GDPR: Readiness Playbook. Beware, prepare or despair.

GDPR is making a lot of noise both domestically and globally. Recently major US technology companies, the FANG companies (Facebook, Amazon, Netflix and Google), have made a splash with the opening of new privacy centers along with attention to data privacy to help their companies comply with Europe’s GDPR regulation that will arrive in just three short months. These company’s announcements come as a stern warning to U.S. companies which have been extremely slow to react and prepare for the May 25 compliance deadline.

Unfortunately they may be underestimating both the risk and impact of the data privacy regulations improperly thinking it affects companies in the European Union only. This is just not the case. The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply.

So to be clear: If you’re part of a U.S. company that handles personal information of EU residents the GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance. According to a report from Ovum, 52 percent of companies believe they will be fined for non-compliance. Management consulting firm Oliver Wyman predicts that the EU could collect as much as $6 billion in fines and penalties in the first year.

The players: Who within my company will be responsible for compliance?

A GDPR project will require commitment from the executive leadership team and impact many areas of a company. Legal, IT, Security, Compliance, and Business Leaders will need to orchestrate and execute a coordinated response across the enterprise for their GDPR plan to succeed. There are three defined roles defined by GDPR you should be aware of:

• Controller: According to Article 5 from the EU GDPR, the controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data. These are: lawfulness, fairness and transparency, data minimization, accuracy, storage limitation and integrity, and confidentiality of personal data. So the controller determines the purpose, conditions, and means of processing data, but doesn’t actually do the processing.
• Processor: According to Article 28 from the EU GDPR, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”. Essentially whether the processor is a third party or internal to the organization the processor should follow the contract as set by the controller and adhere to confidentiality. GDPR regulation clearly indicates “clouds” will not be exempt from GDPR enforcement. Additionally, the processor protects data with technical and organizational controls, and documents those.
• Compliance Officer or Data Protection Officer (DPO): The compliance officer is a key resource to assess the risk of regulatory requirements. This person will supervise and communicate with the executive team the plan to protect personal data, and clarify the penalties associated with faulty or delayed implementations.

Countries and organizations may define personal information in different ways, but the GDPR defines it as data that can be used to identify a person:
Basic identity information such as name, address and ID numbers

• Web data such as location, IP address, cookie data and RFID tags
• Health and genetic data
• Biometric data
• Racial or ethnic data
• Political opinions
• Sexual orientation

Thus GDPR goes way beyond just cyber security, so the IT team, Information security and Legal need to work together closely. .
Readiness means building a comprehensive Data Integrity Platform, here are the principles:

1. Data Roles & Responsibilities: Determine who has and should have access to data and manage permissions accordingly. Knowing this vital information helps organizations defend the business need for the data and ensure data isn’t used outside of its intended purpose.
2. Data Asset classification: Analyze and classify relevant data for ongoing management. The data classification process entails locating data and assigning it a certain category (e.g., highly restricted, restricted, internal use, public), so your business can enable the right level of protections based on the associated business and regulatory risks.
3. Data discovery: Data discovery involves identifying and locating sensitive or regulated data in order to adequately protect it or securely remove it. Data discovery is a priority for GDPR teams because it is a crucial component of compliance readiness. Data discovery involves auditing sensitive or regulated information, including confidential or proprietary data as well as protected data such as personally identifiable information (PII) or electronic protected health information (ePHI). Data discovery enables security teams to identify this information in order to protect it and ensure its confidentiality, integrity, and availability.
4. Data access: Determine who has and should have access to data and manage permissions accordingly. Knowing this vital information helps organizations defend the business need for the data and ensure data isn’t used outside of its intended purpose.
5. Data handling: GDPR requires that controls be in place to manage risk to the confidentiality, integrity and availability of sensitive data in any form whether data is at rest, as well as data that moves through the company. Importantly, GDPR specifies that breach notifications are to be reported to EU authorities within 72 hours of an incident.
6. Data protection: When you design a system for GDPR, think about the privacy of its ultimate users. If you are collecting personally identifiable information (PII) just because somebody from the marketing team said to do so, perhaps you need question the process? Do you store PII in a place where it can be compromised? Shouldn’t that be encrypted? Information security practitioners don’t always have to provide the answers to these privacy questions (that’s what CIOs get paid for), but it’s important for GDPR.

Legal needs to establish a GDPR information security program which is deciding what security measures are necessary based on the regulation, and protect the company from vulnerabilities. Be sure though, not complying means intense scrutiny from European partners, and opens up costly litigation.

The bigger benefits

Set a sense of urgency that comes from top management:

Risk management company Marsh stresses the importance of executive leadership in prioritizing cyber preparedness. Aligning with global data hygiene standards is part of that preparedness. GDPR is such an intimidating opponent to many U.S. organizations that they don’t even appear to be showing up for the competition, let alone trying to win. Rather than considering GDPR a problem too tough to tackle, view it as an opportunity to put the right building blocks (people, processes, and technology) in place for an effective security program. After all, when you have a well-run security program, regulatory compliance — including GDPR compliance — will be a natural side-effect.

This is precisely where SEEBURGER comes in… offering one centralized platform that manages and secures all file transfer or business processes containing GDPR data payloads. Our solutions are built from the ground up and are laser focused on the security and compliance requirements around data flows whether in transit or at rest that IT and Security is responsible for both inside and outside the organization. We take into account the formats, standards, communication protocols, and combine it with extensive experience deploying the solution in the cloud or on-premises. From the heart of Europe our German Engineers have built a standard complying Hybrid Integration platform and Business Integration Suite (BIS) to bridge not only the GDPR challenges but any digital transformation that impacts business processes that are on the horizon. When Governments or the European Union regulate and change how data is to be moved globally on the information superhighway you can count on SEEBURGER to assist you being ready.

For more information visit SEEBURGER.