Transitioning GDPR preparations into successful operations
While organizations may think that they have done everything needed to prepare for GDPR, they may not have thought about how they arrive at assurance over GDPR, especially considering that being prepared for GDPR is different from having GDPR as part of operations.
GDPR has now been in force for over a year, so would it be correct to assume that all organizations have taken the necessary steps to ensure compliance? Based on our work and feedback from others, it appears that this is not the case, and far from it. But the big question is will the magnitude of the recent fines imposed on British Airways (£186m) and Marriott (£99m) make stakeholders think again?
What does the Information Commissioner's Office (ICO) expect of an organization?
That’s quite simple. The ICO expects that all organizations, no matter their size, are taking the protection of personal data seriously and that they are looking after the interests of the data subject. The ICO would expect all organizations to have compliance with the legislation at the core of operational activities. This means that in respect to personal data they are:
Clearly both British Airways and Marriott failed to convince the Information Commissioner that they were doing the right things and had done all they could to protect the personal data of their customers, but why are the fines so big? Is it because the ICO is making examples and sending out a message to those organizations who approached GDPR as another compliance headache and did the bare minimum or, worse, ignored it completely? Possibly, but equally it could be because both companies failed at a fundamental level – they failed to safeguard their digital estate.
But it could have been much higher. BA’s fine was 1.5 percent of global turnover; it could have been up to 4 percent. It is also noteworthy that Marriott incurred the £99 million fine because it acquired another hotel chain in 2016 – and it was this hotel group, Starwood, that had lost customers' data through a cyber breach.
While many organizations have invested a great deal of time and energy to be compliant with the regulation, many have failed to recognize the business value.
Instead of viewing GDPR as another regulation you need to comply with, consider the potential business benefits. Why wouldn’t you want to ensure that your data is:
Deliver Business Value … Comply with GDPR
GDPR is also about value and trust in data, a central element of information governance. Information governance encompasses, among other things, information security or, at a digital level, cybersecurity.
There are many organizations that were taken in with checklists and companies offering one-stop technological solutions, without taking the necessary steps to understand how personal data flows through the organization, as opposed to designing and implementing a framework that will fit with the culture and ways of working of your organization.
Then there are those organizations that complained “it’s not fair” and placed it on the “too difficult to do” pile.
On many occasions, senior stakeholders have told me that they could not see how GDPR affected them as they didn’t collect, store or process personal data – in all cases they had failed to grasp that employment data was personal data.
Absorbing GDPR into business as usual requires a holistic approach to information governance.
People, processes and technology – the guidance issued by Working Party 29 (the body responsible for developing the regulation) and by the ICO spelled it out: raise awareness, train, develop processes and procedures, tighten up on IT security.
How can doing the above build business value? It can be a differentiator, especially if you buy into the view that we are moving from the information age to an age where reputation is paramount.
In the marketplace, competition is fierce and choice is not restricted by geography. We no longer rely solely on the shops on the high street or on local businesses to fulfill our needs.
Could it be that in the not-too-distant future we will be looking at a “data trust index” when making our decisions over which internet business we want to interact with? So, will a business whose reputation is damaged because it cannot be trusted with our data be overlooked the next time we go shopping?
In GDPR terms, even those organizations that embraced the challenge are only at the beginning of their journey. Organizations collect data for a whole host of purposes and from a range of sources.
The simple question is why do we spend time and resources collecting, processing and storing this data? The simple answer should always be because it is necessary to assist in achieving business objectives. If this is the case, then the data collected must have value and be worthy of being safeguarded. If something has no value, why would we acquire it?
For the last year or two, the focus has been on GDPR, but in reality, many progressive organizations have been using GDPR as a way to improve their overall approach to information governance.
Looking forward, it is how we incorporate GDPR into information governance that will lead to a certain level of GDPR maturity. There is also a real prospect that protecting personal data may fall as part of annual audit requirements.
But it’s not just about our organization; it’s also about the organizations with which we share our data. If we do not manage our third-party data-processing relationships appropriately, our reputation could be damaged by their negligence. Even if the breach occurs in a third party’s data security, we are still accountable; therefore, it is our responsibility to make sure that the third parties we work with are looking after the data we share.
GDPR does not reflect a whole new philosophy with regard to personal data; rather, it builds upon the basic application of good information governance practices, albeit with a greater emphasis on transparency than an auditor might be accustomed to.
Providing audit assurance on GDPR is not a one-off process; the regulation requires auditors to consider personal data throughout the enterprise:
What can you do to reduce your risk of a fine? Here are some key points to consider:
• Provide data subjects with their personal data in electronic form, which facilitates portability.
Don’t let your organization be the next one hitting the headlines for receiving a large fine from the ICO. The fine is only the start of your worries – reputational and brand damage could cost much more!
Don’t Panic, Help Is At Hand
There are a number of sources of information to help us, including:
ISACA’s GDPR Resources: https://www.isaca.org/info/gdpr/index.html
ISACA’s Cybersecurity Resources: https://cybersecurity.isaca.org/info/cyber-aware/index.html
ICO’s 12 Steps: https://ico.org.uk/media/for-organisations/documents/2014918/dp-act-12-steps-infographic.pdf
NCSC’s Cyber Essentials: https://www.cyberessentials.ncsc.gov.uk/
NCSC’s 10 Steps to Cybersecurity: https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security
NCSC Board Tool Kit: https://www.ncsc.gov.uk/collection/board-toolkit
(This post originally appeared on the ISACA blog, which can be viewed here).