GDPR. Four letters that are thrown around organisations at an alarming rate, causing panic, profiteering from ‘experts’ and limitations on the way we work. Or: GDPR. Four letters that are allowing organisations to finally understand that you must do the right thing or face potentially serious consequences.
As a security consultant I am often asked for my opinion on the GDPR by many different organisations and individuals, and there is one common theme: what do we have to do and how do we do it?
Many organisations that are currently preparing for the GDPR enforcement date are spending lots of time and money spinning up a GDPR programme, carrying out a data mapping exercise, appointing a DPO, analysing non-compliances and tracking their progress with reports to accountable executives, allowing for effective management and viability – this is great.
Unfortunately, not all organisations have the funding available to carry out such an extensive programme, and not all organisations carry out the above steps in an effective manner – too often the problem is not down to the planning and funding, but down to ineffective execution. In this article, I am going to give you 5 tips that, in my opinion, will help your organisation to succeed in becoming more compliant if you aren’t already at that point:
(Note: these tips should be applied in context and may not be suitable for all scenarios – the key is to apply some pragmatic, common sense.)
Tip 1 – Always use a top down approach for non-compliances
Every organisation will experience an aspect of non-compliance, whether it is due to legacy systems, tricky cultural problems or the ‘known unknown’ – the real problem lies in the approach to managing it. If you know that something cannot be done due to XYZ, you MUST document the decision-making process with supporting risk assessments and approvals – if you know that the perfect solution isn’t possible due to technical or cost issues, document it; don’t just accept it and move on. My approach is to ask: ‘if a customer sat you down and asked why you were doing this’, could you immediately provide a comprehensive, justified, supported organisational response that reduced and mitigated risk where possible for a clear benefit, or would you have to get back to them at a later date?
Tip 2 – Always take a pragmatic approach and ask yourself one question
Are we doing the right thing? If you cannot easily answer this question, the chances are you shouldn’t be doing what you are doing and, regardless of the GDPR, you should stop. This should be the first question asked when looking at any workstream within a GDPR programme, which leads on to the next tip:
Tip 3 – The often forgotten last option
Can we just delete it or stop capturing this information? Upon completion of a data mapping exercise or assessment of data capture journeys, organisations tend to jump straight to a solution as a means to make the data or process compliant. Too often, people in the room do not ask the ultimate question: what is the actual benefit of this data / process and what happens if we just delete it? You will be surprised at how many opportunities you will find to reduce cost and ease data management if you drill down to the core purpose of capturing information.
Tip 4 – Focus on the basics first
If you haven’t got the basics right, do not waste your time getting caught up in over-complicating your GDPR programme – focus your efforts on getting the basics right first. From a security perspective, and to satisfy a core principle of data protection, there are many frameworks and best practices available for free to bring your organisation up to speed. If you still have members of staff sharing passwords or insecure customer databases, don’t spend your time looking for a fancy behavioural analytics tool. Another good way to achieve this is by completing one of the many security accreditations, e.g. ISO 27001 or Cyber Essentials. If you take this approach you must be careful – having an accreditation does not mean that you are secure – you can learn to pass a test but still not know the subject.
Tip 5 – For the sake of both your organisation and customers, speak up
Many GDPR-related meetings and boards have become political and swathed in bureaucracy, which causes problems, especially when something needs doing, as it often comes down to the ability to cross-charge departments and pay for formal resource, with no-one wanting to pick up the cost. If you are in a position where you have identified a gap in a process or changes that need to be made, put something together in a clear format with justification and speak to your DPO or accountable executive if possible – I would challenge any expert to deny the opportunity when presented in this manner, and often it empowers you to turn a lengthy process into a quick change. Of course, this is dependent on your organisation and you should always be mindful of hierarchy when skipping formalities.
What you will notice about these tips is that they can be applied to other scenarios, not just the GDPR, and are more about good security practice and decision making. This helps in highlighting one of the biggest problems that organisations face – pigeonholing problems and becoming too immersed in those four letters. Aside from the few specific requirements that the GDPR brings, it should be treated as helpful legislation that confirms how we should be treating customers and their personal information, but with the ability to enforce much greater consequences on those who act unlawfully. If you are on your way to doing the right thing and have effectively documented your decisions, keep making progress and do not worry – it is not something to be feared unless you should be fearful.
Finally, the GDPR has given a fantastic opportunity to those security departments within businesses that struggle to push and gain support for the security agenda, to embed best practice and have more of a say in the way that some demanding businesses operate. I personally welcome the changes and can already see huge improvements across organisations of different sizes and sectors.