Chief information security officers (CISOs) have played a key role in implementing the data security measures needed to meet the requirements of the EU General Data Protection Regulation (GDPR). Now, as we move towards its implementation on 25 May, organisations need to think about how they can continue to embed sustainable improvements in their data management and use those improvements to create value.
Manage risk appropriately
A risk-based approach to security is central to complying with GDPR. Article 32 requires that the measures taken by organisations provide a level of security appropriate to the risk. This ensures that priorities are established and decisions are made by evaluating data sensitivity, system vulnerability and the likelihood of threats. Many organisations will already have remediated their high-risk applications, but it is important that they do not stop there and now apply the relevant technical controls to medium- and low-risk areas as well.
Provide assurance on unstructured data
While organisations have been focusing on remediating IT systems to make them GDPR ready, much of the personal data they hold is in the form of unstructured data (for example Excel files, Word documents and emails). To manage the risk around this unstructured data, the CISO needs to provide clear guidance to the business on how to secure it and how to minimise its use where possible. They should also consider using tools that can discover large stores of unstructured data which might have gone undetected during the inventory-building process required for Article 30 compliance.
Deal with shadow IT and cloud risk
Shadow IT, meaning systems and solutions used without explicit approval from the IT department and not supported by it, can also introduce a large amount of GDPR compliance risk, especially if the privacy office and CISO are unaware of them. These risks can be mitigated by encouraging business users, when building their inventory of personal data, to identify the data they use in terms of business processes rather than IT systems. A time-limited amnesty for users to disclose whether they use any shadow IT services can also help identify where these are in use.
There is a need to work with the IT function to understand the reasons why these shadow IT services are being used. That includes ensuring that employees can access the tools they might need through official channels rather than resorting to unapproved alternatives. Organisations can also use data loss prevention solutions to monitor how personal data is used within the organisation, and identify further sources of shadow IT.
Similarly, they should make sure that the cloud services they use have the right technical and legal controls in place. That means avoiding cloud computing services where there is no guarantee about the effective geographical location of the data, or where the lawfulness of data transfers outside the European Union has not been ensured.
Respond to data breaches
Another critical role for the CISO is in identifying and managing data breaches. In many cases, the cyber-security team will be the first to detect a data breach. A clear, documented process will help to ensure the breach is logged appropriately and the relevant action is taken in a timely way. A decision tree should make it possible to quickly identify the actions to be taken for each incident type, based on the severity of the data breach. The teams should then work with the various internal and external stakeholders (including suppliers if needed) to manage the incident, and notify regulators and impacted individuals rapidly. After the immediate management of the breach is complete, a rigorous testing regime should be put in place. This should cover technical controls, policy, people and process, and be tested against real-world scenarios appropriate for the business.
Audit and monitor technical controls
Finally, periodic security audits should be carried out on the technical controls to check that they remain embedded in the organisation and continue to be effective. Each audit must produce an action plan, and its implementation should be monitored at the appropriate level within the organisation. Taking these actions will ensure that organisations are not just compliant on the day GDPR comes in, but that they have a sustainable model that can secure the value of better data governance.
Contributed by Sharad Patel, a GDPR expert at PA Consulting Group.
PA Consulting Group delivers an online course Introduction to GDPR with UCL and UCL Consultants, on the FutureLearn platform.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.