GRC Tuesdays: Modernise Your Business, and Consequently Cover GDPR Part Two
Last week, I discussed European Union (EU) General Data Protection Regulation (GDPR) readiness—more specifically, how examining your company’s corporate culture is the first place to start. But there are details I’d like to cover today to help you feel confident in your ability to meet the major parts of GDPR. Let’s take a closer look at master data management, access governance, cybersecurity, and the internet of things.
Other Similar Legislation
While we’re looking at the GDPR, it makes sense to consider other related regulations and legislation that companies will have to deal with in similar time frames. I am thinking of the following, among others:
- NIS: the Directive on security of network and information systems, which is sector-specific (operators of essential services and digital service providers) but also carries incident notification requirements
- ePrivacy: reform of the ePrivacy Directive (the so-called ‘cookie directive’, implemented in the UK as PECR), which is proposed to become a regulation and also carries consent and confidentiality requirements for electronic communications
- WP29: the Article 29 Data Protection Working Party, whose guidance covers (among other things) transfers of personal data outside the EU to countries without an adequacy decision, which is one of the compliance aspects of GDPR
Investment in organisational and technological change for GDPR will be directly relevant to the above as well: the same controls compensate across several regimes, so investments can be consolidated.
A lot of companies will already have adopted compliance standards and frameworks such as ISO 27001, ISO 31000, COBIT and the Three Lines of Defence model. I am aware of the debates surrounding each of these (for example, whether there should be a fourth line of defence). But on the whole, they document approaches for sound business management and reporting. The point here is that adopting these standards and frameworks will again provide compensating controls that assist with areas of GDPR compliance.
Master Data Management
A significant challenge for any business these days is the so-called ‘single view of customer.’ Several drivers sit behind it:
- An operational driver (do I really know who my customers are, and precisely and completely where I can get that data from?)
- An operating cost driver (multiple records of what is actually the same customer are a waste of ICT resources and costs)
- A regulatory driver (such as keeping personal data accurate and being able to confidently answer data subject access requests)
Digitalisation or digital transformation (whatever you label it) is something of a fashionable phrase, but it’s clear that any company that does not reduce its ICT and data management operating costs will never be as competitive and agile as its neighbours who do.
Master data management is either a precursor to or a fundamental part of digital transformation and data minimisation. Knowing where every copy of a person’s data lives also puts you in a more resilient position to safely carry out the right to erasure for GDPR purposes.
The modern definition of an employee, supplier, and customer is considerably more amorphous than it ever was in the past. And it will become more so in the future. We have full time, part time, contractors, the ‘gig economy,’ business process outsourcing, suppliers who are competitors, joint ventures, co-option arrangements, customers who are employees, and partners who work for competitors (to name a few examples).
We need to give people managed access to systems and data so they can do their jobs on our behalf, ideally just the right amount and no more. Their function and responsibility will change over the time they work for us, which will require changing what systems and data they have access to. We need to remove their access when they stop working for us. If they come back to work for or with us, we probably want to have recorded, and to re-use, what their skills and competencies were in the past.
Managing this efficiently is challenging. Managing it inefficiently, however, carries a significant operational cost (such as downtime when on-boarding or changing roles), a financial cost (fixing segregation-of-duties conflicts after the fact) and a security risk to the business (leavers who still hold admin accounts).
Overlay this onto the master data governance and digital transformation roadmap and the complexity compounds.
However, addressing these is a major ‘thruster rocket’ for your business to become leaner, more agile and safer. It gives you a solid foundation for the operational and technical changes needed to address data breaches and processing security breaches under GDPR. It could also reduce your dependence on encryption and pseudonymisation, since fewer copies of personal data in fewer hands means less to protect in the first place.
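The joiner/mover/leaver lifecycle described above is something you can check mechanically by reconciling the HR roster against an entitlement export from each system. The following is an added example (not code from the original post, and not any product’s API): the roster, the account export, the role baseline and the ‘toxic’ entitlement pair are all constructed for illustration. It flags the three failure modes the text names: leavers or unmapped accounts that still have access (with privileged ones called out), movers whose entitlements exceed their current role, and segregation-of-duties conflicts.

```python
"""Joiner/mover/leaver reconciliation against an entitlement export.

All data below is constructed for the example. The role baseline and the
toxic entitlement pair are illustrative assumptions, not a real policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Worker:
    worker_id: str
    role: str
    end_date: Optional[date] = None  # None means still engaged


@dataclass(frozen=True)
class Account:
    account: str
    owner_id: str  # HR worker_id, or "" when nobody in HR owns it
    entitlements: frozenset


# Constructed HR roster: one leaver (W003) and one mover (W004, formerly AP_CLERK).
HR_ROSTER = [
    Worker("W001", "AP_CLERK"),
    Worker("W002", "AP_APPROVER"),
    Worker("W003", "SYSADMIN", end_date=date(2018, 3, 31)),
    Worker("W004", "AP_APPROVER"),
]

# Constructed entitlement export from a finance system.
ACCOUNTS = [
    Account("w001", "W001", frozenset({"CREATE_VENDOR"})),
    Account("w002", "W002", frozenset({"APPROVE_PAYMENT"})),
    Account("w003", "W003", frozenset({"ADMIN", "APPROVE_PAYMENT"})),
    Account("w004", "W004", frozenset({"CREATE_VENDOR", "APPROVE_PAYMENT"})),
    Account("svc_batch", "", frozenset({"ADMIN"})),  # no HR owner at all
]

# Illustrative least-privilege baseline: the most each role may hold.
ROLE_BASELINE = {
    "AP_CLERK": {"CREATE_VENDOR"},
    "AP_APPROVER": {"APPROVE_PAYMENT"},
    "SYSADMIN": {"ADMIN"},
}
# Illustrative toxic combination: nobody may both create a vendor and pay it.
TOXIC_PAIRS = [("CREATE_VENDOR", "APPROVE_PAYMENT")]
PRIVILEGED = {"ADMIN"}
AS_OF = date(2018, 5, 25)  # the review date used in the examples below


def active_roles(roster, as_of):
    """Map worker_id -> role for everyone still engaged on the review date."""
    return {w.worker_id: w.role for w in roster
            if w.end_date is None or w.end_date > as_of}


def find_leaver_access(roster, accounts, as_of):
    """Accounts whose owner has left, or has no HR record at all, tagged by privilege."""
    active = active_roles(roster, as_of)
    return sorted(
        (a.account, "privileged" if a.entitlements & PRIVILEGED else "standard")
        for a in accounts if a.owner_id not in active
    )


def find_role_drift(roster, accounts, baseline, as_of):
    """Entitlements an active worker holds beyond the baseline for their current role."""
    active = active_roles(roster, as_of)
    drift = {}
    for a in accounts:
        role = active.get(a.owner_id)
        if role is None:
            continue  # leavers and unmapped accounts are reported by find_leaver_access
        extra = a.entitlements - baseline.get(role, set())
        if extra:
            drift[a.account] = sorted(extra)
    return drift


def find_sod_conflicts(accounts, toxic_pairs):
    """Accounts holding both halves of a toxic entitlement pair."""
    return sorted(
        (a.account, pair) for a in accounts for pair in toxic_pairs
        if set(pair) <= a.entitlements
    )


if __name__ == "__main__":
    print("leaver/unmapped access:", find_leaver_access(HR_ROSTER, ACCOUNTS, AS_OF))
    print("role drift:", find_role_drift(HR_ROSTER, ACCOUNTS, ROLE_BASELINE, AS_OF))
    print("SoD conflicts:", find_sod_conflicts(ACCOUNTS, TOXIC_PAIRS))
```

Run as a script it reports the leaver’s admin account and the unowned service account first, then the mover who kept CREATE_VENDOR after moving to an approver role, and finally that the same mover now holds a toxic pair. In practice the roster and export would come from the HR system and each application’s access report, and a leaver with a future end date is correctly treated as still active until that date passes.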
Cybersecurity and IoT
Multipliers abound in this aspect: proliferation of end-point devices, exponential increases in data volumes, the rising value of personal data (and of industrial espionage), and the growing sophistication of cyber criminals. Identity theft is one of the fastest growing crimes in the world, and ransomware attacks are also growing.
And because we are all connected, and actively striving to become more interconnected, this truly is a global phenomenon.
The concept of zero trust is replacing older paradigms for system security. There is a growing realisation that application-level security (as opposed to infrastructure-level security) is under-represented, under-resourced and sometimes dismissed. However, your intellectual property and personal data live at the application level, and that is where the focus will shift.
We’re also moving increasingly towards robots and machine learning, creating even more automated interconnection.
I don’t want to belabour this aspect in this blog (or it will take over this blog). It’s probably enough to say that it typically sits in the top three of most companies’ top 10 risks, and of national governments’ for that matter.
Impacts of a cybersecurity event are many-fold and include:
- Financial loss (fines, lost sales)
- Operational (inability to run the business properly because of ransomware or DDoS)
- Reputational damage
- Cascading combinations of the above
The way the world is evolving means this is not optional. Companies must address it if they want to operate in the modern world. I would say that the investment required is directly proportional to the size of your business (pick any global business) or to how far society relies on your business to function (such as healthcare or utilities).
Addressing this aspect significantly develops your operational and technical ability to address data breaches and processing security breaches under GDPR.
The Upside for the Modern Business
The points I’ve laid out in this blog hopefully provide substance to—and confidence in—your ability to deliver a modern business. And as a consequence, you’ll then be well on your way to meeting a major part of the GDPR.
And the upside for just such a modern business? To quote UK Information Commissioner Elizabeth Denham again, “I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy and dignity of individuals. Over time this can play a real role in consumer choice.”
To take it further (with help from Stephen Covey’s book The Speed of Trust):
- If your customers trust you, your speed of operation and security of revenue generation will increase.
- We judge ourselves on our intentions; we judge others on their actions.
Addressing the GDPR is not just about avoiding fines—see it as putting ‘good sense’ changes in place to underwrite your growth as a modern business.
- To learn more about the new regulations, read our other GDPR blogs.
- For more on all GRC topics, visit our GRC category page for a complete list.