The Right Way to Think About Data Privacy and GDPR: 3 Steps For Success

The topic of data privacy has topped tech headlines on and off for some time now. For the general public, concern over how to keep personal data safe in a wired world spikes every time there's a new high-profile data breach. But for those watching the regulatory side of the industry, the focus on what businesses should to protect the privacy of their users has become a constant, especially alongside the discussion of the European Union's (EU) Global Data Protection Regulation (GDPR).

GDPR: More Than Just a Cybersecurity Regulation

The GDPR, which goes into effect this May, sets out to protect EU citizens by holding businesses financially responsible for the compromise of personal data in the event of a security breach. The prospective fines on the table are massive, and there has been no shortage of debate about different aspects of the regulation.

In particular, the lack of precision in the wording of particular demands has rubbed people the wrong way. For instance, GDPR's demand for state-of-the-art security has been rightfully criticized as being conceptually vague. What a top financial services organization would need to implement to demonstrate that its security of processing is state of the art is much different than what a mom-and-pop grocery store would need to do.

So, the GDPR gives businesses expectations they need to meet, but doesn't really give them guidelines for getting there. And from the perspective of the cybersecurity world, this is a little vexing. But it's important to understand – controversial as this may sound – that GDPR isn't a cybersecurity regulation.  

While GDPR should be a business-driven program within your organization, data privacy regulators and cybersecurity professionals are striving for the same thing. But the GDPR is not a benchmarking tool for the build out of a secure system. It exists, rather, to give data subjects control over their data. It's focused on ends. It's about meeting citizens' data privacy needs – not a road map for businesses getting there.

Understanding this is a big step toward knowing where and how IT should jump in, both in the process of assuring GDPR compliance and protecting data privacy in general. Rather than starting at the bottom with cybersecurity and working their way up, businesses can start where they need to and set up their cybersecurity pros for success. The following three steps can help a business do just that.

Step 1: Who Is Really Responsible For Data?

As has been discussed a bit already, top-notch cybersecurity is key to protecting data privacy – but not all data privacy concerns fall under the umbrella of the chief information security officer’s (CISO) responsibilities, or even within the purview of the IT department. In an information-driven world, it's hardly just the teams building, running and securing the networks that are involved in the collection, storage and management of user data. Still, GDPR gets lumped in with the head of security's responsibilities in all too many organizations.

If a marketing department, for instance, collects data on prospects for lead generation purposes, that department will have its own set of practices for keeping, managing and utilizing the data. It's the marketing team that knows what they need from people they're contacting, how long they absolutely need to maintain access to it, what they could otherwise do without, and what they might be collecting and storing unnecessarily.  

Likewise, an e-commerce team will understand if users who have purchased from the online store need to have their accounts always available or they can be wiped after a certain window without inconveniencing customers or falling into non-compliance with GDPR articles pertaining to legitimate purpose.

Indefinite retention of information can no longer be justified by statements like, “We might need this information in the future.”  Organizations must have a lawful purpose for processing and, invariably, this is provided through consent – something that GDPR tightens up, requiring transparency and granularity regarding the what, how, where and why of personal data.

In fact, if you think more deeply into the operations of any given business, you'll realize that it's the individual departments that gather the data, use it and know why it is or isn't important.

The IT department might spearhead the project by providing a framework to help business leaders understand what data may be expendable. But it's the departments themselves that are positioned to check off the boxes on what's necessary to have ready at hand, what needs to be stored, what they're keeping around but don't really need and so on.

Once business groups figure out the why of their data, only then can IT effectively determine how to secure it. 

Step 2: What Makes Top-tier Cybersecurity?

After having departments analyze, audit and assess their own data needs, IT can jump in, instituting controls that meet departmental needs while preventing data breaches, thereby protecting the data privacy of users.

And a big part of implementing good cybersecurity controls is understanding prioritization. Companies have limited resources, and the news is filled with a seemingly unlimited number of potential cybersecurity threats.

Seen in this light, individual departments getting things in shape to meet GDPR's data privacy directives puts IT in a much better position to manage things. When departments do their data housekeeping, IT can more easily understand what needs to be secured and how.

Step 3: Data Privacy Assurance as a Two-pronged Approach

The discussion about the need to build out systems in a way that makes data breaches less likely, of lower impact and data privacy inviolable, often runs up against a reality of the tech world – few business systems today are starting from square one. If you're in a position where you're building out a dream network and have complete authority over every aspect of it, you can mandate cybersecurity best practices from the outset. But in the real world, data security – as in all things – can be messy

There are big financial services companies that still run on archaic, decades-old mainframes built not to clear out unnecessary data, but to save as much information as humanly possible. There are businesses with information scattered across multiple pieces of legacy software communicating through custom-coded interfaces. There are countless setups out there that don't lend themselves to neatly, easily securing data to contemporary standards.

And so, in setting up networks to preserve data privacy, it's important for CISOs and the rest of the team to be pragmatic and flexible and – again – to think about cybersecurity in terms of risk; understanding that an old but air-gapped system doesn't require the same level of scrutiny as a new, constantly connected one.

After mapping out, auditing and organizing comes the second part of this two-pronged approach – developing an ongoing risk-assessment strategy. Businesses change all the time. Hardware gets replaced, and software gets upgraded. Churn, turnover and outsourcing to the cloud alters the way networks are architected and who is responsible for them.  

Data Privacy: Not a Shock to the CISO

Through a process of meticulous auditing, understanding and organizing of data – beginning on the business level and moving into the IT department – a company can better meet the demands of GDPR. CISOs, with the business backing them, can apply the correct tech controls for the situation; the ones that GDPR doesn't spell out in its pursuit of establishing data security for citizens.

But these steps should sound familiar enough, because for those organizations that have a solid cybersecurity stance, a lot of this should be happening already. No matter how concerned a business is with meeting GDPR's (perhaps vague) benchmarks, having a firm grasp on where data resides and who owns it is key to IT implementing the right cybersecurity controls – and that's always a good thing for both the business and its customers.