In today’s world, regulations seem to evolve almost as frequently as cyber threats. One of the most significant compliance discussions today: General Data Protection Regulation (GDPR), which gives European citizens control over how their personal information is handled and holds organizations accountable for adhering to citizens’ wishes, regardless of where the data resides.
GDPR, the acronym for the European Union’s General Data Protection Regulation, has been quickly transitioning from a quiet murmur in the background to a top point of discussion in the boardroom. To help us make sense of it and why it’s important to cyber security executives, we talked with Avi Rembaum, vice president of security solutions at Check Point Software.
CT: We know that GDPR is a regulation, but what is it regulating, in a nutshell?
A: GDPR is all about data privacy and protection. More specifically, it’s about the right of European citizens to protect their personal data. In other words, the point of the regulation is to spell out that, ultimately, European citizens own their personal data, regardless of where it resides. And, that they should be able to access their info at any point in time and be sure it’s kept private. What we need to remember is that things have changed in the global-digital economy and the value of a person’s data today has become much more intrinsic than prior.
Europe has been a leader in data protection guidelines. With GDPR, there are formalized penalties and an expanded scope of coverage that make the new rules far more comprehensive.
CT: If it’s a European initiative, why should people outside of Europe care?
A: Well, yes, the regulation talks about the rights of EU citizens to control their data, but in this global economy that we operate in, data doesn’t stay in one place. So, regardless of where a business might be located or where that data exists, any organization that collects personal details from an EU citizen—business or nonbusiness—must comply with the regulation.
CT: Can you give an example of a situation where GDPR would apply?
A: Say you’re a bank or an ecommerce business. Your business makes transactions online all the time. During the process, your customers fill out fields in a form. They might provide their names, addresses, government-issued identification numbers, credit cards, and other information; all info that contains personal identifiers. Regardless of the type of organization or industry, if the customer information resides in your repository, you are potentially liable to compliance. For some types of business, the responsibility might not be immediately obvious. Take a research firm that’s hired as a contractor by an airline. That business might not maintain the passport information of an individual, but as the collector of information, it now has GDPR responsibility. Even employers are liable. For instance, when employees open trouble tickets, they provide personal identifiers. Any aspect that requires identification of individuals will require organizations to be compliant. And what makes this especially timely is that GDPR will be enforced starting in May 2018. That means organizations need to take action now to avoid penalties for non-compliance.
CT: Which business roles need to be especially tuned into this?
A: As I mentioned, a big part of GDPR addresses accountability. That means to the highest levels, like the Board and executive level. Just as the Sarbanes-Oxley (SOX) Act was introduced in response to major accounting scandals 15 years ago to hold the top executives of a business responsible, GDPR does the same. But that accountability will include very specific and costly penalties that approach levels that could have serious impact on a company’s financial performance. Interestingly, GDPR also requires organizations to appoint a new role, the Data Protection Officer, as is noted in Articles 38-39.
CT: What do you think is the biggest misunderstanding about GDPR?
A: Aside from the misconception that GDPR is just a European matter, other misunderstandings relate to the regulation’s ambiguity. Right now, there is a limited set of technical controls. For instance, it calls for pseudonymization/encryption of data; responsibility to maintain the data and control it; the right for individuals to access; the right to be forgotten, etc. But, in most cases, GDPR doesn’t really talk specifically about how to do these things. And, by extension, because it is still a new regulation, there is a lot of ambiguity within the industry itself. The danger here is that you might be misled into thinking that just because there’s no specific list of technical requirements, then they don’t exist. Not true. Each individual country will be responsible for creating its certification structure and controls. And all of this will refer back to a European Union regulator for compliance. You can’t just pick up the phone to call an auditor who will tell you what to do. You need to actually pick up your phone and call your lawyer and your auditor. Given the tight timeframe to get on board with this, reaching out to companies that operate globally and have significant experience with building privacy and security infrastructures is the wise move here.
CT: What’s your best advice for executives who want to start preparing now?
A: It’s about 4 main steps:
- Start cataloging the data that your organization owns and processes and the systems involved.
- Risk management: Analyze and understand where your main risks are; be aware of where data is possibly stored.
- Identify the potential gaps existing within the organization in accordance with the current GDPR guidelines: do you have a classification system? Do you have roles defined? Do you require all of the data that you process? There are many other questions here.
- Build your risk analysis tables so that you understand your potential costs of compliance, penalties, and the most efficient ways possible to mitigate risk. Ideally you can implement controls and protections in a consolidated and centralized way. If access control, data encryption, data loss prevention, anti-malware and other technical controls are available in a single solution, that can provide a significant cost benefit.
CT: Where should executives look for the latest information on GDPR?
A: Aside from the official European Union GDPR site, you can find valuable information and updates in security magazines like SC Media, Compliance Week, and others. I’d also recommend checking the ICO (the UK’s Information Commissioner’s Office, headed by Elizabeth Denham), and the IAPP, a non-profit for privacy matters.
CT: Great information, Avi. Any last thoughts?
A: There are two fundamental sides to risk management: What’s the potential damage you might experience; and what are the costs of implementing solutions that can control that potential damage. From a pure Business 101 perspective, you need to look at the costs associated with each of those. Take a look at how to leverage controls already in place in order to build a GDPR program cost effectively. With the GDPR work we’re doing with our customers, we’re looking at existing functions and building off of that. Don’t start from scratch—especially given the 2018 timeframe. Companies like Check Point can offer some of the solutions and advice, but you can’t stop there. You need to complement that with other elements. Use what already works and be creative with how you can apply it.