Security Central: Essentials for Complying with GDPR’s Privacy Rights
As we count down to the May 25 deadline for organizations to be in compliance with the European Union’s General Data Protection Regulation, we have examined some “must-dos” for businesses that are getting ready to comply with GDPR, as well as the blind spots they might have missed when prepping for the law.
This week, we dig into the specific rights granted to EU citizens under the legislation and what they mean for organizations that need to demonstrate compliance.
While all organizations that process the data of EU citizens need to prove compliance by the May deadline, it appears that most global businesses are still falling short. New research from Pierre Audoin Consultants (PAC), part of CXP Group, an independent research and consulting firm, finds only 20 percent of global organizations are ready for the full rollout of the GDPR. The report, “Moving beyond the GDPR,” is based on surveys of 510 executives at large companies across manufacturing, services, transport and the public sector in North America, Europe, Southeast Asia, India and Brazil.
The legislation includes several specific privacy rights for EU citizens concerning their data, including the right to be forgotten; right to opt out; right of access; right to portability; and right to object.
MSSPs need to be aware of all these rights and what they mean for clients as they assist them with GDPR compliance measures. All require organizations to have a clear understanding of where their data lives, who has access to it, how it’s being used, and how to delete it should an affected citizen request it. Complying with each requirement is going to be difficult for organizations all over the world, according to Paul Fischer, research director with PAC.
“They are all tricky, and something that organizations will have to just get used to,” says Fischer. “Probably right of access (will be most difficult for compliance), simply because of the timescale in which they must comply and the needle-in-the-haystack problem of finding the specific data requested.”
A Complete Data Inventory Will Be Crucial
Indeed, at the heart of compliance is a clear view of where all data exists, and how to access it quickly if necessary. So what is an MSSP to do in making recommendations to clients who seek advice on GDPR preps and complying with data privacy rights?
Fouad Khalil is head of compliance at security ratings firm SecurityScorecard, which is actively working with channel partners on GDPR. He advises clients to get on top of their data immediately if they haven’t already.
“The No. 1 recommendation is data mapping,” says Khalil. “You don’t know what you don’t know. It is critical to conduct a complete inventory.”
An inventory of what, exactly? That’s the question many businesses are struggling with, and some are even neglecting certain data sets, as we learned a few weeks ago when discussing GDPR blind spots.
“Everything is in scope,” says Khalil. “Your complete inventory must be accounted for. State that it is being used, and the location. Identify what level of consent you have for all data. That is only the start. It’s all about data.”
Storing and Retention Practices Need an Overhaul
Michelle Robles, principal consultant at Dimension Data, says many businesses still are woefully unprepared for GDPR and continue to allow noncompliant data-retention practices that could come back to hurt them when GDPR is enforced.
“What we are seeing is clients keeping data indefinitely,” says Robles. “There is no justification or legal basis in place for them to keep the data, and they are going to have to put mechanisms in place to get rid of that data.”
One of the most pressing reasons for examining and changing data-retention practices, says Robles, is the right to be forgotten extended to data subjects under GDPR. If an EU citizen wants their data expunged from an organization’s data files, businesses must comply and provide transparency into the process. And organizations need to provide a reason for holding onto data in the first place.
“It can no longer simply be, ‘We want to keep your data,’” says Robles. “They need to explain what they’re going to be doing with it, why they want it [and] how long they’re going to retain it. And they need to provide a set of directions if people want access to it, and it all has to be clear and transparent. You can’t just provide a check box and say, ‘By clicking this you agree to it.’ That doesn’t count as transparency.”
The Journey to Compliance Starts with Assessment
Where do MSSPs start with clients in getting their arms around this if they see the client is nowhere near ready to meet the regulation’s demands?
“What I suggest to clients is to get a comprehensive readiness assessment,” says Robles. “Time is running out, and so many companies are taking a wait-and-see approach; they don’t believe there will be any repercussions in North America. But for those that are getting nervous, I tell them to do a readiness assessment and do data-classification flows within that assessment. This is a first step to tell them what they have in place and what they need to do to reach compliance. You have to know what you have before you can fix the problem.”
“When you consider the various aspects of GDPR, it’s challenging any way you look at it,” says Khalil. “Companies are trying to figure out how they need to delete data, or produce evidence of a breach if one occurs, or evidence that data was ported without consent. It will all prove challenging at first. But the pillar for any of this to succeed is to have control over your data.”