It isn’t often that compliance specialists get to be the heroes of the story, but over the last four years, as we prepared for the GDPR to take effect, we have found ourselves in the spotlight more often. It is a fascinating time to work in the sector, particularly as part of the rapidly growing cloud industry. We have built up knowledge along the way, and as we take our first steps into ongoing GDPR compliance it seems a good time to take stock of what we have learned as an organization whose success depends on getting this right. The tips and pitfalls below should help companies that are still establishing their GDPR strategy and structure.
GDPR is much more than an IT regulation – it is a change in corporate governance
There’s a tendency to zero in on the area of GDPR most closely connected to your own area of operations, be that IT, HR, marketing, legal or finance. However, that siloed approach risks making your strategy fragmented, with no overarching principle behind it. The scope and risks associated with the GDPR mean that it should be viewed as a corporate governance issue in the board’s domain with the compliance program driven from the top.
That doesn’t mean that every director needs an in-depth understanding of data sovereignty or cybersecurity, but it does mean that the board needs to provide oversight to ensure that the business is treating data privacy with the importance it deserves, and that sufficient resources are in place to facilitate compliance.
There’s no quick fix
We spent four years working on this regulation, and one of the biggest takeaways is that there are really no shortcuts and no solution that you can buy off-the-shelf that will make you compliant. Compliance is achievable, but it needs work and a commitment to building in processes that will keep you compliant in the future. You can and should take advantage of the expertise that suppliers such as ourselves have built up in the area but when it comes right down to it, you will need to make sure that you have the resources to build and maintain your own compliance program.
Due diligence extends down the supply chain
The data controller is responsible for the protection of personal data all the way down the processing chain, and must be able to show that the data processors it uses operate to the same GDPR-compliant standards as the controller. If a processor in turn uses sub-processors, as cloud service providers commonly do, the controller must establish that those sub-processors are compliant too; under the regulation a processor may only engage them with the controller’s authorisation and must pass the same data protection obligations down to them. Contracts between customers and CSPs must therefore be watertight and written in terms that both parties understand. If the controller processes special category data (such as health, biometric or other sensitive personal data), this needs to be made clear to the processor so that the appropriate safeguards can be put in place.
Proactively demonstrating compliance (the regulation’s accountability principle) is another key aspect of the GDPR, and it marks a change in the way IT departments usually operate. Security monitoring is typically built around logging significant or unusual events and raising alerts when something unexpected happens. To demonstrate GDPR compliance, systems also have to record a great deal of routine activity, for example audit logs that show only authorised personnel are accessing data subject information, and that activity has to be reviewed rather than merely stored. In practice this means retaining far more activity and event data, kept intact and accessible so that it can be produced on request. Providers must be able to offer clients the same level of monitoring and visibility, with robust processes for notifying them of personal data breaches: a processor has to notify the controller without undue delay, and a controller has 72 hours from becoming aware of a breach to notify the supervisory authority where notification is required.
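The kind of routine access review described above, as an added example that is not part of the original article or iland’s tooling: a small Python script that reads constructed audit-log lines, flags reads or exports of data subject records by roles the (assumed) policy does not authorise, produces the per-user access counts an auditor asks for, counts malformed lines instead of silently dropping them, and hash-chains the reviewed events so the retained evidence can later be shown unaltered. The log format, the roles and the `POLICY` table are all assumptions for illustration.

```python
"""Review an access log for touches on data-subject records by unauthorised staff.
Added example; log format, roles and policy are assumptions, not from the article."""
import hashlib
import json
from collections import Counter

# Constructed sample log: one JSON object per line, plus one deliberately broken line.
SAMPLE_LOG = """\
{"ts": "2018-05-25T08:01:12Z", "user": "alice", "role": "support_tier2", "resource": "subject_record", "subject_id": "S-1001", "action": "read"}
{"ts": "2018-05-25T08:02:40Z", "user": "bob", "role": "marketing", "resource": "subject_record", "subject_id": "S-1002", "action": "read"}
{"ts": "2018-05-25T08:03:05Z", "user": "carol", "role": "dpo", "resource": "subject_record", "subject_id": "S-1001", "action": "export"}
{"ts": "2018-05-25T08:04:19Z", "user": "dave", "role": "support_tier1", "resource": "ticket", "ticket_id": "T-77", "action": "read"}
{"ts": "2018-05-25T08:05:33Z", "user": "bob", "role": "marketing", "resource": "subject_record", "subject_id": "S-1003", "action": "export"}
not valid json
"""

# Assumed policy: which roles may perform which action on a personal-data resource.
# Resources not listed here are treated as outside the review's scope.
POLICY = {
    "subject_record": {
        "read": {"support_tier2", "dpo"},
        "export": {"dpo"},
    },
}


def parse_log(text):
    """Return (events, malformed_count). Broken lines are counted, never silently lost."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return events, malformed


def find_violations(events, policy=POLICY):
    """Flag events on a policed resource whose role is not allowed that action."""
    violations = []
    for ev in events:
        rules = policy.get(ev.get("resource"))
        if rules is None:
            continue  # not personal data under this policy
        allowed = rules.get(ev.get("action"), set())  # unknown action: nobody allowed
        if ev.get("role") not in allowed:
            violations.append(ev)
    return violations


def access_summary(events, resource="subject_record"):
    """Per-user count of touches on a resource: the evidence an auditor asks for."""
    return Counter(ev["user"] for ev in events if ev.get("resource") == resource)


def chain_digest(events):
    """Hash-chain the reviewed events (canonical JSON) so the retained evidence is tamper-evident."""
    digest = hashlib.sha256(b"").digest()
    for ev in events:
        canonical = json.dumps(ev, sort_keys=True, separators=(",", ":")).encode()
        digest = hashlib.sha256(digest + canonical).digest()
    return digest.hex()


def review(text):
    """Run the whole review and return the findings as a dict."""
    events, malformed = parse_log(text)
    return {
        "violations": find_violations(events),
        "summary": access_summary(events),
        "malformed": malformed,
        "evidence_digest": chain_digest(events),
    }


if __name__ == "__main__":
    r = review(SAMPLE_LOG)
    for v in r["violations"]:
        print(f"VIOLATION {v['ts']} {v['user']} ({v['role']}) {v['action']} {v['subject_id']}")
    print("per-user touches on subject records:", dict(r["summary"]))
    print("malformed lines:", r["malformed"])
    print("evidence digest:", r["evidence_digest"])
```

Run against the constructed log this reports two violations, both by the marketing user, and one malformed line. Recording the chain digest alongside the reviewed log is what lets you later show that the evidence you kept is the evidence you reviewed; recompute it over the stored events and compare.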
Data Protection Officers – worth the investment
Even if the regulation does not oblige your business to appoint a Data Protection Officer (DPO), which it does only for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data, appointing one can help you put structure around your GDPR program and underlines your commitment to compliance. We have found that having a senior, independent person responsible for GDPR helps to define structures and reporting lines, so that everyone from the Board through to the individual departments has a central point of contact and expertise with whom to raise data protection and compliance issues.
Structuring your program – don’t reinvent the wheel
Taking a risk-based approach to GDPR using ISO 27001, SOC 2 and the Cloud Security Alliance’s cloud guidance ensures proper governance and management of risk and security for all data collection and processing, both as a controller and for the data processed on customers’ behalf. The UK standard BS 10012:2017 (personal information management) is written to align directly with GDPR. If your organization already complies with all or some of these, you can use those frameworks to structure your GDPR compliance programme. Similarly, when looking for suppliers, choosing those that align with these standards is a good indication of their commitment to GDPR, although it remains your responsibility to audit suppliers independently.
Leverage your legal department
Ensuring ongoing compliance with GDPR means that contracts between data controllers and processors need to be carefully written and reviewed; the regulation itself prescribes the terms a processing contract must contain. It is incumbent on the data controller to verify that contracts cover all of the required elements of performance, audit and security, and this means the legal department has to be resourced and ready to review contracts.
…and finally, it’s good to talk
As with so many major business projects, communication is a critical factor. When you are working to understand the way that data flows through your organization, it is one thing to look at a chart or process diagram, but you often get far more insight by sitting down with data handlers and letting them describe what they do with data every day. This flags up the little silos and workarounds that soon become embedded in workflows but would not show up in a conventional audit.
We’ve learned a huge amount in the past few years as we’ve worked to be GDPR-compliant. The next few years will show how this new system of governance will work in practice to keep personal information secure wherever it resides.
Frank Krieger is the vice president of governance, risk and compliance at iland