Let's remove the R in GDPR
Unless you were on a sabbatical in the last year, the abbreviation GDPR must have crossed your radar at some point. The General Data Protection Regulation is the new vehicle that will help safeguard the identity and Personally Identifiable Information (PII) of every European citizen. Hundreds of pages have been published debating its value, government pampering, consequences, penalties, etc. Like mushrooms, companies pop up, all claiming the ultimate GDPR-ready (black-box) solution. Are we brewing a new "millennium bug" hype?
Let's face facts. GDPR has put privacy high on the agenda of nearly every CEO. Many organizations now realize how negligent their attitude was in the past and need to catch up. According to IAPP, at least 28,000 Data Protection Officers (DPOs) will be needed, and that is in Europe alone. The main focus is on how to become compliant with the new regulation. And here is the Catch-22: we are starting to miss the point, which is data protection in general.
As with any law or regulation, there is a small though important gap between how it has been composed and how it will be executed. Good examples of this are the obligatory breach notification within 72 hours of detection, and the fact that the regulation applies only to the collection of personal data of EU citizens. Let's agree that there is a notable difference between a notification plan and a response plan. And many organizations struggle with protecting their intellectual property even more than their customers' personally identifiable information (PII). Hence my request to remove the R in GDPR. Let's make data protection a corporate attitude, regardless of the regulation around it. The effort to go from GDPR-compliant to a corporate data security policy is not that big; the return on that effort is all the greater.
There are many ways companies plan to become GDPR compliant. The common thread in most of them is a four-step program: first discover what you have, then manage/consolidate where possible, next protect the right information, and finally report on information access and potential breaches. Obviously, all of this is focused on the Personally Identifiable Information (PII) stored across the organization.
What if we now extend the mission? The discovery phase is certainly larger when the scope is extended to all information. Or is it? The reality is that many organizations don't know where all their PII resides, and are thus obliged to extend the discovery scope anyway. When you decide to go immediately for a full information scope, you can be sure there will be no unexpected surprises afterwards; you have a much better view of duplicated data; and you will know where the core Intellectual Property (IP) of your company is located. You'd be surprised how many companies still have datasheets lingering around, containing core business processes, accessible to everyone, sometimes even from the outside.
In order to streamline and reduce the cost of managing PII, many companies are focusing on consolidating the areas where the PII will reside. Logically, the less widely the information is distributed, the less overhead and fewer control mechanisms are needed to manage it. This argument is valid for any type of information. Furthermore, we live in a world where data mining and adaptive learning are becoming standard practice. Managing/consolidating all information so it can be processed is a key action. Even if your organization does not feel the need to opt in to this trend, the fact that you have mapped out where all the information resides will allow better information management.
Protecting information and logging/reporting on access should be a standard practice, regardless of the regulation. For many organizations it is still a learning curve, sometimes learned the hard way. Often people don't realize the value of the information they have, or the reputational impact it will cause when leaked. I have a warm invitation: look at your corporate information through the eyes of your customers and/or malicious people. You'd be surprised how the value of information changes when looking from a different perspective. For each deal you win at a customer, you will (hopefully) maintain all gathered information in a secure way. Losing that data likely means losing that customer. And what about all the offers you made to customers that didn't accept your proposal? Given you lost "the deal", the gathered information/proposal has a tendency to lie around more openly. For you it has no more value. For others, the content of that proposal may be gold.
Karel Dekyvere
Chief Security Officer
CEO at Social WiFi
A really good article. I like your attitude towards removing the R. A simple thing to do that can transform business culture.
Passionate Advocate for Digital Inclusion | Bridging the Digital Divide through Strategic Leadership | Empowering Communities for Equal Access to Opportunities
Thanks for sharing your insights Karel Dekyvere. I so agree with your logic. You put the figure on some really hot pain points.