It may sound strange to suggest that, in order to address GDPR correctly, it’s best to avoid focusing narrowly on the law itself. But it’s a point worth making. Today everyone is talking about deploying additional security products and solutions to address GDPR’s requirements around securing individuals‘ personally identifiable information (PII). But shouldn’t those protections be in place for any type of valuable information? True, GDPR does mandate some specific controls to address, for example, consumers’ data access rights and the right to be forgotten. But many of the data protection activities needed for compliance are already in operation at quite a few companies. And for businesses in general, they should be there by default, as general security best practices.
Companies should see GDPR not as just one more irksome compliance challenge, but as an occasion to look more broadly at their security processes and to situate compliance within frameworks that they may already have, at least partially, in place. With that in mind, we’d like to suggest eight principles that can help you determine the need for specific GDPR-focused upgrades:
1. Visibility comes first.
It’s only logical to suppose that if you want to protect something, you need to know that you have it and where it actually is. Since GDPR requires you to protect assets that are processing PII, you must know what those assets are and where they’re located. Many organizations don’t maintain an up-to-date asset list, and many lack a formal asset management program. If your company is among them, remember that one of the GDPR’s main goals is to push businesses to think more carefully about how they process PII. Evaluate whether your processing activities are risky, and set up controls accordingly. Any company that‘s serious about data security (which should be all of them!) must know exactly what assets they own, how they‘re managed throughout their lifecycle, and how they interact with PII. If you don’t do this, it‘s close to impossible to correctly identify all PII-related risks.
2. Don‘t re-invent the wheel.
Many organizations already have relatively mature cyber-security and data protection programs in place. Often they‘ve also deployed security controls based on a systematic identification of risks, and they‘ve framed this activity within an organizational risk management program. If your organization is in this group, you won‘t have to build a brand new system in parallel just for GDPR. You can use your current risk management program as-is, perhaps extended to cover a specific focus on protection of PII. And this also holds true for other IT security processes, such as incident management and business continuity management.
3. Security standards are your best friends.
We have worked with quite a few companies that are clearly mature when it comes to technical security controls, but that lack a formal security governance program. For example, in many environments not all security controls are always properly documented. Everything may look OK when the business and systems are running fine – but when an unexpected change occurs, it typically becomes a nightmare to maintain the correct levels of security, functionality and reliability. Stardard security frameworks (such as those based on ISO 27k and ISO 29k) are useful here. They help you to address GDPR and other regulatory requirements (including, in the United States, HIPAA, Sarbanes-Oxley, and the Gramm-Leach-Bliley Act). More importantly, they help you to build a systematic, well-documented, functioning and secure IT environment that can be properly governed. Last but not least, these frameworks also enable you to demonstrate proper security governance to whoever asks for it – including the auditors who may come knocking on your door after a data breach.
4. Compliant does not equal completely secure.
Some organizations invest the absolute minimum effort in ensuring compliance with new regulations. Which is definitely OK, as long as they run IT based on best practices all the way from governance down to their technical IT processes. After all, the goal is of GDPR is to protect the data you collect from individuals – not to keep your company safe from all threats. That’s your responsibility.Increasingly, organizations are deploying long-term and standard mechanisms to transform their security environment. Once more, this shows the importance of adopting standards and frameworks. These resources embody the lessons learned by many organizations – so they help you avoid making mistakes that others have made..
5. Keep asking “Why?"
This is the question you must ask yourself over and over when it comes to data processing or the deployment of a security control. GDPR mandates that every data controller must have a valid reason to process PII, and should address all possible security risks. Organizations must learn to discover the rationale behind data processing and the need for additional security controls. This exercise is already a familiar one in most companies for many other business-related data requests; under GDPR, it just needs to be extended to new areas of cyber-security (basically: everywhere.)
6. Get buy-in from management the right way.
GDPR ensures compliance by dangling the sword of fines over companies‘ heads in the case of significant data breaches and negligence. But in order to motivate management to invest in security solutions for GDPR, it’s best to focus on the positive. Make the case for seizing the opportunity to transform the organization to one that‘s more efficient, cheaper to operate, and better secured against data threats. Your CISO will need good communication skills to translate the compliance goals into specific actions that appeal to key decision-makers and address their specific motivations. A good CISO will help everyone in the organization understand that security is everyone‘s concern – not just the security department’s.
7. Security is a never-ending story.
Just as an organization’s IT environment is always changing, IT governance, security governance and their related processes should be in constant transformation. It’s not just a question of repeating specific GDPR compliance checks; you must do regular check-ups of your entire IT environment. To ensure that you’ll be able to do this correctly for the long haul, it’s best to avoid implementing isolated fixes for the specific data requirements of any single player, which could complicate governance. Instead, focus on creating a systematic, standard approach that handles all data requests the same way, even though they come from different actors and stakeholders in your organization.
8. Automation is always a good idea.
Automate whenever and wherever you can. Automation will help you avoid human operator errors, and it can create much more traceable, detailed activity logs. Consider investing in powerful self-service portals or solutions that automatically classify information and apply the corresponding security controls.
For most businesses, GDPR is no walk in the park; it involves many tasks that must be specifically addressed, such as the updating of contracts with third parties, and supporting the new or updated data subject’s rights. But companies can take some consolation in the thought that proper governance will ultimately pay off, and offers benefits that extend much wider than the simple assurance of compliance in an increasingly regulated IT world.
Let's meet in Vegas
If you'd like to learn more about these topics, join us for HPE Discover in Vegas, June 18-21. We have the following sessions and demos that relate to the topic:
- Session T5027: Do you have customers, employees or contactors in the EU? Prepare your IT organization for General Data Protection Regulation. Presented by Jan De Clercq.
- Demo 701: Pump up your operational security, compliance and cyber defense with HPE Pointnext
Related Articles:
About the Authors:
Martin Zich
Martin Zich is IT security advisory consultant, member of HPE Pointnext Worldwide Security CoE, focused not only on information security and privacy in different environments and industries but also on overall cyber-defense and various solutions enabling its practical implementation. Apart from technical advisory he helps organizations to improve their IT security strategies, governance and to address various compliance requirements using IT security best practices.
Jan De Clercq
Jan De Clercq is the Security CT in the HPE Pointnext worldwide Security Center of Excellence (CoE). Jan has over 20 years of experience in IT security and is an HPE TCP Distinguished Technologist. He currently focuses on hybrid IT security for which he develops new services and assists with the first-time delivery at customers.
ServicesExperts
HPE Services Team experts share their insights on the topics and technologies that matter most for your business.
