The General Data Protection Regulation requires companies to review how they handle data of European Union residents. Thirty-one of its 88 pages are non-binding recitals, statements that help define some of the specific requirements in the articles, and a good number more pages are about the departments and organizations that will enforce the law. There are specific requirements in the Regulation — reporting breaches, reviewing processing in advance, making sure vendor contracts have particular language. But GDPR makes a larger and more fundamental ask: That each company look carefully and studiously at its environment, evaluate the data it holds, and “implement … measures to ensure a level of security appropriate to the risk.” It’s a sort of data protection soul-searching designed to protect people and their data from harm. And this perspective challenges organizations to embrace the spirit of the law and be accountable for it, not just to tick a box.
“Appropriate” and “adequate” – tough words in a security context – are found repeatedly in the GDPR. The regulation suggests that “(i)n assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.” That sounds like a basic risk assessment. At McAfee we are aligning our processes, products and services to be compliant with GDPR and looking at ways of going beyond basic compliance to allow for maximum protection of our customers’ data.
But what should you consider in this high-stakes risk assessment, and how do you get to where you can say you have appropriate security? Remember: This isn’t legal advice – each company has to decide for itself what it needs to do to comply with GDPR. Consider these steps as ways to get started on the journey:
- Scope. Know what you have. We can’t protect what we don’t know we have. This is a good time for companies to figure out how and where they hold personal data – and not just of EU residents, and not just for its EU affiliates.
- Protect. Know how you are protecting those assets. Are you doing the basics? Could you do more? Are your peers doing more? Are you following your data classification policy in automated ways or just expecting employees to know it? Do you delete unnecessary data?
- Monitor and detect. Do you have technologies in place (such as encryption, data-loss prevention or anti-virus software) to protect those assets from malicious actors, loss, unwanted leaks? And do you know what to do if something goes wrong?
- Review. Do you have a process to make sure that all new applications or cloud services are reviewed and that you know how you are using them? Are you implementing data protection by design by thinking of privacy and security at the very beginning of any project?
- Then repeat. The regulation requires “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Some of the specifics of what the regulation requires will take years to truly understand as regulators and courts issue rulings on what comes in front of them, and companies will have different paths to compliance with GDPR. But at the core of the regulation is knowing what you do with the personal data of your employees and customers, and making sure you have stopped to consider the risks inherent to personal data in your business. Thinking of GDPR as an opportunity to review the robustness of your data protection program and to make reforms that are good security, good business, and the right thing to do turns GDPR from a many-headed monster into healthy data-centric reform. After all, the GDPR tells us that “(t)he processing of personal data should be designed to serve mankind.”