Date: 25th of March 2017

My CEO Guide to General Data Protection Regulation (GDPR)

As a CEO you are obligated to ensure the protection of personal information that your company may process, store/retain, transmit, transfer or delete whether this relates to customers, clients or employees.

I am sure you and your teams have been given a wealth of knowledge on this subject, some of it with the claim that they are the “experts” who can help you navigate this very complex and sometimes misunderstood piece of legislation. Really? Consider that there is no baseline to measure against, no case law to follow and no precedent set (to date), and, as with any new legislation, it is open to the interpretation of the lawyer who is reading it, which does not help matters. There is a complex global legal and regulatory landscape that you must understand in order to appropriately protect the personal or private information that your firm holds.

In order to cut through some of the noise and to distil what is important, I have put together a list of things as I have understood them. I would welcome any additions to this – or even corrections, but these are my takeaways from all the discussions I have had with fellow CISOs and Privacy / Data Protection Officers. I am not a GDPR expert, but I have managed data protection and privacy as part of my CISO portfolio.

This applies to any of your business locations that process data relating to EU residents. Failure to effectively follow the new legislation may have unintended consequences; here are some of the things you need to consider.

Civil and Criminal implications; to you, to your management teams and to your firm. Don’t be the first: there is currently no case law to support this and no actual prosecutions, so it is a deterrent, and an effective one. Penalties are set at 4% of your firm’s annual turnover or a maximum cap of 20m Euro; this is yet to be tested. Put that into the context of some of the data breaches that have occurred in 2016. If there was another Mossack Fonseca style theft within Europe, the Information Commission would, in my view, be truly put to the test. The context of any failure may determine the actual penalty, coupled with the ability of the Information Commission’s resources and funding to pursue these prosecutions in the first instance. There seems to be a breach a day; I am not sure how they will cope.
Privacy By Design; enforces the need to design your business processes correctly so that the right information, as it relates to the privacy of your customers, clients and employees, is protected in an adequate manner. This may also include conducting privacy impact assessments to better understand how data subjects wish their information to be processed.
Information gathering; the information that you gather on your customers, clients and employees must be gathered lawfully and transparently. For example, you need the data subject’s consent for what that data is used for once gathered. You will also need an adequate mechanism to track and monitor that data, without breaching the covenants it is trying to protect.
Security by Design; ensures effective and adequate technical control over private information. This may include, but is not limited to, the encryption of data sets, the masking of private data in specific systems or services, the requirement for it to be removed, and the encryption of specific communications.
The right to be forgotten; the data subject’s right to have their information removed from systems, applications, databases and so on.
Breach Notification; you will have up to 72 hours to inform the Information Commission once the breach has been detected, which essentially means you will need the ability to detect a breach in the first instance. In some cases you may only have 24 hours to notify your customers, clients or employees. It will all depend on the extent of the breach you are dealing with.
Joint Third Party Liability; if you outsource business processes to a third party that handles personal or private data on your behalf, you are just as accountable. Under the new legislation you hold joint responsibility, meaning the third party now needs to demonstrate, as you do, effective controls for the protection of personal data.
May 25th 2018; the deadline for formal compliance. Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), was adopted into law in April 2016 and will replace the Data Protection Directive 95/46/EC. Not long to go.
That may seem like a lot of activity needed, but data privacy is nothing new. Firms that have been at this a long time may have tried and tested processes, policies, procedures and the technical ability to manage them (you would hope), but in my experience with large institutions there are always disconnects, even in the most established of management structures. For small to medium sized firms that operate across Europe, you will be under a lot of pressure. But you are not alone; there is a vast amount of guidance out there, and hopefully some of this will help.

So what is the solution? In my view, the following are some simple questions you can ask your teams to clarify:

Have you assessed the current state? You must first look inwards and determine what you are doing, how you are doing it and who is doing it. At this stage it is not about technology, it is about business process.
Make sure you have a clear and accurate understanding of the personal information you gather and be sure you understand where it is.
Be sure of the technologies you use to collate it and also where it is used.
Do you have tools that can track and monitor where it is?
Do you have tools that will allow you to prevent such information from leaving your systems?
Do you have staff with adequate knowledge of Privacy, Data Protection and Data Security?
Get help if you don’t – but shop around. There are many good Cyber Security and Privacy Officers who can help you in the initial stages of your own discovery. Consultants can play a role, but much later, at the delivery end (in my view). Know what you are dealing with first. A CISO alone will not solve this for a large global firm.
If you have the in-house expertise, use them. Bring together your support functions, such as DR/BCP/IT/Risk/Compliance/Legal/Cyber – and most importantly your business. They drive this. This is not just about IT!
One major element of this, which is fundamental: the appointment of a Privacy or Data Protection Officer (or assigning responsibility for the function under the CISO) comes with a 4 year fixed term. In no way can the executive interfere with the work that is directed out of that office. You are not able to “tell” this person what to do. They are there, to be blunt, to tell you what must be done in order to ensure the effective and adequate protection of personal data. As such they are protected under whistle-blower regulation. I am happy of course to be corrected if this is not how others have interpreted this particular requirement. The best advice – in the first instance talk to your CISOs; GDPR is here, and it is just one of many challenges we as CISOs have to combat over the next few years. There is a potentially significant and heavy price to pay for failure.

GDPR is the start of a global shift; it is more than likely there will be a knock-on effect in other well established non-EU regulatory regimes, with individuals seeking better and more effective governance of their information. Ensure you plan as a global entity if you have one. Take from this and build a best practice that is scalable for your organisation and fits your needs. Don’t be the first headline, as you and your business may not recover.

The CyberTree Paradox