should it be found, with evidentiary proof, that the data protection environment does not meet the EU standard, then what? Wouldn’t it make more sense to ensure that an organization does not suffer losses should that decision be made? This is very possible, as seen in how “Safe Harbor” became ineffective and “Privacy Shield” was implemented. The point here is that preparation in the face of such high risk works in the organization’s favor and allows business continuity, which saves precious resources long term.
For those who have been in this business long enough, you may recall the GLBA and its implementation. Initial resistance finally gave way to an acceptance that permeates the way we do business today. And if technology has changed as much as it has, shouldn’t the organizational approach to managing the risks presented by that technology evolve as well? At a recent hacker conference, one of the panelists shared his experiences with marketing companies that called him. Four companies with similar offers of similar products called him, and three offered him the assurance that they do not share information with companies and organizations in the USA as an additional incentive to do business with them.
Implementing the GDPR to the fullest extent required is beneficial in many ways. Beyond the two discussed here, how would it benefit your organization?