FINAL WORD
While the combination of new technologies and the new regulation may seem an insurmountable task to manage over the next 12 months, CIOs and IT directors should look at GDPR as an opportunity. Rather than treating it as a separate, isolated task, they should recognise that the new regulation has put a price on cybersecurity and secure data management, bringing it to the attention of the C-suite. CIOs and CISOs should harness this opportunity to get the budget and procedures in place that will enable them to transform their organisations’ approaches to cybersecurity and reposition IT as a function that enables business transformation and growth.
This will have a dramatic impact on a number of current security challenges many IT teams are facing, such as the massive growth in Shadow IT. According to a recent McAfee Labs Report, almost 40% of cloud services are now commissioned without the involvement of IT, and unfortunately, visibility of these Shadow IT services has dropped year on year. 65% of IT professionals think this phenomenon is interfering with their ability to keep the cloud safe and secure. This is not surprising given the amount of sensitive data now being stored in the public cloud; more than half (52%) of respondents report that they have definitively tracked malware from a cloud SaaS application.
For the first time, GDPR gives CIOs and IT leaders the authority to clamp down on shadow IT in their company, with the support of the rest of the board, who fear the ramifications of GDPR.
Better late than never – getting started on the GDPR journey
There are specific requirements in the regulation: reporting breaches, reviewing processing in advance and making sure vendor contracts have particular language.
But GDPR makes a larger and more fundamental ask: that each company look carefully and studiously at its environment, evaluate the data it holds, and ‘implement . . . measures to ensure a level of security appropriate to the risk.’ It’s a sort of data protection soul-searching designed to protect people and their data from harm. And this perspective challenges organisations to embrace the spirit of the law and be accountable for it, not just to tick a box.
‘Appropriate’ and ‘adequate’ – tough words in a security context – are found repeatedly in GDPR. The regulation suggests that ‘in assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.’ That sounds like a basic risk assessment. But what should you consider in this high-stakes risk assessment, and how do you get to where you can say you have appropriate security?
Remember: this isn’t legal advice; each company has to decide for itself what it needs to do to comply with GDPR, but I would suggest you consider these steps as ways to get started on the journey:
1. Scope. Know what you have. We can’t protect what we don’t know we have. This is a good time for companies to figure out how and where they hold personal data; and not just that of EU residents, and not just for their EU affiliates.
2. Protect. Know how you are protecting those assets. Are you doing the basics? Could you do more? Are your peers doing more? Are you following your data classification policy in automated ways or just expecting employees to know it? Do you delete unnecessary data?
3. Monitor and detect. Do you have technologies in place (such as encryption, data-loss prevention or anti-virus software) to protect those assets from malicious actors, loss or unwanted leaks? And do you know what to do if something goes wrong?
4. Review. Do you have a process to make sure that all new applications or cloud services are reviewed and that you know how you are using them? Are you implementing data protection by design by thinking of privacy and security at the very beginning of any project?
5. Then repeat. The regulation requires ‘a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.’
Some of the specifics of what the regulation requires will take years to truly understand as regulators and courts issue rulings on what comes in front of them, and companies will have different paths to compliance with GDPR. But at the core of the regulation is knowing what you do with the personal data of your employees and customers and making sure you have stopped to consider the risks inherent to personal data in your business.
Thinking of GDPR as an opportunity to review the robustness of your data protection programme and to make reforms that are good security, good business, and the right thing to do turns GDPR from a many-headed monster into healthy data-centric reform. After all, the GDPR tells us that ‘the processing of personal data should be designed to serve mankind.’
Tarek Jundi, Managing Director, Middle East and Turkey, McAfee
www.intelligentcio.com