The great GDPR hoax
Jane Frankland MBE
Cybersecurity Influencer | Advisor | Author | Speaker | LinkedIn Top Voice | Award-Winning Security Leader | Awards Judge | UN Women UK Delegate to the UN CSW | Recognised by Wiki & UNESCO
One of my favourite stories as a child was Chicken Licken. I'm sure you'll know it, but in case you don't, it's a macabre folk tale about a chicken who believes the "sky is falling down" after an acorn lands on his head. Hysterical about the impending disaster, he rushes off to tell the king, amassing followers in the process and leading them to their untimely death. Whilst the story teaches children about courage, the main lesson they learn is not to follow blindly and believe everything they're told.
It's a good lesson, and this simple children's story reminds me of where we are with the GDPR right now. If we're to believe everything we're told at conferences, or read online about it, things look pretty bleak.
Although compliance with the GDPR becomes mandatory in less than a year's time, and carries hefty penalties for non-compliance, in my opinion it need not be a scary affair. If you take action now, as Microsoft Office recommends in their episode of 'Modern Workplace, GDPR: What you need to know', much can be done to help you get ready in time and dispel the negativity we've been hearing about it. For example:
1. In October 2016, having surveyed 900 businesses across the UK, France and Germany, Symantec told us that 96% of companies didn't understand it; 9 out of 10 businesses had concerns about their ability to become compliant with it; and only 22% considered the GDPR a top priority for the next two years.
2. In April 2017, Veritas published the results of their GDPR survey. Having surveyed 900 companies across 8 countries, they provided a damning report of how unprepared businesses are, and how fearful they are about being put out of business for non-compliance with the GDPR.
3. In April 2017, YouGov surveyed 2,129 senior decision-makers within businesses across the UK and found that only 29% of businesses have started to prepare for the GDPR; 71% are unaware of the fines for non-compliance; and only 26% are confident in their ability to report data breaches to the regulator within 72 hours.
As I don't believe there's a need to panic if you take action now, in this post I'm going to run through exactly what steps you'll need to perform in order to achieve compliance.
Seven simplified steps to achieving and maintaining compliance with the GDPR
Step 1. Agree the stakeholders. When it comes to the GDPR, unless your business is all about personal data, the responsibility will typically be a shared effort between those in Information Security, IT and the General Counsel. Whoever is involved, you'll need to agree whether you'll do it all in-house, outsource it, or use a hybrid approach. This will mean weighing up all the pros and cons, including the costs, time to implement, risks and so on.
Step 2. Familiarise yourself with the regulation. The GDPR is complex and impacts any organisation that collects data on EU citizens and residents, including those in the UK, even after Brexit. Understanding the GDPR requires you to get a firm grip on why it was created, the changes the new regulation brings, what the key definitions mean, and what you'll need to do in order to comply with it.
Typically, in order to achieve GDPR compliance you'll need to set up a privacy compliance framework, understand the role of the Data Protection Officer (DPO), perform Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs), create a risk management framework, map your data flows, update subject data consent rules and access requests, and implement breach reporting and incident response processes. We'll look at some of these shortly.
Step 3. Set your objective. This seems obvious, but it's really important to know what your key drivers are for complying with the GDPR, and their priority levels. By understanding your over-riding objective and those of each stakeholder within your business, you'll make buy-in and implementation not only faster but easier. For example, for some stakeholders the main driver will be to avoid a fine; for others it will be to avoid reputation or brand damage, to enable business, or to demonstrate effective security.
Step 4. Create a Data Register. A Data Register is essentially a GDPR diary: it enables you to keep a record of your process and potentially reduce your liability should anything go wrong. As each country has a Data Protection Authority (DPA), it's their responsibility to enforce the regulation, judge whether a business has been compliant, and decide which penalties are to be enforced after a breach. Should a breach occur, having a Data Register enables a business to show the DPA its progress towards compliance and mitigate its risk of a heavy fine. Without any proof of this, the DPA could fine a business much more quickly, and enforce a fine that could be anything from 2% to 4% of a company's turnover, depending on the sensitivity of the data being breached.
