Author: Aaron Pritz– CEO, Principal Consultant, Co-Founder at Reveal Risk

GDPR (General Data Protection Regulation) is among the most significant and globally far-reaching privacy and data protection regulations of the century, if not ever. It continues a European data protection journey that began in the 1960s.

For many companies, it has unfortunately turned into a “hair on fire” drill of epic proportions. Some started two years ago, others are just getting started, and some didn’t realize they were impacted. There are some complicated elements to GDPR (especially for companies with legacy technology and antiquated business processes). However, it doesn’t have to be as hard if the “basics” of understanding your business and your personal information (PI) come first.

Since then, privacy-minded states such as California have introduced similar legislation: the CCPA (California Consumer Privacy Act), which takes effect within the next couple of years and will broaden the required focus in the US.

Why has it taken massive legislation, a lot of hype and fear-mongering, and the anticipation of significant fines and penalties to prompt major action on protecting personal data?

I believe there are three main reasons for the lack of action, or for getting a late start.

Cost and Effort

I’ve heard some individuals say that the cost of any fines and penalties is less than the perceived cost of compliance. Some leaders would rather gamble on being penalized than take action. Perhaps the previous lack of enforcement in the US for regulations like HIPAA set a perceived standard of inaction. Similarly, recent articles explain that many European countries are not yet ready or equipped for enforcement, which likely makes some executives believe there is plenty of cushion and extra time to “catch up” later. This thinking often fails to account for the softer costs of risk (beyond compliance) and for what would happen if a breach occurred.

Fear of What May Be Found

There is a line of thinking among some individuals that it is better not to ask, and not to know the state of affairs with privacy, than to dig in and learn that things are not in good shape and a ton of work is required. Legally speaking (and I’m not an attorney), I suppose there is an argument that doing an assessment, learning that you have a mess on your hands, and still doing nothing carries more risk than pleading complete ignorance. However, if enforcement is real, this argument is similar to telling an officer that you didn’t notice the speed limit sign in a school zone. It is rarely an effective strategy. There may also be fear that the business processes and IT systems are so antiquated that fixing the problems would be too significant to stomach.

Privacy Has Become Comfortably Numb

The weekly (or sometimes daily) breach notifications have become so routine that there is a perception that this is “business as usual.” At the aggregate level, most companies see minimal lasting impact on stock price or consumer trust (beyond some marquee breaches where poor handling of the situation, after the breach was discovered, came to light).

Regardless of the specific rationalization for the lack of sufficient action, I would argue that, like many things in life, we have made this overly complex. I would also say that the basics behind almost every privacy regulation or framework share about 80% of the same requirements and actions. I learned this while at a company that suffered an inadvertent (and unfortunate) technical glitch that disclosed patient email addresses to all other enrolled users of a patient website for a product considered very sensitive (a drug for depression). This resulted in a 25-year consent decree from the FTC and, as a side benefit, transformed the company’s privacy efforts. After this event, I was lucky enough to join an internal audit team assembled to conduct privacy audits (starting in Europe). I found that I was auditing and assessing well over 80% of the things now standardized in GDPR back in 2004!

Understanding your data and risk independently of any particular regulation lets your efforts cover more territory and minimizes unnecessary effort and churn. Consider these six simple questions:

1. What?

What personal information does the company, its business units, or its departments have (collect, process, store, or transfer)?

2. Why?

Why is this data necessary for conducting business? Is ALL of it really necessary?

3. When?

When do you need the data? Do you keep and maintain it only for the specific period your business requires?

4. Where?

Where is the data (IT systems, business processes, and other data repositories)? Where do you transfer the data to, and conversely, where does it come from?

5. Who?

Who needs and has access? Do these individuals have a valid need to see the data?

6. How?

How do you protect the data from becoming lost, stolen, or inadvertently disclosed?

If you read nothing else in this article, ask these questions. If you cannot answer them adequately, you know where to start.
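To make the six questions something a team can check rather than only discuss, here is an added example (not from the original article) of a small personal-data inventory register in Python. Each asset records an answer to What, Why, When, Where, Who and How, and a review function turns a missing, expired, or undocumented answer into a finding. The asset names, systems, retention periods, baseline control set, and review date are all constructed for illustration; substitute your own inventory and control baseline.

```python
"""Personal-data inventory register built around the six questions.

Added example, not from the original article. All assets, systems,
retention periods, controls, and dates below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set

# "How?" baseline: protections every personal-data store is expected to
# have. This set is an assumption for the example; use your own standard.
BASELINE_CONTROLS = {"access_logging", "least_privilege_review", "encryption_in_transit"}

# Constructed review date so the example is reproducible offline.
REVIEW_DATE = date(2024, 3, 1)


@dataclass
class DataAsset:
    name: str                      # What: the personal data held
    purpose: str                   # Why: documented business reason ("" if none)
    collected_on: date             # When: start of the retention clock
    retention_days: int            # When: how long the purpose requires it
    systems: List[str]             # Where: repositories holding the data
    transfers_to: List[str]        # Where: external destinations (vendors, countries)
    transfer_basis: str            # Where: documented basis for those transfers
    accessors: Dict[str, str]      # Who: role -> documented need ("" if none)
    controls: Set[str] = field(default_factory=set)  # How: protections in place


def review_asset(asset: DataAsset, today: date) -> List[str]:
    """Return one finding per question the asset cannot answer."""
    findings: List[str] = []
    if not asset.purpose.strip():
        findings.append(f"Why: no documented purpose for '{asset.name}'")
    expiry = asset.collected_on + timedelta(days=asset.retention_days)
    if today > expiry:
        overdue = (today - expiry).days
        findings.append(f"When: '{asset.name}' is {overdue} days past its retention period")
    if not asset.systems:
        findings.append(f"Where: no known repository for '{asset.name}'")
    if asset.transfers_to and not asset.transfer_basis.strip():
        dest = ", ".join(asset.transfers_to)
        findings.append(f"Where: '{asset.name}' is transferred to {dest} with no documented basis")
    for role, need in asset.accessors.items():
        if not need.strip():
            findings.append(f"Who: role '{role}' can access '{asset.name}' without a documented need")
    missing = BASELINE_CONTROLS - asset.controls
    if missing:
        findings.append(f"How: '{asset.name}' lacks {', '.join(sorted(missing))}")
    return findings


def review_inventory(inventory: List[DataAsset], today: date) -> Dict[str, List[str]]:
    """Map each asset name to its list of findings (empty list = all answered)."""
    return {asset.name: review_asset(asset, today) for asset in inventory}


# Constructed sample inventory; these are not real systems or data.
SAMPLE_INVENTORY = [
    DataAsset(
        name="customer_contact",
        purpose="Order fulfilment and support",
        collected_on=date(2023, 1, 15),
        retention_days=365 * 2,
        systems=["crm"],
        transfers_to=["fulfilment_vendor"],
        transfer_basis="Processor agreement signed 2023-01",
        accessors={"support": "Resolve tickets", "marketing": ""},
        controls={"access_logging", "least_privilege_review", "encryption_in_transit"},
    ),
    DataAsset(
        name="legacy_newsletter_signups",
        purpose="",
        collected_on=date(2015, 6, 1),
        retention_days=365,
        systems=["old_mailer_db"],
        transfers_to=[],
        transfer_basis="",
        accessors={"marketing": "Campaign sends"},
        controls={"encryption_in_transit"},
    ),
]


def review_sample() -> Dict[str, List[str]]:
    """Run the review over the constructed inventory as of REVIEW_DATE."""
    return review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for name, findings in review_sample().items():
        print(name)
        for line in findings or ["no findings"]:
            print("  -", line)
```

Run against the constructed inventory, the current customer data yields a single "Who" finding (a marketing role with access but no documented need), while the legacy sign-up list fails on Why, When and How at once, which is the typical shape of a forgotten data store.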

Now, pretend for a moment that there are no laws, regulations, or practical norms. Suppose your customer and stakeholder data (with an emotional value and real fundamental requirement to preserve trust) was at risk of bad things happening. Wouldn’t every CEO want to ensure that she (and all of her leadership) has a solid understanding of the six fundamental question areas above? One would hope so.

Stewart Room, global lead for cyber security and data protection legal services at PwC, said in 2017: “At the heart of the problem is the fact that the basic principles of data protection date back to 1968, and in many organizations, they have still not been incorporated into the operational reality of business. Many organizations are engaged in data mapping exercises because they are only now trying to find the data they should have been securing for years.” My questions above are “the basics.” Without a sufficient understanding of their answers, all other efforts are unlikely to be practical, focused, or efficient.

I believe that the modest mountain to climb starts to look more like Mount Everest because of a lack of focus on the basics, misinformation and misunderstanding, vendor propaganda, corporate bureaucracy, legal and business entanglement, and general inefficiency.

Briefly continuing this analogy: climbing a “modest mountain” (assuming your company has done very little) requires planning and focused execution. You would first want to understand your mountain, why you want to climb it, and the terrain (your business processes and personal data). Let’s use Half Dome in Yosemite National Park as an example. To summit it, you can go straight up the face of the dome or hike up the back.

Next, you would figure out what equipment you already have and the right amount of gear required to get up the mountain. What does your climb actually need? Packing too much will weigh you down, and you will likely fall or collapse from fatigue. Packing too little could leave you unable to ascend properly, or send you plummeting to your death.

Properly physically and mentally conditioning yourself (business processes, training, and human behavior), packing, and using the right tools can make a huge difference.

  • Record for the fastest climb up the “El Capitan” face (the steepest): 2 hours 19 seconds, free climbing with no ropes (improved from the very first record of 17 hours and 45 minutes)
  • Record for the slowest climb up the face: Infinity (17 fatalities, 85 injuries)
  • Record for the fastest hike (run) up the back of the dome: 2 hours 23 seconds (no known deaths)

Which path sounds like the one you would want to take?

Now let’s talk about tools. Many security programs are getting caught in the crevasses created by thousands of security tools and compliance demands, regardless of skill and effort. Many leaders are buying tools that their teams can’t keep up with. These tools never get packed for the climb and often collect dust in a garage.

Companies can spend years and tens of millions of dollars trying to encrypt every database they have (sacrificing other risk-reducing efforts). However, given the commonly cited estimate that around 80% of cyber-attacks involve compromised privileged access (accounts or credentials), I often scratch my head and wonder whether that is the best use of time and money. Essentially, the attackers walk in the back door with a key even though your house has an ironclad perimeter around it. Transparent database encryption decrypts for any authenticated, authorized session, so an attacker holding a valid privileged credential reads the data in the clear. Don’t get me wrong: encryption is good if you can do it, but it isn’t a panacea or necessarily the most critical thing you need to consider. I would prioritize privileged access security over database encryption.

Ultimately, the secret to a successful climb is how you plan your journey, the tools you use (and don’t use), and making sure that everything you do also prepares you for all of your activities (not just one climb or hike). Once you have your map, you must execute and avoid ALL distractions. You may adjust your map along the way, but don’t let this throw you off your route. Continuously confirm that you know where you are on the map and that you are making proper progress (versus slipping backward or sideways off your path).

In summary, whether your climb feels like Everest, Half Dome, or a small hill in a park, you should have, know, and monitor your plan. Bring a Sherpa or two if you don’t think you can make it yourself. You should have someone who understands the laws (and can break them down into tangible decisions and actions), someone who knows your business and how to influence change, and someone who can evaluate IT controls and influence technical change in the simplest and most effective ways. This may be one or more people, internal or external to your company.

Find a way to simplify the evaluation and tracking of your plan so that you stay on course. Ensure your plan answers the six questions and that you are reaching the right GDPR-specific decisions on things like providing notice, consent, the right to be forgotten, and so on. Otherwise, your efforts will be unnecessarily burdensome and ultimately weigh you down. Pack the best tools in the minimum quantity and dump the rest.

Send me a note if you want further advice specifically on YOUR summit. Good luck, stay safe, pack effectively, and don’t get bogged down!

P.S. – regardless of what you may hear, there is no magical helicopter that will take you to the top.

Feel free to COMMENT, REPOST, or LIKE to keep these free articles coming. If your security program needs help translating strategy into action and becoming more business risk/threat-focused, you can request more information at info@revealrisk.com. More information can be found on www.revealrisk.com.

(Note: These are my views/opinions only and do not reflect any past, current, or future employer’s or client’s views. For educational and discussion purposes only.)