In this podcast, Diana Candela, an associate director with Protiviti's Security and Privacy Practice, talks about the new General Data Protection Regulation, which has gone into effect in the European Union.
Hello, and welcome to a new installment of Powerful Insights. This is Kevin Donahue, a senior director with our marketing group, and I’m pleased to be speaking today with Diana Candela, an associate director with Protiviti's Security and Privacy Practice, and we’re going to be talking a little bit about the new General Data Protection Regulation, which has gone into effect in the European Union. Diana, thanks for joining me today.
You’re welcome. I’m very happy to be here.
Diana, first question for you on this topic: Now that the GDPR has gone into effect, what are some of the more common questions and comments you’re hearing from your clients in the market in general? What seems to be of most concern to them?
Actually, I think some of the most common questions I keep hearing are still around data-subject requests and how to properly handle those. So, there’s still quite a bit of confusion as to, “Hey, do we get a system to do that?” “Do we integrate all our systems to do that?” “Do we really need a system?” “Can we do this manually?” That sort of thing. All sorts of tactics, from using Excel – is Excel appropriate? – to full systems integration. So, there’s still quite a bit of confusion around how to process those data-subject requests and then meet the window to get back to that data subject, or even properly identify that data subject.
I’d have to say the other hot topic is probably around cookies. A lot of people went and scanned their cookies, and they tried to see if their cookies were deemed to be privacy invasive. Pretty much the concept is, if your cookies were privacy invasive on your website, then that means you’ve got to go and do stuff with them. So, you either need to go get consent for the types of cookies that you’re using or put up a banner – or redraft your policy: are you going to use a notice instead? Overall, cookie management is probably one of the hottest topics: “Hey, do we do individual cookies?” “Can we do groups of cookies?” “Do we need a tool that does our cookies for us?” “Can we build our own?” That sort of thing. I’d have to say that, in terms of concerns, there were probably some operational impacts that some organizations were just not ready for, or some were not as ready as they thought they’d be when GDPR kicked in.
For example, a good topic that I’d like to mention is data-breach notification obligations under the GDPR. We all know there are certain data-breach notification requirements, and we all know about that 72-hour window, but most organizations just got the paperwork done in terms of, “Hey, this is our procedure, and this is what we’re going to do in order to be able to notify the appropriate persons about that breach.” However, not all organizations went and actually tested their plan. In some cases, they have an incident-response plan or an incident-handling plan or whatever that organization may have, or nothing at all. Others didn’t even measure the quality of their detection systems, or they didn’t even look to see if they could detect a breach.
That’s probably one of the biggest gaps that I keep hearing about: “Yes, we’ve got the paperwork, so on paper, we can totally notify within 72 hours, but in some cases, we may not even know we’ve gotten breached, or we never tested and we don’t know that we’re actually going to be able to do it within 72 hours.” Another concern, I’d have to say, is probably around DPO. The DPO thing is still a big topic. Most organizations, they may have one, but the ones that don’t, they’re still in the mode of, “Hmmm, do we need one? What do they do? What’s a DPO? How do we get one? Do we get one in-house? Do we outsource?”
Diana, that DPO, you mean the data-protection officer?
That’s correct, yes. There are still a lot of questions there, and if they do decide to outsource, the questions are, “Who do we outsource to?” “Are they reputable?” “Did they just spring up out of nowhere within the last six months to be able to comply against GDPR?” and that sort of thing. So, there are lots of questions, still, around DPOs. And I have to say, the last thing people are concerned about would be the logistics around cross-border data transfers, because those can be tricky, and then probably data retention and localization, because those can be tricky as well.
That’s a lot of issues and a lot of challenges companies certainly face even as this has already gone into effect. Diana, I wanted to ask you a little more about cyber security. We know the regulation has established a broad range of requirements for data management and privacy, but there are also cyber security issues to consider. You touched on some of these, but I was wondering if there were others that are worthy of mention as well.
Absolutely. So, there’s a great emphasis within the GDPR around the security of the data-processing activities, although many organizations really focus on that data-subject access request, or consent management, or having the right policies and procedures in place, and as such, that concept of security of the processing activities was something that really wasn’t generally considered in this whole “We’re going to comply against GDPR” endeavor. For example, breach-notification requirements, which is something I briefly touched upon earlier – organizations wouldn’t be able to meet that requirement unless they would’ve already had a robust security and risk-management program in place that explicitly included privacy controls for the appropriate protection of that regulated data.
Again, you may not even notice you’ve had a breach until months later, and then again, you don’t have to notify until you eventually discover you have a breach. If you look at GDPR’s Article 32, for example, you have to implement appropriate technical and organizational measures, and you have to consider the nature, the scope, the context and the purpose of all of those processing activities, and you log them however the organization decides to log those.
But the GDPR actually provides some specific suggestions for the types of security actions that are considered appropriate to the risk of that security. Some of the most common ones that are commonly heard everywhere are, “Hey, do we use pseudonymization? Do we anonymize or even do encryption of personal data?” These are controls that are suggested or recommended, but they’re not required. There’s a lot of confusion with people going out there and saying, “Hey, GDPR says you must encrypt your data.” That’s not really the case. It’s one control; it’s highly recommended, but it’s not required. It also ties into the question of whether you have to notify if your data is encrypted or not, but that’s probably a separate topic.
Another popular one is probably that the GDPR clearly says that you have to ensure the confidentiality, integrity, availability and resilience of those processing systems and services. So, GDPR actually uses the industry-standard definition for security by referring to that CIA, and then they’ve also added resilience, which has been a hot, trendy topic for the past few years now. It’s that sort of testing and assessing of your technical controls against your security posture in the end. It’s ultimately about your proper risk management, risk-based decisions and the selection of the best framework that fits the particular organization with the best sort of controls that mitigate or treat the risk.
Of course, they have to be appropriate for the business needs. Ultimately, you’re going to save a lot more money by just going through that exercise and seeing where you apply those security controls appropriately. In some instances, some organizations just needed to update their framework and just add the sort of paperwork requirements under GDPR, but in others, they didn’t even have privacy management in place, or they needed to start not necessarily from scratch, but probably from baby step one.
Diana, one last question here as we conclude our conversation. You’ve walked through a lot of different requirements and processes that companies should have around cyber security to comply with the regulation. In general, are you finding that organizations are prepared to meet this level of cyber security rigor?
From what I’ve seen, those highly regulated organizations were way more prepared than others, since they were more likely to already have benefits against multiple frameworks or multiple compliance or regulations. So, they would’ve already been running something that they could’ve tied into to meet GDPR. Now, other types of organizations that really didn’t have a mature security governance or risk management in their compliance program, they had a little bit more of a struggle in trying to meet GDPR compliance – multimedia businesses that probably had an informal program in place or nothing at all, or probably just had one person running the entire IT and security. They struggled a little bit more or haven’t even met compliance yet.
Well, Diana, I want to thank you very much for joining me today to discuss a few of the many aspects of the General Data Protection Regulation. I want to invite our audience to visit protiviti.com/GDPR to find much more information on this topic.