6 Key Lessons We Learned from Our Own GDPR Implementation Project
Author: Martin Dion, the Vice-President, EMEA Delivery (Information Assurance & Managed Security Services) at Kudelski Security
Data protection, privacy, and innovation are part of our DNA at Kudelski Security. We work with some of the largest national and international organizations in the private and public sectors to address their toughest cybersecurity issues. Like every other company that deals with the personal data of EU residents, we needed to review our existing global data protection policies and practices to ensure that they are in line with the requirements of the General Data Protection Regulation (GDPR). Our own GDPR compliance implementation program provided us with some surprises and insights. Based on our own experiences, here are the six key lessons that we learned.
1. IT and Security can’t do This on Their Own: Establish a Business-Wide Project
GDPR is not just an IT or cybersecurity issue. It potentially affects all areas of the business and carries significant risks for which the executive team will be ultimately held responsible. This includes, for example, fines for breaching the GDPR of up to 4% of total annual worldwide turnover or €20,000,000, whichever is greater. We established a project team sponsored by a member of the executive team and comprising all areas of the business, including legal, risk and IT, so that each could factor in its own constraints and contributions to the project. We also found that, as the project progressed, the team’s composition needed to evolve to meet the different requirements of each stage. The planning and analysis stages required different skills and experience compared with the implementation stages, which required, for example, more IT architects and developers.
2. Engage the Executive Team and Build GDPR Awareness
Accountability is a critical element of GDPR. To obtain buy-in from the key stakeholders from the start, we held training workshops that included our executive teams. These sessions ranged from the top ten topics that GDPR aims to address through to how our organization needed to adapt, for example, with GDPR compliance and data protection. As a result, we achieved a shared understanding of the importance of our GDPR project and expected behaviors, established clear roles and responsibilities around the project, and obtained buy-in for the necessary project resources.
3. Appoint a Data Protection Officer as Soon as Possible
Data Protection Officers (DPOs) must be appointed if an organization conducts large-scale systematic monitoring or processes large amounts of sensitive personal data. The sooner you appoint this person, the easier your GDPR journey will be – all other things being equal. They know the data inventory, the data flow, how the data is used (e.g. harvested or manipulated) as well as any gaps. As the GDPR progresses, their importance will increase. They provide the link to the supervisory authorities and are the “go to” people for advice on Privacy Impact Assessments, which must be implemented when organizations conduct large-scale or risky processing of personal data. So it is essential to work closely with them at the beginning of the project, through implementation and in the business-as-usual phases.
4. Review your Business Processes: But don’t get Bogged Down
Reviewing your business processes is an essential part of GDPR readiness. We partner with many organizations to protect their networks. We need to map to the business process accurately, so that we don’t extract data we don’t need. Whether it’s for our own purposes or when working with our clients, we focus on three fundamental questions: What data do we need? Who needs access, and why? What’s the risk, and is it worth it? This helps us focus our resources and avoid a common problem encountered in many organizations: over-investing in a bottom-up approach to process and data flow mapping. While the intention is commendable, all too often data flow mapping exercises are undertaken in a manner that is too detailed and resource-consuming, given the relatively limited scope required to develop a privacy register. Moreover, when building from the ground up, people tend to justify why they had this data in the first place instead of focusing on the endgame and extracting the absolute minimum necessary to achieve the result.
5. Establish New Rights along with New Processes: Avoid Being Overwhelmed
We learned that it is essential to consider the new data subject rights under GDPR alongside your business processes. Without this, there is a high likelihood of being overwhelmed when the “rubber hits the road”. New rights include the right to be forgotten, the right to see data and the right to object to profiling. We have to demonstrate to our partners that we are GDPR compliant in the way that we handle data before they provide any data to us. The reverse is also true. For example, if you harvest or share the data, you need to ensure its protection throughout the lifecycle, both in and out of your organization.
We also continue to work closely with our legal team, as some of those issues are not yet entirely clear for many clients and partners. One example is where customers reside versus where they are regulated. In a data breach situation where significant proportions of your clients reside in Germany and France, what are the expectations of the respective regulators, and should you report it only to your country regulator and let them run with the ball?
6. Expect the Best and Plan for the Worst: Prepare a Remediation Plan
The GDPR provides clear guidelines on what must take place in the event of a data breach. Once a breach is detected, you must notify the relevant supervisory authority within 72 hours. If there is a high risk to individuals, they might have to be informed as well. Our incident response team worked with our fusion center and many business counterparts to develop an incident detection and response process that can identify and respond to any breaches of personal data. Our focus, however, is on minimizing breaches and recovery before notification.
Over 80% of breaches occur from outside threat actors. Hackers are attempting to attack 24/7, so you need a system that is continually hunting for threats. This can only be achieved cost-effectively by using a fusion (vs classical) system. Fusion systems, pioneered by Kudelski Security, make it the attackers’ problem, not that of the company. The attacker knows that they have been detected, or will be detected, but they don’t see the decoy, so it not only slows them down but also allows the primary threats to be identified and shut down faster than a traditional system is capable of achieving.
The GDPR process forced us to address issues that were not part of our original plans, and we see many clients and business partners facing similar situations. Most importantly, for our business partners and us, it provided valuable lessons that we have incorporated into our business-as-usual processes and training programs. GDPR compliance is an ongoing process, and we advise our clients to focus on their core business, find the right partner to help them implement various aspects of GDPR, and give the project the support it requires in executive backing and resourcing.
This article was first published in German in Netzwoche, on May 15th 2018, and can be accessed via this link.