A lot has already been written about the GDPR. For the information security community, the focus has largely been on the data mapping or data inventory elements. In many companies these have been handed to technology/IT departments – but for large companies and those with many legacy systems, it’s a challenging issue.
The GDPR demands a change in approach to privacy, but it also provides an opportunity for better information governance. GDPR requires companies to look holistically at how they ‘do’ privacy, and to embed it in their systems, processes and cultures. In some ways it is catching up with information security, which has been an integral part of business for some time. GDPR presents an opportunity for privacy and information security professionals to pool expertise and resources, and achieve better information governance for their companies.
Good information governance is more than a compliance tick-box exercise. It reduces risk, focuses and prioritises company efforts, and demonstrates to shareholders, customers and consumers that your company takes privacy and security seriously. Good information governance increases trust and enhances a company’s brand, especially at a time where security breaches are reported on an almost daily basis in the news.
TAKE A HOLISTIC VIEW; HAVE A VISION
So yes, the data mapping part is important, and in my view it is a foundation for so many other aspects of GDPR. But seeking to understand what information an organisation holds needs to be a collaborative effort between privacy and information security professionals. While the information security experts are concerned with securing all information, and privacy professionals are specifically focused on the handling of personal information, we are all aiming for the same outcomes: finding out what information we have, what to do with it, where it resides, how it moves around, how long we keep it, who has access to it, and how we protect it against unauthorised access, use or disclosure.
Taking a holistic view of the information you have as a business allows both information security and privacy professionals to get on with their respective roles of protecting that information, ensuring and tracking compliance, introducing efficiencies, and responding to requests for information or statistics from company boards, business operations teams, customers or consumers. Working together – based on a mutual understanding of shared outcomes and a willingness to support one another – can achieve this.
It starts with a vision: what do privacy and security mean for your company? Are you looking to achieve only minimum required compliance, or to become a leader in your sector? Are you trying to make it your USP? If you need to build the case for the board you can do that together. Use and build on what has already been done for GDPR planning (such as systems or asset inventories, or DLP stats), and use GDPR requirements to improve how you do things to achieve this vision.
USE GDPR FOR COMPETITIVE ADVANTAGE
GDPR requires data minimisation and encourages ‘pseudonymisation’ and encryption. It also requires a privacy risk assessment when personal data is involved, along with documented evidence of assessments, decisions and implemented solutions. A typical example of a business request is for a particular function to gain access to certain information held by the business. Usually the assumption is that all staff need all data and that it’s as simple as getting the IT department to flick a switch.
By working together, privacy and information security experts can assess all the risks of the request, discuss its technical implementation, and consider how best to achieve the desired outcome in a way that keeps everyone happy. This leads to documented evidence of a risk assessment with both privacy and security requirements built into the process. Done right, you will not only meet a multitude of GDPR requirements, but probably many of your own KPIs as well.
These can often be reactive scenarios, but a more holistic approach would look at the bigger picture to find answers to such pressing questions as: how is access determined, managed and kept up to date; how does it relate to the new starter and leaver process; how do staff go about asking for and being granted access to data, and how is that process managed, documented and approved? Getting these things right from both a privacy and information security perspective is crucial in order to avoid constantly being in reactive, fire-fighting
This may all sound obvious, but sometimes it doesn’t work like this, and in my view GDPR is a real opportunity to take a step back and look at how you approach privacy and information governance, to review if you have adopted the right approach, and then to do it better.
GDPR can be a hard sell. At first glance it seems to be yet another list of onerous things you have to do to avoid a fine. However, an enlightened company will see this as a chance to embed privacy and information security at its operational core, and use it as a competitive advantage to increase trust in its brand. It’s time to move away from seeing privacy and information security as just compliance cost centres, and to see them instead as a way to ensure everyone wins.