This is the final part in my GDPR Step-by-Step series, and one that, in my cynicism, I see very few organisations even trying to attempt. I have lost count of the number of companies with whom I have tried to implement a continuous compliance program, only to have them stop once they received their initial ‘certification’. In this respect, GDPR will be no different from something like PCI.
But for GDPR, if you don’t build the necessary knowledge / processes into everyone’s day jobs, your compliance program will falter. While data protection and privacy are everyone’s responsibility, they cannot, and will not, be at the forefront of everyone’s mind as they work through an ordinary day.
There are some who are convinced that you can ‘operationalise’ the entirety of GDPR with ISO 27001. This is, of course, nonsense. However, the concept is perfectly valid in that ISO 27001’s goals are to:
- Systematically examine the organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a comprehensive suite of information security controls and/or other forms of risk treatment;
- Adopt an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs.
So why can’t you just replace “information security controls” with “data protection controls”? Because the entirety of ISO 27001 covers only 1 of 99 Articles in GDPR (Article 32); the rest of the Articles cover aspects of data protection that the ISO standard was never designed to encompass. Nor should it try.
That said, a lot can be learned about how to adopt GDPR’s “appropriate technical and organisational measures” by bridging them with the ISO concepts. This is partially demonstrated by the white paper from IAPP and OneTrust, Bridging ISO 27001 to GDPR (my thanks to Gabriel Avigdor for bringing this to my attention).
In the end though, to operationalise GDPR you will be implementing some new concepts [to you anyway], as well as taking existing concepts to a whole new level. Still simple, and still bloody difficult, especially without appropriately qualified expertise.
Things to operationalise:
- Senior Leadership Commitment: Leadership commitment to cybersecurity is one thing, but GDPR has the potential to significantly impact the way an organisation performs its core function(s). The commitment from the CEO/BoD has to pay a lot more than lip service; data protection needs to be built into the company’s values and goals. They need to live and breathe this stuff or no-one else will;
- Governance: GDPR is the perfect program to put in the hands of governance. What other function in the organisation has both the support from senior management AND representation from all departmental verticals?;
- Employee On-Boarding: I’ve lost count of the number of times I’ve harped on about this one. If you want more, see Human Resources, the Missing Piece From Every Security Program, and just add ‘data protection’ to the list of subjects HR could help address;
- Employee Awareness & Training: As stated above, data protection is everyone’s responsibility, so every employee MUST receive training appropriate to their role within the organisation;
- Policies, Standards & Procedures: Data protection adds a whole raft of ‘paperwork’ to any organisation. Without appropriate document management, these will not keep up with the changing face of privacy law. In this respect, data protection is no different from cybersecurity, as without your ‘paperwork’ in place you will never be compliant with anything;
- Risk Management: This is almost identical to the risk management performed for cybersecurity and IT; 1) measure your risk, 2) determine whether your current controls meet the risk, 3) if yes, do nothing, if no, remediate the gap(s), 4) repeat. Of course there are differences, in that a normal risk assessment will not cover the requirements of a Data Protection Impact Assessment (DPIA), but the process is VERY similar and will likely involve much the same people;
- Asset Management: Core to cybersecurity, and core to data protection. You cannot manage what you don’t know you have. However, while cybersecurity cares about the security controls you have in place around the data assets, data protection cares about what you’re doing with the data. This takes asset management to a whole new level, a level you have no hope of achieving if you can’t manage your data life cycle;
- Vendor Due Diligence: While you could almost get away with not doing this well for ‘just’ security, under GDPR your third parties must ALL be held to much higher standards. There is little room for error in both contracts and ongoing service monitoring, as you could well end up 100% liable for their failings. Controller/Processor relationships are critical;
- Incident Response / Breach Management: Like vendor due diligence, organisations are very lazy about getting incident response right. Not under GDPR: there will be very few excuses supervisory authorities will accept if you cannot, as a controller, report a breach within 72 hours of being notified. You will need a very good REASON;
- Record Keeping: Unless your organisation has fewer than 250 employees AND your processing of personal data is ‘occasional’, you will need to keep a record of your processing activities. For most this will be a manual process on a spreadsheet, but that does not mean it should not be assigned ownership and warrant frequent review at senior level.
There are literally dozens of other things that need to be addressed, but I think these are the big ones. It’s actually quite scary how similar these are to security, which perhaps explains why security people get cornered with this stuff so frequently. But while there are definite similarities, even parallels, the differences are profound and must be addressed by the appropriate skill set.
If you only get one take-away from this GDPR Step-by-Step series, I hope it’s this: there is nothing new here. In some way, shape, or form, EVERYTHING required of you for GDPR has been done before, and there are many people out there who have done it.
All you have to do is a little homework…