What Happens After GDPR’s D-Day?
GDPR is now a month away, and most organisations with a UK or EU presence or customer base should be wrapping up their GDPR compliance programmes. But what happens once May 25th rolls around and GDPR becomes our day-to-day reality in the UK?
A common pitfall of any compliance effort is that the heroic push towards accreditation is not sustained afterwards: the process, the improvement cycle and the controls never get baked into business-as-usual operations and governance. GDPR will be UK law 24x7x365, yet in the current absence of a formal accreditation framework (the regulation provides for certification schemes under Article 42, but none is yet in place), organisations won't even have the regular motivator of an approaching external audit to focus the mind and maintain good practice.
GDPR Isn’t Just About Data Protection Processes
It’s about embedding an ongoing technical security practice. Much has been made of GDPR’s requirement for ‘appropriate technical and organisational measures’. There really isn’t an effective substitute for hiring and properly resourcing internal expertise to develop, drive and manage these controls, but options do exist for organisations that cannot yet support a fledgling security team.
Consultancy is one approach. Whilst this is a great solution for fulfilling deep specialisms (a GDPR expert, for instance) or gaining insight into a particular vertical, you lose the consistency and ‘ever-presence’ of a full-time voice and their familiarity with the guts of the business. Experience suggests that carefully selecting a smaller, boutique consultancy can lead to a bespoke engagement and greater quality and cost-effectiveness than the Big Four, but YMMV.
The technology behind security at any reasonable scale can also be ruinously expensive, but there is now an increasing number of very effective open source projects that fulfil needs previously met only by specialist COTS vendors. A security team that combines awareness of these open source tools with a little in-house development work on the side can achieve significant security gains without unsustainable expense, provided someone owns the ongoing maintenance of whatever gets built.
GDPR Isn’t Just About Cybersecurity
It’s about robust, reliable, effective data protection practices, sustainably in place throughout the organisation. Processes that burn cycles in the name of ‘compliance only’ or demand significant repeated manual effort, workflows that fight against the efficient execution of people’s responsibilities, and policies that are rarely read and even less often understood all work well exactly once, at the initial audit. With the hindsight of six months of operation, these millstones are inevitably the source of non-compliance and, where they form the backbone of your alignment with GDPR requirements, nasty data breaches waiting to happen.
Finding the right tools and automation to support new policy requirements is vital. Compliance generally generates paperwork, but that paperwork should rarely exist on actual paper, and the underlying actions should need human intervention only where judgement is genuinely required. For organisations that process larger or more sensitive sets of personal data, data protection actions (retention, deletion, access requests, breach notification) need to execute correctly every time, backed by management processes that detect and correct failures; otherwise those errors accumulate into fines that threaten the business.
Similarly, try to make sure that every department is actively involved in policy definition and process design, and that they provide meaningful feedback after trialling the ‘new way’ in the course of their actual duties. Ideally, a new or altered process for creating, managing or deleting data brings with it the opportunity for some other operational improvement that makes the business more efficient or makes the day-to-day experience of the people actually doing the work demonstrably better.
GDPR Isn’t Just About Accountability
It’s about a narrative of continual improvement. Data breaches eventually happen to all organisations, regardless of the depth of your investment, the strength of your controls or the compliance of your processes and personnel. Yes, GDPR’s punitive regime is terrifying: fines of up to €20m or 4% of global annual turnover, whichever is higher. For most organisations the worst-case outcome is unsupportable and uninsurable, a regulatory ‘sword of Damocles’. Add in the potential for a dose of non-transferable liability for the onward breaches you might have caused on behalf of your customers, plus the possibility of civil action and reputational damage, and it’s clear that GDPR was designed to shock even the largest organisation into compliance.
Whilst exact details are understandably sparse, experts anticipate that the ICO will continue its practice of levying proportionate fines based on the context and scale of the breach. Where an organisation has expended massive effort to align with GDPR requirements but then allowed itself to backslide and failed to keep abreast of changing codes of practice over time, it seems likely that the ICO will take a dim view.
Remember that the burden of demonstrating compliance sits with the ‘Controller’ or ‘Processor’. Maintaining, and being able to rapidly and clearly evidence, ongoing internal dialogue and attention to data protection matters is vital to minimising those fines and keeping reputational damage in check. Alongside actually maintaining compliance with the regulation, up-to-date action logs, minutes of meetings and discussions, and relevant email exchanges are all useful artefacts to be able to provide to the ICO when you inevitably have to report a data breach.