SAN FRANCISCO — Most of the conversation about the European Union’s new General Data Protection Regulation, at RSAC 2018 and elsewhere, focuses on the “what”: what rights are guaranteed to individual data subjects, what new obligations companies have to fulfill and what are the potential consequences of failing to comply.
However, it’s not enough to understand the new law at a high level, according to Cindy Compert, CTO for the U.S. public sector market and CTO for data security and privacy at IBM Security, who talked about the “how” of GDPR. Donning a chef’s hat as she offered practical tips for GDPR preparation in a cooking show-inspired presentation, Compert shared important tips for getting up to speed with GDPR — as well as some of her favorite recipes.
“A lot of great advice is out there, but a lot of it is very high level,” Compert said, explaining that she had been looking for more specific guidance for GDPR preparation.
To put GDPR preparation into perspective, Compert offered some preliminary results from IBM Research into how practitioners view GDPR. The full results are set to be released in May, close to the start of GDPR enforcement. In a teaser video posted before RSAC, Compert noted that the results of IBM’s research showed that nearly half (49%) of respondents consider GDPR a “transformational moment,” an opportunity to transform privacy, security and data management efforts. The prospect for positive, global change is good, especially since nearly a quarter (24%) view GDPR as a “catalyst to create new data-led business models;” another 25% take a less positive view that GDPR is simply “a mandatory regulation to be complied with,” while a tiny minority, just 2%, consider the new regulation to be “an impediment to innovation and data-led business models.”
Suggesting that a strong adult beverage would help put one in the right frame of mind for getting down to business with GDPR preparation, Compert shared her favorite recipe for a Mai Tai as she debunked some myths about GDPR. Specifically, she pointed out that the GDPR applies to “any living, breathing person on European soil,” so it could be anyone, not just an EU citizen, who gets the benefit of GDPR protections.
As for which companies are subject to the GDPR, Compert noted that any organization that is actively collecting data or marketing in the EU needs to comply, but not companies whose primary focus is elsewhere.
And one big myth that Compert busted was that since so many companies are not prepared, there would be an extension to the enforcement date. Not going to happen, Compert said, though enforcement might be slow on May 25 (a Friday), with the U.K. celebrating a bank holiday on the following Monday, May 28.
Getting enterprises ready for GDPR
Compert sees three types of clients when it comes to GDPR preparation: the hare, who started early with incremental preparations and is ready for the new law; the tortoise, who is still trying to figure things out but is still making progress; and the ostrich, who is waiting to see what happens before getting started on anything.
Employee awareness, Compert said, was key, and IBM requires that all employees take online GDPR training so they all understand the implications of being GDPR compliant. Other steps companies can take for GDPR preparation include understanding obligations under the new law, creating a cross-functional GDPR team, appointing a data privacy officer, inventorying data, and reviewing the company’s approaches to data, including privacy policies and statements, consent and choice mechanisms, processes for allowing data subjects access to their data and schedules for data retention.
Compert also demonstrated some techniques for getting control of the GDPR preparation process, including using scanning tools on IT project management files as a way of understanding where all of the company’s applications — and data — are being administered.
Other tips for GDPR preparation included building a sustainable audit trail, tracking where data is processed in the organization, and building an incident response template that includes breach notification and can accommodate the accelerated 72-hour breach notification window under GDPR. Automating these steps, Compert said, would simplify the work, though she added that as long as it is clear that the company is making an effort, there would likely be some leeway. “Regulators are reasonable folks and will work with you,” she said, adding that they can answer questions and would likely be willing to collaborate with companies to be effective in protecting privacy.
Compert also demonstrated ways to automate the processes necessary for GDPR compliance, though she stressed that each company needs to come up with the practices that work for its organization. One approach Compert described is to use robotic process automation to take manual processes, like logging into a web page or mailing a link, and automate the way they are handled based on data subject rights, so that the right kind of data is preserved in audit trails.