Tackling GDPR Challenge #2: Treat Others’ Data as You Would Your Own
The third post in our Top 5 GDPR Challenges series focuses on how to meet the GDPR's requirements for data confidentiality and protection.
Welcome to the third installment of our series on the top 5 GDPR challenges and how to meet them. In the previous articles of the series I first gave a highlight of the top 5 challenges, then took a deeper dive into the top challenge, the EU resident as the true, new data owner. In this blog, I will look at the challenges around and steps to resolve confidentiality and sensitive data protection; this really is the heart of what almost any data protection standard seeks to achieve.
If we look at the GDPR text, one of the relevant sections that defines the need is:
Integrity and confidentiality are two of the three legs of the CIA triad, a key theme in data security, with availability being the one not called out in this excerpt. A brief scan of the news, or if you have time to learn more, the most recent Verizon Data Breach Incident Report, shows us that this simple 3-pronged model can be exceptionally difficult to achieve.
To achieve data integrity and confidentially to a level that satisfies GDPR there are 6 elements that businesses struggle with:
Here’s what these mean, using some of the language from the GDPR itself:
- Specificity: Data must be collected for specified, explicit and legitimate purposes and not further processed without additional consent from the data subject. Business are not used to this constraint; there used to be few limits on what they could do once they have your data.
- Transparency: Organizations must clearly outline the rights of data subjects, including who to contact if there are questions, who they will share the data with, the right to see the data, the right to correct the data, etc. Again, this level of transparency between businesses and data subjects is a fundamental shift in how they operate.
- Accuracy: The information on data subjects must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. Having accurate databases makes business more efficient, but with the minimal cost to process data and the real cost to clean up data it is no wonder that businesses have been less than diligent about this in the past.
- Expiration Date: Data subjects must be told the period for which their personal data will be stored, or if that is not possible, the criteria used to determine that period. The concept of subject data being stamped with an expiration date means businesses must find a way to assess when a data subject entered the system and flag when that data is no longer allowed to be stored.
- Confidentiality and Integrity: Data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organizational measures. This is all about ensuring that the information entrusted to businesses by data subjects (or as some might call them customers, patients, or clients) is given the care you would expect they give if it was their own private information. This concept is not new, but it is not easy to achieve 100% of the time.
- Documented: All the above must be documented in such a manner that an auditor can see these steps have been taken in the event of a breach or at a periodic audit. Additionally, there is a stipulation in the GDPR for latitude in how fines or punishment in the event of a breach are meted out; this is where documentation can help reduce the impact of a breach: “… any action taken by the controller or processor to mitigate the damage suffered by data subjects…”
Sticking with the People, Process, Technology approach I outlined in the previous blog:
- Education and awareness is the place to start. Of the challenges I outlined, many of them require behavioral shifts; these changes do not happen without a clear discussion with the various teams about how their roles and processes will be affected.
- Businesses will confirm that changes are happening when they start receiving questions like “is this what we said we would do with the data subject’s information?” or “how long have we had this data, and can we still use it?”
- The key person in the people element is the data protection officer (DPO) and the level of accountability he or she has. To properly protect the data it helps to have a single person or role that is directly tied to this metric. There is no question of who to go to with concerns, questions, or when there is an incident.
- GDPR adds new rules around processing; these rules need to become part of the operating mechanism of the business such that they become second nature.
- The fewer things you have to protect, the easier the job of protection becomes. By limiting the data that you collect, your attack surface shrinks, and if data does leak your liability can be reduced from data minimization, too.
- DPOs must be empowered with the latitude to do their job. That means support from business leadership, financial support to implement the changes, and the empowerment to make decisions in the interest of GDPR compliance that may cause conflicts.
- To ensure the people and processes are working you need visibility into your organization’s full GDPR data set. Do you have GDPR data on laptops, servers, and file shares? Are people putting GDPR data into the cloud without proper controls?
- Taking that visibility and creating the powerful analytics to tell the story about your GDPR footprint is the next place where technology can help. Where is your GDPR data flowing most frequently, who is the biggest consumer of it, and when is it leaving the business? Are all these behaviors expected and compliant?
- If the answer to that last question is no, there needs to be a control mechanism to stop that action before it turns into a breach requiring notification and potentially resulting in fines. Data protection tools can prompt users when they are performing potentially non-compliant behavior or go all the way to blocking the action to stop the data loss before it happens.
- GDPR is rather vague in how to achieve the goal of data protection; this gives business the latitude to solve the problem, not implement an ineffective (non-)solution. However, there are two technologies called out in the GDPR: encryption and pseudonymization. Both of these solutions aim to render any personal data that does leak out worthless on the black market, or sufficiently anonymized such that little to no risk to the data subjects results from their exposure.
To learn more about the other top GDPR challenges and the steps required to address them ahead of the May 2018 GDPR deadline, watch our webinar on demand.
Read more in our Top GDPR Challenges series
- The Top 5 GDPR Challenges: Accelerating your Path to Compliance
- Tackling GDPR Challenge #1: EU Residents are The New Data Owner
- Tackling GDPR Challenge #2: Treat Others’ Data as You Would Your Own
- Tackling GDPR Challenge #3: The 72-Hour Notification Requirement
- Tackling GDPR Challenge #4: Privacy by Design and Default
- Tackling GDPR Challenge #5: The Data Protection Officer – Is There an Officer, Problem?