Step 5. Perform a Gap Analysis or GDPR Readiness Assessment. Once you've created a Data Register, you'll need to perform a Gap Analysis or GDPR Readiness Assessment. This is when you'll establish where you are now, what gaps your business has with regards to complying with the GDPR and what you need to do in order to comply.
This will require you to define your business' core activity, discover and identify the data you need to protect, map out your data flows, and review how you're protecting it.
Looking at the data, this relates to the Personally Identifiable Information (PII) you hold, i.e. information that can directly or indirectly identify an EU resident or citizen. You'll need to know where it's being stored, who has access to it (classification), who it's being shared with, in what processes it's being used, and how it's being protected. You'll also need to know who's responsible for controlling and processing it within your business, and ensure that all the correct contracts with any third parties who may also be involved are in place.
As the GDPR states that an organisation must look into the "impact of the envisaged processing operation on the protection of personal data", you'll need to perform a Privacy Impact Assessment (PIA) and a Data Protection Impact Assessment (DPIA) of all security policies, evaluating the data life-cycles from origination to destruction points. Both provide evidence to the supervisory authorities that, in the event of a data breach, you've considered, anticipated, and taken measures to protect the PII on EU citizens and residents that you hold, and to avoid a breach.
Step 6. Planning and implementation. This is where you'll devise a plan and implement the changes you need to make. These will vary from business to business, but will most likely include implementing revised processes around penetration testing, network monitoring, employee awareness, incident response management and data breach reporting, plus new technologies such as encryption, tokenisation or pseudonymisation.
Step 7. Devise a process for ongoing maintenance. Compliance with the GDPR is ongoing and needs to be at the forefront of every new idea, plan and application for the business moving forward. This means that you'll need to create a process and document what's required for each stakeholder going forward. The more ingrained this is in the business, and the more you can get others to take responsibility for adhering to it, the less of a problem complying with the GDPR will be.
Now I want to hear from you…
- Tell me what aspect of the GDPR challenges you, or if you've learnt lessons along the way, please let me know and share them here.
- Watch Microsoft Office's episode of Modern Workplace, GDPR: What you need to know, and discover what other tips you can apply to your business.
Finally, in the spirit of full disclosure, please be aware that I’ve received compensation for promoting this Microsoft Office Modern Workplace Episode. Because your success is important to me, I only align myself with brands I believe in and Microsoft is one of them.
About Jane Frankland
Jane Frankland is an award-winning entrepreneur, speaker, author, consultant and CISO advisor. She's also one of the top 50 influencers in cybersecurity in the UK. Jane has 19 years' worth of experience in the industry, has built and sold her own global penetration testing firm, been an SC Awards Judge for Europe and the USA, advised boards, and held senior executive positions at several large PLCs, including the NCC Group. As an ambassador for cybersecurity she's passionate about diversity in the workplace, and her book, 'In Security: why a failure to attract and retain women in cybersecurity is making us all less safe', is due for release in 2017. You can learn more at https://jane-frankland.com.
Director, Head of Risk Assurance @ PwC Channel Islands | MBA, Risk Management, Digital Transformation, Information Security. · 7y
W10, the CNIL, the Dutch DPA and clear consent - discuss.... also, in the interests of restricting myself to one comment: what about the proposed ePrivacy Regulation - similarly nothing much to worry about in the context of transatlantic commerce, for example?
A professional with expertise in transformation, change management, building from scratch, rescue and recovery missions, large deals, setup and management of large global accounts and creation of value. · 7y
Pseudo pundits do create an atmosphere of fear. Their hype helps create debate, and debate brings clarity...
LUSEM | MDEC | Cybersecurity Governance | Data Governance | Privacy and Regulatory Compliance | C-Level Trainer | Visiting Faculty | Energy Audits | Startup Coach · 7y
The article is from an administrative and procedural point of view; what about the technical or solution aspect of GDPR, e.g. BYOD, encryption of personal data in transition, etc.?
Business Intelligence & Cloud Executive · 7y
It is hyped for sure, by the companies that have a vested interest in it.
Co-Founder & Principal at Cloudely and InfoComply · 7y
Nice and crisp #GDPR article, Jane Frankland! #LinkedInLearning