By Yves Le Roux, Co-Chair (ISC)² EMEA Advisory Council (EAC) and Chair of its GDPR Task Force.
The (ISC)² EMEA Advisory Council is turning to its professional membership to measure the readiness of organizations and security departments for the General Data Protection Regulation (GDPR) and highlight the challenges they are facing in the effort to become compliant by May 2018. We are doing this by bringing people who are actively working on implementation projects together either on monthly international calls and, as of this month, in face-to-face workshops hosted at (ISC)²’s new two-day Secure Summits, five of which are being held across the EMEA region this year. The first such workshop staged a series of round table discussions at our Secure Benelux Summit in Amsterdam gathering over 120 information and cybersecurity professionals from various industries. Another is set for Stockholm at the end of May, and we’ll be in Zurich for the end of June.
Through this effort, we are helping our members realize expectations and requirements that they hadn’t anticipated. In January, for example, we raised the alarm around the lack of engagement and support from the business units which hold the key to assessing how and why personal data is collected, how it is processed and used, and therefore how much effort should be made to ensure the company can continue to work with it. Lack of engagement continues to be a challenge with many of our Summit workshop participants reporting that they are still working to motivate the stakeholders needed across various functions. Unfortunately, the work continues to be the domain of a few as most employees and their managers have yet to understand that GDPR is a task for everybody.
Work is progressing on the development of policies—legal departments are active in the review of contract clauses, plans are being made to communicate privacy notices to individuals—but there remain many practical gaps and a level of detail that many in the room admitted they had not yet considered. An example included employee awareness and the need to manage their downloading of data on laptops. It was clear training would be required, but the scope of such training has yet to be defined. In considering the need for an inventory of the personal data held, some very basic questions are still being asked, such as: How can you know when the task is complete?
There are also numerous uncertainties arising as requirements are translated into the processes needed for implementation. Discussions covered whether companies could rely on consent gathered decades ago, should a record of it be found. Participants were unclear as whether privacy notices would have to be given in local languages—or all EU languages. To challenge things further, the role of the Data Protection Officer and parameters to conducting Data Protection Impact Assessments have not yet been fully defined by the EU Committee (Article 29 Working Group) working with and providing guidance to member states. And, as is currently the case for security practice in general, companies will continue to be challenged to gain the control needed over legacy systems and shadow IT to assure compliance. This is expected to, for example, frustrate the effort to document a process and efficiently fulfill data subject access requests, a new individual right that will come into force.
Overall, with just over a year to go to the compliance deadline, organizations remain in discovery mode. Plans are being put in place, but we are still developing our understanding of the scope of the task ahead, and our engagement with the organization. To address this concern, the EAC GDPR Task Force has worked with members’ input to define 12 Areas of Activity and their key supporting tasks, as well as some of the tips they shared for implementation. They can be tackled simultaneously, are easy to understand, and importantly, communicate to the people that will be responsible for achieving them:
- Stakeholder support: board and business units
- Inventory of the personal information you hold
- Privacy notice and information
- Individuals’ rights
- Data subjects’ access requests
- Data Protection Impact Assessments
- Personal Data Breaches
- Security of data processing and Data Protection by Design
- Data Protection Governance
- International Data Transfers
We will continue to share what we learn from the upcoming opportunities to learn more about members’ experience as we progress. Workshops will be held at all the (ISC)² Secure Summits in the EMEA region this year, and an overview will be shared within the Strategy Theatre at Infosecurity Europe June 8th. Join us if you can and let us know how you are getting along.