There are many growing drivers for an organisation and its supply chain to take information security and privacy seriously. Chief among them is cyber-crime: a single data breach can be enough to put a company out of business. Despite that threat, not all organisations invest in, or perhaps even care about, information as an asset to be nurtured and protected.
So, it’s no surprise that regulation like the General Data Protection Regulation (GDPR) has come about for the protection of personal data and improved privacy for individuals. The GDPR is a powerful external driver forcing organisations to improve data protection and privacy activity.
Levels of Intent for GDPR and beyond
GDPR is a compelling event for change, yet despite it applying from 25th May 2018, not all organisations have made the same progress. We are currently seeing four levels of intent around the regulation. So where do you see your organisation, and what else can you do about it?
Level 4 – Forward thinkers on all valuable information:
Those who see GDPR as an opportunity to get ahead and improve information security overall (beyond personal data per se), reinforcing to stakeholders that information is a real organisational asset, not a liability. This also future-proofs their investment in an Information Security Management System (ISMS) and drives down the total cost of operation. They see the benefit of working towards, or already following, recognised standards such as ISO 27001:2013 or the NIST Cybersecurity Framework alongside the regulation.
Level 3 – Doing enough now for personal data:
Those generally responding now to demands from powerful customers and concerned internal stakeholders about personal data processing. These organisations are open to making the appropriate changes to retain their contracts and be compliant in their processing. Many are seeing the benefits of ‘showing their working’ with a visible ISMS to gain the trust of their stakeholders. They are less interested, right now, in overtly addressing other valuable information management areas such as intellectual property (IPR), financial data, commercial contracts, software code and business plan information.
Level 2 – Waiting to act:
Those who are ‘consciously incompetent’ and (probably) non-compliant, but not prepared to act now. They do, however, recognise a need to do so once fines emerge in their sector, or once demands to demonstrate compliance increase from powerful customers and industry stakeholders.
Level 1 – In complete denial:
Those who believe that GDPR doesn’t affect them, or who feel their current posture is good enough to comply, even though they are data controllers or processors. It is no wonder that the Information Commissioner’s Office (ICO) probably has only a fraction of the organisations that should be registered with it. Our informal surveys suggested that many organisations didn’t even know they should be registered with the ICO, let alone adopt the new privacy and protection regime.
But what does compliance with GDPR mean in reality?
Most of the organisations that are ‘in denial’, and some of the others, believe they will be compliant with GDPR because they have an ‘information security policy’ documented. It sits in a shared folder and is sent on to customers when asked. Unfortunately, the regulation itself is rather more complex, with about 180 requirements to consider, and buyers are getting smarter all the time. Surely there must be a better, more pragmatic way to show you can be trusted with (just) personal data, let alone other valuable information assets?
GDPR is also more of a challenge because there is no official EU-level scheme against which compliance can be tightly measured. As a result, many organisations are asking their supply chain to comply with ‘their view of the GDPR’, which may be over- or under-engineered for the rest of that supplier’s customer base.
Perhaps worse, some customers are demanding a blunt, ill-informed risk transfer through a forced contract update, leaving the supplier to work out how to comply. Responsible customers and their important suppliers will work together on what is acceptable given the information at risk and the value of the relationship (and any contracts).
EU-authorised GDPR privacy seals and certifications may still be some way off. So what can you do in the meantime to show you can be trusted, at least around GDPR, while keeping it pragmatic for your organisation and most if not all of your customers? An information security policy document is not enough. An ISMS is much better, and within that ISMS you should ideally follow a recognised method or framework structure that your stakeholders can trust and compare progress against.
Showing your progress and performance against a GDPR framework is sensible
The Information Commissioner’s Office is the UK Supervisory Authority for the GDPR. Love them or loathe them, they are trying hard to help UK PLC implement the regulation and develop a culture of data protection and privacy by design. Commissioner Elizabeth Denham said:
“…it’s clear some businesses will thrive in this changing environment. They’ll be the ones that look at this whole issue with a mindset that appreciates what consumers want. Today, many companies think data protection is just about ‘compliance.’ It’s a mindset that says: ‘my job is to meet the legal requirements. As long as I tick the right boxes, we’ll be OK’.
But to meet the challenges…we need to move from a mindset of compliance to a mindset of commitment: commitment to managing data sensitively and ethically.
Not just because it’s the law, but because it’s part of basic good business practice…Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. That’s the carrot for getting it right. And there’s a pretty big stick too…”
The ICO is also the body that will issue fines in the UK (looking at it from a threat perspective), so if you are in the UK it makes sense to understand what GDPR means through their lens. Their original 12 steps to GDPR were great for headline communications but too high-level for implementation against the regulation. As such, they released seven comprehensive checklists, which have been updated and enhanced over the last 6-12 months. We recommend them to everyone.
Completing those checklists as a framework to demonstrate compliance and commitment is a great starting point. It will help identify areas of strength and weakness, and then form the basis of a prioritised plan of investment. Because the regulation is risk-based (rather than prescribing very specific controls), you can also more clearly evidence why you have or have not followed an ICO recommendation. It also offers a more objective perspective than many of the snake-oil firms in the market right now selling their own methods, which may not stand up to scrutiny in future.
Organisations that can easily describe and demonstrate how they have considered and implemented the GDPR (either with the ICO checklists or suitably comprehensive alternatives) will almost certainly get a better reception from the regulator if something awful like a data breach does still happen. They will also have delivered on the ‘jobs’ outlined below and started to build the basis of an ISMS that others can trust.
What jobs need to get done for GDPR success?
Whilst there are 120 activities to consider across the seven ICO checklists, they can be broadly grouped as follows:
| # | Jobs to get done for GDPR | Can you evidence this now? |
|---|---------------------------|----------------------------|
| 1 | Information you hold | Yes / No |
| 2 | Risks: Confidentiality, Integrity, Availability (CIA) | Yes / No |
| 3 | Policies and controls management | Yes / No |
| 4 | Assessments and requests to ensure privacy and security by design | Yes / No |
| 5 | Incidents and business continuity planning (BCP) | Yes / No |
| 6 | | Yes / No |
| 7 | | Yes / No |
| 8 | Whole-system coordination and assurance | Yes / No |