Security Technology Executive

MAY-JUN 2018

to complain or has been chosen by a data subject to represent their interests. These complaints can be submitted to any supervisory authority, not just the supervisory authority with territorial responsibility. If an organization is found to be overstepping the requirements of the GDPR, supervisory authorities have a variety of corrective powers from which to choose. These include the ability to issue warnings and reprimands to controllers or processors, but also far more substantial powers: they can compel an organization to process data in certain manners or to cease processing altogether, and they can force an organization to communicate data breaches to the affected data subjects.

Implications for U.S. Businesses

The GDPR's official enforcement date (May 25, 2018) and the final (or last-minute) preparations for compliance came at the same time that public conversation about online privacy reached a fever pitch. Between the massive Equifax breach, a seemingly continuous string of customer data breaches at major retail and restaurant brands (not to mention healthcare and financial services), and the Facebook-Cambridge Analytica scandal, the American public is getting a crash course in the security and privacy weaknesses of online services, apps and networked systems. It may not happen immediately, but chances are that further regulation and more intense oversight mechanisms will be developed in response to these striking revelations, which have damaged public trust and corporate integrity.

Public sentiment is wary and shifting. Organizations that rely on personal data, and on individual users' consent and trust, have an opportunity to go above and beyond the GDPR in order to reassure worried customers and partners. Apple has offered an example, recently announcing that it will extend GDPR protections to all of its customers, not just the EU data subjects specifically protected under the law. These protections, including a new privacy policy, easier access to important privacy settings, access to personal data stores, and the ability to permanently delete accounts, will be available first to EU data subjects and rolled out to every Apple customer worldwide in the months after GDPR enforcement begins.

In this critical moment in the era of digital transformation, there are many lessons to be learned. Leading organizations will take the time to review how they are handling privacy concerns and how they are communicating about privacy to their customer base, supply chain and partner ecosystem. Forward-looking strategic planning should include: monitoring Congressional and state legislative activity, regulatory guidance and thought leadership; fine-tuning and rehearsing incident response plans; and keeping up with privacy and security best practices with regard to people, process and technology.

Last-Minute Scrambles

As is always the case with major regulatory changes, some companies did not start GDPR preparations early enough, found the necessary activities broader in scope or more complex than initially assessed, or only recently realized that their business operations fell under the GDPR's purview. Even with mere weeks to go, there were still important steps that companies scrambled to accomplish to show they were taking the regulation seriously and had begun compliance work in earnest. For U.S. companies that may still be enacting their action plans, here are some clear directives.

One of the initial steps is to show risk management readiness: a deliberate review of existing data privacy policies, processes and plans. Get your team together, and be sure to include representatives from every business function that touches personal data; this is not just a job for the marketing department. Consult legal advisors, figure out which internal security and data experts to work with, and secure C-suite backing to make preparations a priority. Review products and services for data privacy hot spots; you may need to include product development or engineering teams in GDPR activities, especially if a non-critical feature introduces an outsized risk that could lead to expensive consequences. With a solid plan, a thorough risk review and a multi-faceted team in place, companies can show they are being diligent even if they are not yet technically compliant.

The next big step for latecomers (and an important obligation for all entities) is to assess the extended ecosystem of third parties, vendors and partners for GDPR compliance, data risks and required documentation. For most companies, cloud service providers and other technology vendors will play a significant role in complying with many regulatory regimes, including the GDPR, HIPAA and PCI DSS. If you cannot tell enforcement agencies exactly what data passes through or is held by your cloud provider, and what the provider is doing to protect it, you cannot show that you are taking a serious and diligent approach to compliance. Confining GDPR activities to the public-facing corporate website and other obvious customer interfaces signals to regulators that an organization is under-prepared or has a poor understanding of its obligations.

For organizations still scrambling to catch up, it is imperative to stay laser-focused on top priorities. Determining the core tasks, ensuring

Continued on page 48

About the Author: Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.