GDPR execution will be a major task this year—and reap benefits
For IT and security professionals and other senior corporate officers, it may seem a paradox that the General Data Protection Regulation (GDPR) became fully enforceable last May, and yet 2019 is shaping up as the year of its practical execution in the enterprise.
How did this situation come to pass, and what does it portend for CIOs, CISOs, and IT security managers who might have thought the task was complete?
The reality is that not only is compliance achievable, but it can improve operational efficiency and even result in more revenue for the business. Getting there, however, requires some technological innovation.
Why enterprises failed to comply in 2018
In December of last year, PwC concluded that three significant reasons for lack of compliance with GDPR were leadership's failure to support larger, ongoing operational budgets; an inability to draw all the appropriate sponsors into the program; and a lack of appreciation of the technology requirements for full compliance.
In 2018 there were three clear business drivers used by corporations and government agencies to facilitate technical change with respect to the GDPR, although few entities realized them. The three points below provide a rationale that I've found can help gain support for GDPR compliance efforts from top management.
The noncompliance sanction of up to 4% of annual global turnover, or €20 million, whichever is higher, gets management's attention. But there are broader commercial impacts than a fine to ponder, such as reputational damage.
Consider the closing of Cambridge Analytica in the UK in May 2018, and government procurement organizations' and university research sponsors' increasing demand for assurance of GDPR compliance as a prerequisite to bidding. Compliance failures lead to lost business, not just a fine.
As CIOs in the insurance sector and elsewhere grappled in 2018 with the GDPR's concept of the right to be forgotten, major European corporations found that this posed a monumental data inventory task.
Some organizations made a virtue of necessity. Enabling regulatory compliance turned out to accomplish many other tasks on the CIO's to-do list, such as legacy data cleansing, application retirement, and data storage reduction. The resulting ROI strengthened the business case for an active, automated data retention policy. By using GDPR as the catalyst for cleansing legacy data and retiring applications, these organizations became able to locate personal information across the entire data infrastructure within the 30-day window the regulation allows for responding to a data subject's request.
Only a handful of corporations saw the opportunity to "monetize compliance" by using the data-cleansing imperative to generate higher-quality, legitimately processed volumes of personal data for marketing purposes.
Recommendation: Ensure that any program for data privacy compliance—whether for GDPR or a national standard—involves all C-level officers and promotes both defense and any opportunities the program presents.
The Business Value of Data Privacy Action
The key business drivers in favor of GDPR compliance include the cross-department value of assured policy enforcement, the unexpected cost savings from data cleansing, and the opportunity to monetize compliance through improved data quality analytics and data exploitation.
GDPR's twin challenges: Data lifecycle management and security
GDPR programs were slow to get started in 2018 because risk officers didn't fully understand two factors. First, if you can't find the data, you can't honor data subjects' rights. Second, external cyberattack and internal malfeasance can equally cause noncompliance.
Now comes the realization by large organizations—especially those in the financial services, telco, and government sectors—that GDPR effectiveness requires:
A coherent content management process
This is necessary for the identification of data silos; the inventory of their contents; the identification, classification, and indexation of personal data; and the ability to apply governance rules.
While most corporations have some functionality in these areas, few invested last year in the technology needed for this end-to-end process.
A security overhaul
This wasn't done in many instances, and yet sound security is a prudent measure. For example, Article 34(3) of the GDPR relieves a controller of the duty to notify every affected data subject of a breach if "appropriate technical and organisational protection measures" were in place, with encryption given as the example of such a measure. Consider the cost, staffing, and reputational damage to Marriott when it was revealed in November 2018 that the records of up to 500 million guests in its Starwood reservation database had been exposed to attackers who had held access for about four years.
For remediation, all entities should review and upgrade their external cyber defense in the security operations center, the quality of their application penetration testing, the encryption of data, and their identity access management.
Recommendation: Ensure that your records management data flow is covered for such things as silo identification, unstructured data inventory and indexation, database analysis, and data protection policy enforcement.
This reference architecture offers a practical structure that combines data life cycle management and security solutions for more effective GDPR compliance. It includes conducting a major data inventory exercise to achieve policy enforcement, and tying in cyber defense, encryption, and identity and access management to meet both internal and external threats.
Regulatory enforcement is already heating up
A perceived lack of GDPR enforcement was one reason why many organizations failed to act last year. Even in the European Union, 17 out of 24 EU data protection authorities (DPAs) had insufficient resources to enforce the regulations, according to a Reuters report last May.
