5 GDPR compliance tips for your IT Ops team
If your company handles personally identifiable information on European citizens, you have a little over a year (May 2018) to comply with the European Union's General Data Protection Regulation (GDPR), or face fines of up to €20 million.
For those of us who lived through Sarbanes-Oxley (SOX) or the Health Insurance Portability and Accountability Act (HIPAA), it may be tempting to not take the deadline too seriously, since the US government provided an extension for both SOX and HIPAA at the last minute. But there is no guarantee that will happen this time with the EU. Don't be caught off-guard.
The key is translating, training, and incorporating best practice principles into your overall DevOps process. That may sound more complicated than it actually is. Here are five best practices for compliance by design (more on that below) that will make you much better prepared for this new mandate without hurting your team's deadlines.
1. Governance means you have to train the trainer
In some cases, the governance person may not be happy about the change in their role, either politically or personally; so there may be some resistance at first. In that situation, I recommend hiring someone from the outside to drive both a compliance-by-design and end-of-life process across processes and technology. Task the governance person with downloading the COBIT (which originally stood for "Control Objectives for Information and Related Technologies") and CSA (Cloud Security Alliance) requirements, as well as working with program management to incorporate those with company directives.
Your checklist will be pretty significant until everyone starts to eliminate the duplicates and areas that are changing due to newer technologies.
2. Train your enterprise and infrastructure architects
The legal language that comes with compliance is often vague and difficult for engineers to interpret. One critical success factor is to ensure that the compliance by design trainer is both technical and an expert in compliance. This helps to reduce conflict over what is necessary because of programmatic limitations of the technology versus what is necessary because of legal restrictions that stem from compliance constraints. Keeping these two distinct is essential to ensure the company does not make mistakes in compliance or procurement.
For example, one financial institution reported that an auditor did not understand the difference between CPU- and core-based licensing. This almost led them to move to a transactional model with the vendor, believing they had been out of compliance for five years.
Why? Because the server farm on which they were running the system had 80 cores, but only 14 CPUs. They were licensed for 16 CPUs. Instead of reducing maintenance to the CPUs actually utilized, the procurement specialist asked for a quote for 72 more. In the end, a more technical auditor discerned the difference after the issue had been escalated to the CIO.
Had the second auditor not understood the technical differences and how license postures are critical for compliance, the company might have spent millions on new transactional-based licenses, while reporting an issue that didn’t exist. Arming your technical elite with the minimum requirements for compliance is an essential ingredient to transformation success.
3. Create a compliance checklist
Creating a compliance checklist was a key element shared by the top performers who were addressing compliance by design. Top performers typically download the requirements from the National Institute of Standards and Technology (NIST) and the Cloud Security Alliance, and they combine them with any specific state or regional regulation, depending on the country or state of origin.
They not only identify the processes and training required to build compliance by design into their processes, they also automate them. This includes engineers building automation frameworks from the rules and best practices in the checklist. The automated framework lets engineers focus their time on critical tasks.
4. Restrict and evaluate compliance
Once you have the checklist, how do you onboard the hundreds to thousands of applications? Several top performers created an open source tool that scrubbed applications for compliance based on the rules and policies created by their chief compliance strategist, who was a technical auditor. The tool, a microservice, determines whether the application should be onboarded or pushed back.
The tool provides feedback to the requestor on any changes or enhancements needed to pass the compliance checks. This removes the middleman and the political charge that often comes up when someone pushes back.
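As an added illustration of such an onboarding gate (this is not the open source tool the article refers to; the rule ids, region names and manifest fields are constructed assumptions), here is a minimal policy gate in Python: each checklist rule inspects an application's self-declared manifest and returns a remediation hint when it fails, and the gate returns the onboard/push-back decision together with the feedback list for the requestor.

```python
"""Checklist-driven onboarding gate (added example, not the article's tool).
Rules cover the GDPR points the article names: where personal data is
stored, what dev/test environments use, plus encryption and retention."""
from dataclasses import dataclass
from typing import Callable, Optional

EU_REGIONS = {"eu-west-1", "eu-central-1"}  # assumed region names

@dataclass
class Rule:
    rule_id: str
    check: Callable[[dict], Optional[str]]  # hint on failure, None on pass

def storage_in_eu(app: dict) -> Optional[str]:
    # Applies only to applications that declare they handle EU personal data.
    if not app.get("handles_eu_pii"):
        return None
    outside = set(app.get("storage_regions", [])) - EU_REGIONS
    return f"EU PII stored outside EU regions: {sorted(outside)}" if outside else None

def no_prod_pii_in_dev_test(app: dict) -> Optional[str]:
    envs = app.get("environments", {})
    bad = [e for e in ("dev", "test") if envs.get(e, {}).get("data_source") == "production"]
    return f"environments using unmasked production data: {bad}" if bad else None

def encrypted_at_rest(app: dict) -> Optional[str]:
    return None if app.get("encryption_at_rest") else "enable encryption at rest for PII stores"

def retention_defined(app: dict) -> Optional[str]:
    days = app.get("retention_days")
    return None if isinstance(days, int) and days > 0 else "declare a retention period for personal data"

CHECKLIST = [Rule("GDPR-STORAGE", storage_in_eu), Rule("GDPR-DEVTEST", no_prod_pii_in_dev_test),
             Rule("SEC-ENCRYPT", encrypted_at_rest), Rule("GDPR-RETENTION", retention_defined)]

def evaluate(app: dict, rules=CHECKLIST) -> dict:
    """Run every rule; any failing rule pushes the application back with feedback."""
    feedback = [f"{r.rule_id}: {hint}" for r in rules if (hint := r.check(app))]
    return {"app": app["name"], "decision": "onboard" if not feedback else "push_back",
            "feedback": feedback}

# Constructed sample manifest: EU PII replicated to a US region, dev using production data,
# no retention declared.
SAMPLE_APP = {"name": "crm-sync", "handles_eu_pii": True,
              "storage_regions": ["eu-west-1", "us-east-1"],
              "environments": {"dev": {"data_source": "production"}, "test": {"data_source": "masked"}},
              "encryption_at_rest": True, "retention_days": None}

if __name__ == "__main__":
    for line in evaluate(SAMPLE_APP)["feedback"]:
        print(line)
```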
5. Hold everyone accountable
During my research, business owners often said that compliance was the job of the IT department, but they did not consult IT prior to adopting new technologies that could create concerns around compliance. Top performers hold everyone accountable for compliance and adhering to the compliance by design principles. Many are also incorporating the requirements from the General Data Protection Regulation into the compliance checklist regarding dev, test, and where the data is stored.
There should be consequences for compliance violations; otherwise, there is no incentive to stop bad behavior. I have seen accountability range from a slap on the wrist (such as losing a bonus) to losing a job (if the offense is grave enough). You must decide how to implement compliance, and everyone must follow suit.
Compliance by design in a nutshell
I spend a lot of time at workshops and working with companies to ignite their digital transformation efforts. In my book, iSpeak Cloud: Embracing Digital Transformation (Appendix D), I advocate for architecting your overall digital transformation strategy for compliance, an approach also known as compliance by design, or privacy by design.
Compliance by design combines business processes and automation technology to enforce compliance with a prescribed set of guidelines required for that business. In a compliance by design approach, a collaborative team of line-of-business owners, program managers, developers, auditors, and operations work together to define and automate the process within the system to ensure compliance with specific regulatory, security, or business directives.
Compliance with regulatory, security, and business directives needs to be built into your requirements and architecture from Day 0. By doing so, you'll waste less time and fewer cycles trying to retrofit your architecture and systems to be compliant. In essence, the chief governance officer turns from being the chief firefighter into a process strategist.
Key to transformation success: Strike balance
If your organization is like many companies, you struggle to balance the need to ignite your digital transformation strategies against the demands of legacy conversion. One large organization I worked with kept hitting delays in its overall development process because every time the business wanted to push through a new feature, concerns over compliance issues took all of the oxygen out of the room.
Now more than ever, your success depends on incorporating compliance efforts into your overall transformation strategy. To do otherwise is to risk derailing your efforts in the months to come.