For GDPR, Focus on Data Clarity, Supplier Risk and Incident Response
By Darron Gibbard, Qualys CTSO
With the EU's General Data Protection Regulation (GDPR) going into effect May 25, 2018 — circle that date in red on your calendar — you should prioritize several key areas right now.
GDPR's strict requirements on EU residents' personal data handling go much further than the 1995 data protection directive and country-specific laws it replaces.
Companies must know what information they hold on EU residents, where it's kept, with whom they're sharing it, how they're protecting it, and for what purposes it's being used.
GDPR broadens the scope of protected personal information to elements like IP addresses, genetic and biometric data, political opinions, union membership and sexual orientation.
GDPR also grants powerful rights to EU residents, letting them order organizations to, for example, delete, correct, and account for any or all of their personal information.
Thus, IT and InfoSec teams have their hands full. Here are three areas I recommend you tackle promptly.
Identify all personal data
To comply with, for example, EU residents' "subject access requests" (SARs), an organization needs full, unimpeded visibility into all the customer data it handles.
This is hard enough to accomplish even when IT is involved in every digital effort. But CISOs everywhere have tangled with departments -- cough, cough: marketing -- that set up websites and collect personal information without IT involvement or policy approval. How do you address this?
GDPR mandates organization-wide rollouts of security awareness programs. A technique I've used successfully in the past is to identify the business's high-risk areas and address them first. Leverage marketing to develop your awareness campaign and tailor the message for different business units.
Another word about EU residents' SARs: Organizations collect such vast amounts of data that one "right to be forgotten" request can become a nightmare, let alone 100 simultaneous ones. Be prepared for mass SARs.
Verify third parties meet requirements
Supplier risk management is a major GDPR challenge. The typical large organization has many suppliers it shares customer data with. At a previous job, I had a 3-person compliance team dealing with 750 suppliers. Naturally, they prioritized monitoring high-risk, important suppliers. But GDPR makes you liable for the customer data-handling missteps of any third party. Watch out for obscure suppliers you've never heard of.
Focus on risk assessment and prioritization. To ensure third parties treat your customers' personal data with GDPR compliance, your legal and procurement teams must ensure contracts are updated, and InfoSec must assess security controls.
Test data breach response plans
Many incident response and recovery plans gather dust, rarely reviewed or updated. You need a current and tested data breach response plan. GDPR requires that every organization report personal data breaches within 72 hours. These notifications involve multiple teams: IT ops, help desk, human resources, legal, InfoSec. So test your breach response plans, and then test them again.
As GDPR's deadline looms, your compliance programs should be well underway. I hope these tips will help with your GDPR preparedness efforts.