GDPR Part 1: A Legal, IT, or Information Security Issue?

The General Data Protection Regulation (GDPR) is a new regulation affecting organizations that reside in the European Union (EU) or merely transmit EU citizen data. The regulation is designed to strengthen data protection of this personal information and non-compliance comes with hefty penalties. Fines for the most serious infringements of GDPR are 20 million EUR or four percent of global revenue, whichever is greater. This represents a catastrophic penalty for many organizations. Even minor infringements could cost 10 million EUR or two percent of global revenue. Ouch. With the looming May 25, 2018 compliance deadline, much confusion remains around organizational ownership of achieving compliance with the European Union (EU) General Data Protection Regulation (GDPR).

At Optiv, we frequently assist clients with their GDPR strategy, and the first question we are generally asked by our clients is: “Who should own GDPR?” Effective GDPR compliance (and effective privacy and information security programs, in general) are best enabled by well-thought out division of responsibilities, good partnerships and a clear understanding of roles. In this first part of a three-part series, we will unravel some of the major components of GDPR, and share some thoughts and strategies for solving the problem of “who does what?”

It’s a Legal Issue

GDPR is perhaps the most specific legislation to date regarding obligations of data controllers and processors about privacy and the protection of personal data. Chapter 4 of the regulation begins by defining these general obligations and mandating appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32). While at first glance it would be easy to chalk this statement up to a pure-play cyber security policy and technology issue, Chapter 4 further defines the requirements for a data protection impact assessment (Section 3), the assignment of a data protection officer role (Section 4), and codes of conduct and certification (Section 5).

Within each of the above-mentioned articles of the regulation, requirements for effective corporate privacy policy, codes of conduct and privacy-related tasks are identified. However, these requirements generally would not fall within the purview of a traditional cyber security program. For instance, Section 5 identifies codes of conduct which would generally fall within the scope of corporate council to define, create contracts language (or contract addendums for existing relationships), and monitor compliance through effective vendor assurance and third-party risk management.

Chapter 5 of the regulation also defines principles for transfers of personal data to processors or controllers in non EU countries or international organizations. This chapter contains a mind-boggling array of stipulations for determining adequacy of protection for third countries, binding corporate rules, safeguards and international cooperation regarding personal data. Any cyber security professional helping their organization work towards GDPR compliance would be wise to partner extensively with their internal and/or external council regarding these components of GDPR, as the contracting, privacy, and legal components of GDPR do fall outside of what most of us cyber security professionals are doing within the scope of the security program.

At Optiv, we’ve found organizations where their CISO, privacy officer (usually part of the office of general council) and general council are struggling to determine how to divide responsibilities appropriately and ensure the necessary safeguards (legal and technical) are in place. We have seen the most success when the legal department leverages the cyber security team to answer questions related to the effectiveness of safeguards, the security of processing, and the risk assessment (Article 35) components of GDPR. Concurrently, the cyber security and IT teams supporting their legal partners as they develop the appropriate contract language to enable compliance is critical. GDPR compliance truly is a team effort, and learning to “speak each other’s language” goes a long way in ensuring good partnerships between teams. Nowhere does this become more critical than the data protection officer (DPO) role.

In general, our clients appoint a DPO out of either the legal or cyber security teams to be compliant with Article 37 of GDPR. While there is no right or wrong answer on which team should own this role, it’s important to note that Article 39 of the regulation contains specific tasks of the DPO regarding the monitoring of compliance with the regulation and with interpreting the results of data protection impact assessments (DPIAs). For this reason, it’s important to not underestimate the technical acumen required to successfully perform this function. For instances where the DPO role is assigned out of the legal department, good partnerships with IT and cyber security are critical, especially when parsing through technical details that result from the DPIA. For smaller organizations, leveraging a third-party virtual DPO may be the right answer. Articles 37 and 38 of GDPR specifically enable organizations to leverage a DPO through a service contract, provided the DPO is readily accessible to the client.

With all of this, one could easily come to believe GDPR is a legal problem requiring a bit of assistance from the cyber security team, right? Not so fast…

It’s an IT Issue

Without question the most heavy-lifting of GDPR compliance (from a level of effort perspective) comes by way of Chapter 3 – Rights of the data subject. These are commonly referred to by the most well-known article (Article 17) as “the right to be forgotten,” but they contain far more data subject rights than the right to erasure. These data subject rights are extensive and include such rights as the right of access by the data subject (Article 15), the right to rectify incorrect data (Article 16) and the right to data portability (Article 20), among others. Make no mistake, enabling these data subject rights entails a substantial amount of work on IT systems and represents an enormous amount of effort for most organizations.

Most legacy customer relationship management (CRM), electronic health record (HER), enterprise resource planning (ERP) and customer web portal systems simply were not designed to support these data subject rights. Let’s take Article 20, for instance, which requires that data about a data subject be made available “in a commonly used and machine readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.” The article goes on to define some parameters for compliance and exceptions. However, to be clear this article alone represents a significant burden for extending existing business applications to enable compliance. For most organizations, achieving compliance by May 25 is out of the question for this reason alone. According to Gartner, more than 50 percent of companies affected by GDPR will not be in full compliance with its requirements by the imposed deadline.

It’s an Information Security Issue

If GDPR could be distilled down into a single sentence, it would be: “Don’t get breached,” perhaps followed by, “If you do, it’s going to cost you a lot of money.” Given the hefty financial penalties associated with GDPR, it’s critical for the cyber security program to mitigate breach risk as best as possible. Meanwhile, the IT and legal teams can focus on tackling the aforementioned heavy lifting to achieve full compliance of the regulation.

At Optiv, our perspective is that companies which establish business-aligned, risk-based, threat-aware cyber security programs realize compliance as a positive side effect. In the next part of this three-part series, we will discuss the six cyber security program pillars for GDPR compliance; how they should fit within the overall GDPR compliance program; and how these pillars enable an effective, risk-based cyber security program that accomplishes the GDPR compliance objective while protecting the organization against other risks.