Information Security Buzz

The Importance Of Long-Term Compliance And Tackling Data Sprawl, And The Impact GDPR Will Have On Company Culture

By ISBuzz Team, May 12, 2018, 6 Mins Read

With just two weeks until GDPR comes into force, IT security experts comment below.

Importance of long-term compliance 

Rob Price, Pre-sales Consultant at Snow Software:

“At this stage, and with the deadline for compliance just a matter of weeks away, varying states of readiness remain at large across the business community. Some organisations are already years into their compliance journey, whilst others are only now realising the scale of the task that lies before them in order to meet the deadline.

In recent months, the overwhelming sentiment of the media furore around the General Data Protection Regulation (GDPR) has been focused on how companies can become compliant in time for deadline day on 25 May 2018. Instead, it should be analysing and scrutinising how those companies striving to become compliant intend to maintain the required standards once the deadline has passed.

With this in mind, establishing enterprise visibility should be at the heart of any organisation’s approach. Companies’ efforts need to be anchored around how they can create a cost-effective and precise strategy to handle and adapt to evolving compliance rules and demands over time.

There is now a burning need to closely examine those databases that have been central to the digital estates of many companies for many years. With new databases, processes and products being created every day, impacting upon every step of an organisation’s journey to become compliant, comprehensively scrutinising already entrenched systems is essential.

The majority of organisations beginning their journey to compliance understand the importance of identifying the location of personal data repositories, meaning that their focus is on systems such as SAP, Oracle databases and middleware like Marketo and Salesforce. But these large systems often represent just a fraction of the systems that process personal data. Like an iceberg, the vast majority of applications are often effectively invisible, unconsidered by the GDPR team and include SaaS applications purchased by business units with little to no involvement by IT.

As the digital estate continues to rapidly evolve, looking beyond the deadline date by conducting an extensive assessment of company software – both old and new – will be paramount to avoiding any penalties down the line – be they legal or financial.”

Impact on company culture

 Rob Price, Pre-sales Consultant at Snow Software: 

“Though having a watertight process and the performing of rigorous technological checks may be two key components to ensure compliance, instilling the right culture will be critical to guarantee that employees adhere closely to what’s required of them.

Typically, the road to compliance can be portrayed as too technical, which can, in turn, lead to a breeding ground for misinformation. Instead, organisations should be focusing on improving employee understanding, instilling a culture of the foundational tenets of compliance, and, given the harsh realities of today’s cyber climate, providing constant reminders of the importance of protecting data. Only then can they move on to establish concrete processes, which is where self-assessment and the identification of gaps comes into play.

Some basic steps like setting up a cross-functional data governance team, made up of the data protection officer (DPO), IT leaders and business leaders from a range of functions including Compliance, Legal, HR, Customer Service, and Marketing is a solid starting point. These are the individuals who can help the importance of customer data protection become woven into the fabric of a business model.

By repeatedly emphasising the importance of data protection, CIOs will set themselves, their teams and their organisations up for success. And, positioning data privacy front and centre will enforce a company culture that can truly help to deliver GDPR compliance collectively.”

Controlling data sprawl and recognising enterprise accountability is key to GDPR compliance

Chris Mayers, Chief Security Architect at Citrix:

 “The GDPR will do far more than strengthen data privacy rights. The regulation will set a high bar for responsibility and accountability – and not one that every business will meet.

Ensuring data privacy processes and systems are in place – from privacy by design to privacy by default – requires an organisation to know exactly where their data is and who can access it. Yet many are losing sight of data, spread across multiple systems and shared with multiple partners, while also struggling to scale up to store and control the huge influx of personal customer data they receive today.

Businesses must recognise that more centralised application and data storage environments will make it easier to meet technical compliance goals. This centralisation can be achieved in various ways, from introducing unified access controls across on-premise and cloud services with single sign-on to rolling out centrally-managed virtual workspaces. However it is done, controlling data sprawl and recognising enterprise accountability around data privacy will be key to GDPR compliance.”

How do businesses actually protect their data?

Elodie Dowling, Corporate VP, EMEA General Counsel at BMC Software:

“With two weeks to go until GDPR many organisations are placing a great deal of emphasis on the technical aspect of GDPR, but the road to compliance involves more than technology and state of the art. Organisations must break compliance down into three phases – people, process, and technology.

Organisations should be focusing on instilling a culture of compliance. Only then can they move on to establishing concrete processes, which is where self-assessment and the identification of gaps comes into play. From there, organisations can turn their efforts to constructing a roadmap to compliance.

Technology is the third component and this is where discovery is crucial. How can customers become truly compliant if they don’t know what’s in their data centres, who has access, what other devices are active and vulnerable, where their sensitive information is stored and how they should be maintaining their devices to ensure they meet auditor standards?

Only by relentlessly examining internal processes can customers discover how their devices storing data are configured, how they’re connected, where any vulnerabilities sit and then piece together a plan to remediate those vulnerabilities and correct them. Data is constantly in flight so in order to transfer it in a secure way, it must be archived to protect it from the recovery implications contained within the GDPR.”

The importance of tackling fundamental challenges, such as data sprawl 

John O’Keeffe, VP EMEA at Looker:

“The 25th May will mark a significant milestone for businesses across the globe – when organisations managing EU citizen data will need to be compliant with GDPR, or risk punitive measures to the tune of up to €20 million. Yet, as revealed in this survey, many businesses are still not ready.

“Many are still tackling fundamental challenges – such as data sprawl – in which masses of data is left dispersed, uncategorised and disordered. Because of this, businesses can easily lose track of what data is being stored, how it’s managed and whether it’s robustly safeguarded. Ensuring these data ‘swamps’ are cleaned, organised and filtered should be the first port of call for CIOs.

“Once organisations have clean data ‘lakes’, they can continue the process of data analytics to drive business outcomes. But – if they want to maintain their compliance with GDPR – leveraging tools that don’t extract the data is key. Data analytics should enable positive business change, not start the data sprawl process all over again.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