But this is changing in a variety of ways—as shown by the French DPA’s €50 million fine on Google for insufficient valid consent in January 2019. Other reasons to take GDPR seriously include:
Multiple regulations and laws
In-house counsel, risk officers, and CIOs are realizing that GDPR is just the tip of the iceberg. In the US, the California Consumer Privacy Act in the world's fifth-largest economy goes into effect in January 2020. Many of its standards mirror those of the GDPR, but in some instances its requirements are more stringent.
Meanwhile, in the UK in January 2019, the DPA used a parallel law, the Computer Misuse Act, to secure a prison sentence for an insider who accessed personal data without authorization. So the gloves are off.
Expectations from global law firms
Leading practitioners such as Herbert Smith Freehills believe that the whole social uproar over data mismanagement by Facebook and others could lead to new privacy laws in the US.
International privacy enforcement
While some might say that GDPR enforcement has been restricted to a few regions, multiple member and partner countries of the Organisation for Economic Co-operation and Development (OECD) are now moving toward GDPR-standard enforcement. In January 2019, Singapore's Personal Data Protection Commission fined SingHealth and its IT vendor IHiS a combined S$1 million (about US$739,000) for a data breach affecting 1.5 million patients. And global law firm Norton Rose Fulbright's 2018 Litigation Trends Annual Survey showed a surprising level of data privacy law enactment across Asia Pacific.
Countries outside the major economies now have data privacy standards that are close to, and in some cases match, those of the EU. Several of them carry sanctions, including major fines and jail time, that are more draconian than the EU's.
That's why multinational organizations should not expect to operate to lower data privacy standards by locating or sourcing operations in jurisdictions such as the Philippines and Indonesia.
Recommendation: Ensure that risk, compliance, and legal executives appreciate the existing and increasing exposure, which will require compliance-policy automation to be effective. In this respect, obtaining a formal legal opinion that translates the regulations into corporate policy is essential.
M&A volatility only complicates matters
Disruption from the US government's challenges to the World Trade Organization and from the UK's Brexit program is likely to increase merger and acquisition activity. In October 2018 alone, US corporations acquired over 250 mid-sized UK companies, benefiting from the UK's instability and taking advantage of the favorable dollar-to-pound exchange rate.
But for a CIO or CISO, every sale, purchase, or merger entails a data discovery exercise to satisfy investors, regulators, and in-house counsel. Each such event calls into question the organization's ability to handle the personal data of employees and retail customers. Under time pressure, how can the CIO and CISO meet expectations without an investment in both data lifecycle management and security tools?
Recommendation: Ensure that the CIO and CISO are kept advised on future corporate restructuring and that security technology is reviewed and appropriate.
Class actions are increasing
As if empowered regulators weren't enough, private individuals' realization that their rights may have been infringed is already increasing the number of class-action lawsuits. This is happening both through formal lawsuits and through mass communication on social media. For example:
- The UK’s High Court ruled against a mass lawsuit launched in November 2017 by a group called Google You Owe Us. The lawsuit sought $1.3 billion in compensation from Google for allegedly collecting sensitive data about 4.4 million iPhone users in England and Wales.
- A class action seeking €200 per person was launched last fall in Italy against Facebook by the consumer group Altroconsumo. The claim concerns the platform's alleged improper use of registered users' data and what Altroconsumo regards as inadequate security and privacy protections. Altroconsumo is now pursuing the action in Spain, Portugal, and Belgium as well.
Recommendation: Ensure that social media traffic is monitored, collated, and acted upon in a timely manner.
Data privacy: An issue compounded by technology
This may also be the year when organizations come to appreciate that the GDPR and peer national data privacy regulations are made harder by their breadth: they cover data in any medium, whether audio, visual, or alphanumeric; on any device, but especially the mobile phone; in any of over 1,000 different file formats; and in any language.
Regulators expect that all such data can be collated from across a complex corporate IT architecture—at speed.
So do CIOs and CISOs feel confident that this capture, along with comprehension and policy enforcement, is achievable in time to avoid regulatory sanctions and reputational damage? This is a massive task achievable only over years, but can you demonstrate commitment and program action to a regulator in the meantime?
Compliance is achievable
The volume of regulation is increasing, the power of regulators and data subjects is expanding, and time is of the essence. However, with a prudent data inventory, a risk policy overhaul, and an intelligent selection of the functionality you actually need, you can achieve regulatory compliance, and the upside it brings to operational efficiency and revenue generation, through smart technological innovation.