
The Right Way to Think About Data Privacy and GDPR: 3 Steps For Success

Chris Hodson

Data privacy has topped tech headlines on and off for some time now. For the general public, concern over how to keep personal data safe in a wired world spikes every time there’s a new high-profile data breach. However, for those watching the regulatory side of the industry, the focus on what businesses should do to protect their users’ privacy has become a constant, especially alongside the discussion of the European Union’s (EU) General Data Protection Regulation (GDPR).

GDPR: More than just a cybersecurity regulation

The GDPR, which goes into effect this May, aims to protect EU citizens by holding businesses financially responsible for the compromise of personal data in the event of a security breach. The prospective fines are massive, and there has been no shortage of debate about different aspects of the regulation.

The lack of precision in the wording of particular demands has rubbed people the wrong way. For instance, GDPR’s demand for state-of-the-art security has been rightfully criticized as being conceptually vague. What a top financial services organization would need to implement to demonstrate that its processing security is state-of-the-art is much different than what a mom-and-pop grocery store would need to do.

So, the GDPR gives businesses expectations they need to meet but doesn’t really give them guidelines for getting there. From the perspective of the cybersecurity world, this is a little vexing. But it’s important to understand—controversial as this may sound—that GDPR isn’t a cybersecurity regulation.  

GDPR should be a business-driven program within your organization, and data privacy regulators and cybersecurity professionals ultimately strive for the same outcome. However, the GDPR is not a benchmarking tool for building a secure system. It exists, rather, to give data subjects control over their data. It’s focused on ends. It’s about meeting citizens’ data privacy needs—not a road map for businesses getting there.

Understanding this is a big step toward knowing where and how IT should jump in, assuring GDPR compliance, and protecting data privacy in general. Rather than starting at the bottom with cybersecurity and working their way up, businesses can start where they need to and set up their cybersecurity pros for success. The following three steps can help a business do just that.

Step 1: Who is really responsible for data?

As has been discussed a bit already, top-notch cybersecurity is key to protecting data privacy—but not all data privacy concerns fall under the umbrella of the chief information security officer’s (CISO) responsibilities or even within the purview of the IT department. In an information-driven world, it’s hardly just the teams building, running and securing the networks that are involved in the collection, storage and management of user data. Still, GDPR gets lumped in with the head of security’s responsibilities in all too many organizations.

If a marketing department, for instance, collects data on prospects for lead generation purposes, that department will have its own set of practices for keeping, managing, and utilizing the data. The marketing team knows what they need from the people they’re contacting, how long they absolutely need to maintain access to it, what they could otherwise do without, and what they might be collecting and storing unnecessarily.  

Likewise, an e-commerce team will understand if users who have purchased from the online store need their accounts always available or if they can be wiped after a certain window without inconveniencing customers or falling into non-compliance with GDPR articles pertaining to legitimate purposes.

Statements like “We might need this information in the future” can no longer justify indefinite retention of information. Organizations must have a lawful purpose for processing, and, invariably, this is provided through consent—something that GDPR tightens up, requiring transparency and granularity regarding the what, how, where, and why of personal data.

If you think more deeply about the operations of any given business, you’ll realize that the individual departments gather the data, use it, and know why it is or isn’t essential.

Compliance at the department level

GDPR compliance starts with individual departments auditing their data collection practices and understanding what data users need.


The IT department might spearhead the project by providing a framework to help business leaders understand what data may be expendable. But the departments themselves are positioned to check off the boxes on what’s necessary to have ready at hand, what needs to be stored, what they’re keeping around but don’t really need, and so on.

Once business groups understand the why of their data, IT can effectively determine how to secure it. 

Step 2: What makes top-tier cybersecurity?

After departments analyze, audit, and assess their own data needs, IT can intervene, instituting controls that meet departmental needs while preventing data breaches and thereby protecting users' data privacy.

And a big part of implementing good cybersecurity controls is understanding prioritization. Companies have limited resources, and the news is filled with seemingly unlimited potential cybersecurity threats.

Streamlined data and systems

Once a company sheds unnecessarily collected or stored user data, reducing its liability in the case of a breach, IT can focus on building a correctly configured system that focuses on securing important things.


In this light, individual departments getting things in shape to meet GDPR’s data privacy directives puts IT in a much better position to manage things. When departments do their data housekeeping, IT can more easily understand what needs to be secured and how.

Step 3: Data privacy assurance as a two-pronged approach

The discussion about the need to build out systems in a way that makes data breaches less likely, lowers their impact, and makes data privacy inviolable often runs up against the reality of the tech world—few business systems today are starting from square one. If you’re in a position where you’re building out a dream network and have complete authority over every aspect of it, you can mandate cybersecurity best practices from the outset. But in the real world, data security—as in all things—can be messy.

Big financial services companies still run on archaic, decades-old mainframes built not to clear out unnecessary data but to save as much information as humanly possible. There are businesses with information scattered across multiple pieces of legacy software communicating through custom-coded interfaces. There are countless setups out there that don’t lend themselves to neatly, easily securing data to contemporary standards.

And so, in setting up networks to preserve data privacy, it’s important for CISOs and the rest of the team to be pragmatic and flexible and—again—to think about cybersecurity in terms of risk, understanding that an old but air-gapped system doesn’t require the same level of scrutiny as a new, constantly connected one.

After mapping out, auditing, and organizing comes the second part of this two-pronged approach—developing an ongoing risk-assessment strategy. Businesses change all the time. Hardware gets replaced, and software gets upgraded. Churn, turnover, and outsourcing to the cloud alter the way networks are architected and who is responsible for them.  

Plan and implement

At every step, with an organized plan and a clear idea of where data resides, the IT team can move forward with implementing the right security controls for any emerging technology.

Data privacy: Not a shock to the CISO

Through meticulous auditing, understanding, and organizing data—beginning on the business level and moving into the IT department—a company can better meet the demands of GDPR. CISOs, with the business backing them, can apply the correct tech controls for the situation—the ones that GDPR doesn’t spell out in its pursuit of establishing data security for citizens.

But these steps should sound familiar enough because for those organizations that have a solid cybersecurity stance, a lot of this should already be happening. No matter how concerned a business is with meeting GDPR’s (perhaps vague) benchmarks, having a firm grasp on where data resides and who owns it is key to IT implementing the right cybersecurity controls—and that’s always a good thing for both the business and its customers.   
