BT's Mike Pannell on why any organisation that holds personal data should have a compliance strategy in place
I’ve been thinking about how GDPR affects our customers, and what we can do to protect their data. I believe that many are focussing their attention on the obvious data, the named systems everyone knows hold personal information, and neglecting the less well controlled copies elsewhere. Readiness varies widely, and with GDPR fast approaching the cyber security landscape feels like a warzone: combating the risks and complying with the new regulation has become a painstaking undertaking.
Sadly, many organisations still massively underestimate the scale of the threat. As Jason Hall, Director of Health, BT, said in his latest blog: ‘The damage that cyber-attacks bring to organisations is startling… These are not merely technical issues. People’s lives are sometimes at stake.’
The PII held will naturally vary between organisations. The CRM system is the obvious database of personal data, and there are well understood strategies to protect it, but the risk extends beyond it. Unstructured data (spreadsheet exports on file shares, email, helpdesk notes) and dark data (information collected and retained but no longer catalogued) can equally contain personal data and should not be ignored. They are also harder to quantify and protect, not least because they rarely have a named owner.
Compliance, data discovery, data loss prevention, unstructured data and security challenges: the breadth and depth of questions worrying the ‘top minds’ in cyber security and their boards suggest that many are still not ready to assess how much personal data they hold and where it is stored.
This echoes the “The cyber security journey – from denial to opportunity” research, which flags that many organisations are still at the ‘denial stage’ of their cyber security journey, succumbing to the ‘it will never happen to us’ syndrome. Every organisation travels a security journey, and there will be faltering steps before it becomes a true leader in data security. Clearly, with GDPR now coming into effect, many need extra help with compliance.
As such, at a minimum every organisation that holds any personal data should already have appointed its Data Protection Officer, and it is crucial that the person in this role understands the business, how data is handled and the protection mechanisms already in place. Strictly, Article 37 of GDPR mandates a DPO only for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, but naming someone accountable for data protection is sound practice for everyone else too.
You could engage consultants to conduct a data discovery exercise, but they need to be pointed at where to look. Do you have data in the public cloud? Do you share it with third-party organisations, or hold it on in-house servers and PCs? Without this insight you will have an incomplete view of the PII risk.
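A minimal form of the discovery exercise described above, covering the unstructured and dark data mentioned earlier as well as the CRM export, written as an added example rather than anything from the original post or from BT. It scans a constructed in-memory corpus standing in for a CRM export, file-share documents and helpdesk tickets, counts distinct email addresses, UK phone numbers and National Insurance numbers per location, and rolls the counts up by data store. The detector patterns are heuristics, and the sample file names and contents are constructed for illustration.

```python
import re
from collections import defaultdict

# Heuristic detectors for a few common UK-centric identifiers. These are
# illustrative patterns, not a complete PII taxonomy; a real discovery run
# would add the identifiers relevant to the business (customer IDs, NHS
# numbers, card numbers with a Luhn check, and so on).
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK mobile or landline in national format, spaces optional.
    "uk_phone": re.compile(r"\b0(?:\d\s?){9,10}\b"),
    # National Insurance number, e.g. AB 12 34 56 C (prefix letters restricted per HMRC rules).
    "ni_number": re.compile(
        r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b", re.IGNORECASE
    ),
}


def scan_text(text):
    """Return {kind: set of distinct normalised values} for every detector that fires."""
    found = {}
    for kind, pattern in DETECTORS.items():
        # Normalise (strip spaces, lowercase) so "07700 900123" and "07700900123" count once.
        hits = {re.sub(r"\s", "", m.group(0)).lower() for m in pattern.finditer(text)}
        if hits:
            found[kind] = hits
    return found


def discover(sources):
    """sources: {location: text}. Returns {location: {kind: distinct_count}} for locations with hits."""
    report = {}
    for location, text in sources.items():
        hits = scan_text(text)
        if hits:
            report[location] = {kind: len(values) for kind, values in hits.items()}
    return report


def summarise_by_store(report):
    """Roll the per-file report up by the first path component (the data store it lives in)."""
    totals = defaultdict(lambda: defaultdict(int))
    for location, counts in report.items():
        store = location.split("/", 1)[0]
        for kind, n in counts.items():
            totals[store][kind] += n
    return {store: dict(counts) for store, counts in totals.items()}


# Constructed sample corpus: a structured CRM export, two file-share documents
# and a helpdesk ticket. All names, addresses and numbers are made up.
SAMPLE_SOURCES = {
    "crm/contacts_export.csv": (
        "id,name,email,phone\n"
        "1,A. Smith,a.smith@example.com,07700 900123\n"
        "2,B. Jones,b.jones@example.org,0117 496 0123\n"
    ),
    "fileshare/finance/payroll_notes.txt": (
        "Query re NI AB 12 34 56 C for A Smith (a.smith@example.com) - call back on 07700 900123"
    ),
    "helpdesk/ticket_4471.txt": (
        "Customer says she emailed from c.brown@example.net twice with no reply."
    ),
    "fileshare/marketing/brand_guidelines.txt": (
        "Use the primary blue for headings. Contact the design team for assets."
    ),
}

if __name__ == "__main__":
    report = discover(SAMPLE_SOURCES)
    for location, counts in sorted(report.items()):
        print(location, counts)
    print("by store:", summarise_by_store(report))
```

The point of the roll-up is that the payroll note on the file share holds the same PII as the CRM row plus a National Insurance number the CRM never had, which is exactly the kind of copy a CRM-centred protection strategy misses.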
When you know the data you hold, steps can be put in place to protect it. Crucial to this is a philosophy of privacy by design (data protection by design and by default, Article 25 of the regulation): every business process should access only the data relevant to that transaction. This may be hard, but least privilege and minimum data must be at the heart of information processing.
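An added example (not from the original post or from BT) of what ‘every business process should only access data relevant to that transaction’ looks like in code: each purpose declares up front the fields it may read, a request outside that allowlist is refused rather than silently trimmed, the analytics purpose sees the customer identifier only as a keyed pseudonym, and every access is logged so the process can later demonstrate what it read and why. The record, purpose names, field names and key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed customer record, in the shape a CRM might hold it.
CUSTOMER = {
    "customer_id": "C-1042",
    "name": "A. Smith",
    "email": "a.smith@example.com",
    "phone": "07700 900123",
    "postal_address": "1 Example Street, Bristol",
    "date_of_birth": "1980-04-12",
    "order_history": ["ORD-1", "ORD-7"],
}

# Each business purpose declares the fields it may read. Anything not listed
# is never returned, whatever the caller asks for (data minimisation).
PURPOSE_FIELDS = {
    "shipping": {"customer_id", "name", "postal_address"},
    "support_reply": {"customer_id", "name", "email"},
    "analytics": {"customer_id", "order_history"},
}

# Fields a purpose may see only in pseudonymised form.
PSEUDONYMISED = {"analytics": {"customer_id"}}

# Every access decision is recorded so the process can evidence its behaviour.
AUDIT_LOG = []


class PurposeError(PermissionError):
    """Raised when a request falls outside the purpose's declared fields."""


def pseudonymise(value, key):
    """Keyed hash: stable for the same customer, not reversible without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def access(record, purpose, fields=None, key=b"constructed-demo-key"):
    """Return only the fields the purpose is allowed to read, refusing anything else."""
    if purpose not in PURPOSE_FIELDS:
        AUDIT_LOG.append((purpose, "denied", "unknown purpose"))
        raise PurposeError(f"unknown purpose {purpose!r}")
    allowed = PURPOSE_FIELDS[purpose]
    requested = allowed if fields is None else set(fields)
    denied = requested - allowed
    if denied:
        # Refuse the whole request: silently dropping fields would hide the over-reach.
        AUDIT_LOG.append((purpose, "denied", sorted(denied)))
        raise PurposeError(f"purpose {purpose!r} may not read {sorted(denied)}")
    out = {}
    for field in requested:
        value = record[field]
        if field in PSEUDONYMISED.get(purpose, set()):
            value = pseudonymise(value, key)
        out[field] = value
    AUDIT_LOG.append((purpose, "read", sorted(requested)))
    return out


if __name__ == "__main__":
    print(access(CUSTOMER, "shipping"))
    print(access(CUSTOMER, "analytics"))
    try:
        access(CUSTOMER, "shipping", ["name", "email"])
    except PurposeError as err:
        print("refused:", err)
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The shipping process never learns the customer's email address or date of birth, and analytics can join orders to a stable token without ever holding the real identifier; the HMAC key, not the token, becomes the secret to protect.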
Proofpoint, a cyber security company headquartered in Silicon Valley, invited me to its flagship conference, Proofpoint Protect. It is a hugely insightful gathering where threat trends are discussed and best practices for combating today’s security, compliance and digital risks are shared among the ‘top minds’ in the cyber security industry.
The agenda was both exciting and worrying. Exciting for us cyber security experts, because our role in organisations across the world has never been as important and is likely to gain even more gravitas as digital transformation becomes more tangible than ever before. Worrying, however, for the unprecedented scale of the cyber threat at the global level.
Enza Ianopollo, an analyst at Forrester, shared the latest figures from a survey of over 3,000 companies that assessed their overall readiness for GDPR. Disturbingly, fewer than half claimed to be ready now, and there is still some doubt about what compliance means.
Ryan Kalember, Enza and I were on stage to answer audience questions on GDPR. Topics were varied, including compliance, data discovery, DLP, unstructured data and security challenges. The breadth of questions asked reinforced my opinion that it is imperative you start your cyber maturity journey RIGHT NOW.
As a minimum, every organisation that handles Personally Identifiable Information (PII) should have a compliance strategy statement. One cannot be sure how an auditor will test compliance, but a compliance strategy backed up with appropriate technology, staff training and awareness will be a good start. There is no easy answer to compliance, but every strategy must cover the core principles of the regulation, including:
- Notification of data breaches (to the supervisory authority within 72 hours of becoming aware, under Article 33, and to the affected individuals where the risk to them is high, under Article 34)
- Appointment of a Data Protection Officer (Article 37)
- Demonstrating how privacy is designed into business processes (data protection by design and by default, Article 25)
- Data risk management, including data protection impact assessments for high-risk processing (Article 35)
- Assessment of risk management extended to any third parties who have access to PII, backed by the processor contract terms Article 28 requires
In a recent post my colleague David Petty questions where IT sits in a corporate org chart. This leads to a natural question: where should a Data Protection Officer sit in your organisation? Should it be a role within the CIO domain? I’d argue this role has to include elements of IT knowledge but probably should report to a Chief Information Security Officer and not to the IT manager. Wherever the role sits, Article 38 requires the DPO to report directly to the highest management level and to be free of duties that conflict with the role, so the reporting line and independence matter more than the department.
GDPR should not be a revolution over existing best-practice data handling policies, and organisations that already had robust policies are likely to find GDPR a small step. Well controlled data handling benefits any business, since it can react to opportunities more quickly when its information is already well understood. Of course, GDPR also threatens financial loss: organisations are naturally worried about the potential fine for a data breach, which can be a significant amount of money (up to €20 million or 4% of global annual turnover, whichever is higher). Harder to quantify, reputational damage can also have a significant impact on a business. Above all, we need to make sure data loss never turns into loss of life, where the damage caused would be truly inconceivable.