Yves Le Roux, co-chair and public policy workgroup lead, (ISC)2 EMEA Advisory Council
This Saturday marks the 10th anniversary for Data Protection Day, celebrated each year on 28 January – which is the date the Council of Europe’s data protection convention, known as “Convention 108”, was established. Data Protection Day, known as Privacy Day outside of Europe, is now celebrated globally, raising awareness of people’s rights as they relate to the automatic processing of their data. Each year, events are held around the world to both arm citizens with the information they need to understand and protect their rights, while also helping companies and organizations understand the rules and responsibilities to which they should adhere.
In addition to the 10-year milestone, Data Protection Day is particularly noteworthy this year as organizations around the world grapple with the European Union’s (EU) General Data Protection Regulation (GDPR). The regulation, which passed this time last year, gave everyone two and half years to come to grips with and put into place the measures needed for compliance. With one of those years now behind us, GDPR is teaching us a lot about company attitudes in this area. There appears to be little progress on the compliance effort to date, as poor acceptance of accountability across organizations suggests a belief that the task ahead is one for the specialists – either legal or technical.
(ISC)2’s EMEA Advisory Council (EAC) has established an international GDPR Task Force of members from around the world who are actively charged with implementing GDPR to track and curate front-line experience with the compliance effort. The membership and work is relevant globally, as any company that works with, or processes personal data of, EU citizens must comply. Our aim is to work with the global membership of (ISC)² to share the insights, tools and strategies they are deploying to meet the May 2018 compliance deadline.
First observations from our group reveal that too many projects are falling at the first hurdle, with implementation teams unclear on or unable to secure business support or the budgets needed for compliance. Specialist knowledge is going into auditing and determining what is required, but it is being met with a lack of will or acceptance at a business unit level to move forward with projects that have been outlined. Progress that is being made tends to be linked to the roll out of new initiatives, leaving gaps in addressing existing systems and processes.
If business leaders are not appreciating the requirements placed on them, the effort now must shift to helping them be more clear about their role in the process and the resources (both people and financial) required. This involves us all taking a step back from the expert knowledge we may have about what is required and thinking about how to communicate the scope of the task ahead and why it is so important.
A first measure is to ensure GDPR gains a priority ranking on the corporate and board-level risk register. This is justified by both the impact of failing to comply and the likelihood of a breach in the current threat landscape. The impact goes beyond the now well-cited maximum fine of four percent of worldwide turnover. Individuals have gained new rights to demand action and compensation for damages linked to a breach of their rights, while the definition of what is considered “personal data” includes many new forms of electronic data, IP addresses and the like, that can lead back to them. Data Protection Day will certainly serve to help more understand this.
The second measure is to emphasize the scope of what is required. This is not a simple “audit and adjust” exercise. The GDPR places greater emphasis on the documentation and existence of processes in place for the governance of personal data, and demands companies define how they will deal with user requests related to many new individual rights; the most cited of which is perhaps the right to remove their data from their systems. The (ISC)² EAC GDPR Task Force has published an overview of the basics that can be used as a tool to help everyone understand and communicate the scope of what is required.
The (ISC)² EAC GDPR Task Force is a grassroots effort. We are all volunteers who come together virtually every month to discuss the challenges and build a repository of experience. We welcome more input. (ISC)2 members interested in joining the effort are encouraged to contact me directly at [email protected], or (ISC)² EMEA managing director Adrian Davis at [email protected].