Compliance, risk and the coming EU data protection framework: a CISO's perspective

Compliance and risk managers in Europe are facing one of the biggest challenges for decades as the region moves to a new data protection framework.


Since the draft legislation was published in January, EU member states have been debating and negotiating changes to the way the principles will be implemented, which they believe could be fraught with difficulties.

But while negotiations continue in Brussels, compliance and risk managers have no time to waste in preparing for the new rules, which could come into force as soon as 2013.

Despite the pressure on businesses and organisations in Europe to get their houses in order, the new rules may not be as big a challenge as most people think, according to Matthew Lord, chief information security officer at business services firm Steria UK.

In fact, he believes, much of what is contained in the new regulations will be business as usual, and while other elements will require change, that change may not be as big as people think and could help support internal security risk management processes.

Challenges will remain, however, especially if those lobbying Brussels are unable to get any real concessions on controversial requirements such as data breach notification within 24 hours.

This could be challenging for many organisations, especially those that have traditionally accepted higher levels of risk by choosing to delay breach notifications or not to notify at all. They would rather risk being found out than risk damage to the company's reputation through disclosure.

Once enforced, the new rules will make breach disclosure mandatory in a short period of time, possibly forcing unnecessary disclosures or over-disclosures as organisations will have little time to assess the real extent of the breach and establish exactly what data has been leaked.

"Security controls will at some point in time change the way you do business from the perspective that it won't be as dynamic as it once was. When you put in place risk processes, they make people consider the impact of what they are about to do, and in some cases will stop certain behaviour which therefore limits parts of the business," said Lord.

Erasing personal data

The right to be forgotten is another principle introduced by the EU that will be tricky to enforce. It dictates that individuals can require erasure of their personal data and abstention from further distribution by the data controller -- that is, the organisation that has recorded their personal data. Where data was made public, the controller shall take all reasonable steps to inform third parties to erase links to, or copies of the data, and where the controller authorised the publication, it remains responsible.


"The IT impact of that could be horrendous. I think [in the negotiations in Brussels] there is a piece about balancing up what is truly sensitive and what is not," said Lord.

A good way for chief information security officers (CISOs) to tackle the coming changes, he believes, is to look at what is going to be required and to use that as a guide for best practice where it differs from what the organisation is doing already.

Much of the debate will be about the 24-hour period for notification, but European businesses will almost certainly join their peers in most US states in having to comply with mandatory breach disclosure, said Lord, so it would be a good idea to start preparing for that if they have not done so already.

But for forward-thinking organisations, this should not be something new. At worst, it should be a question of re-prioritisation.

"Incident management is something that I think all companies work on to get right. All incidents follow a different path, but the cornerstone of how you handle incidents is pretty much the same: you get the right decision-makers in the room; you act on the information available, choosing to manage expectations internally and externally or not; then you begin the remediation path," said Lord.

Incident management

The effect of the proposed data protection framework should not be to introduce something new, but to highlight the importance of incident management and the need to improve existing processes.

"One of the first things I did when I came to Steria was to get ready people with the right expertise, internally and externally, should we ever need them," said Lord.

Accountability is another key principle of the proposed data protection framework, and it requires data controllers to maintain documentation of all processing operations, conduct a data protection impact assessment for risky processing, and implement data protection by design and by default.

"Again, this is business as usual for me because as a CISO I am always going to say we should implement things securely," said Lord.

But the new regulations, like the Payment Card Industry Data Security Standard (PCI DSS) and the ISO 27001 information security management standard, he said, will give CISOs added authority when they tell developers and other teams in the business that it is important to build IT systems that are secure by design, because it is no longer good enough to react after an event or to trade off security against functionality.

"Is this changing the way I do things? Not at the moment. But it does realign a couple of projects that I was going to do anyway. It formalises things, puts them on the starting blocks and gives me momentum to do it, in the same way that PCI DSS and ISO 27001 have done," said Lord.

In fact, he says that standards like these are in a way a bigger challenge for organisations in Europe than the proposed data protection rules or any other regulation.

"What I am seeing increasing, particularly from our clients, is the need to sign up to and conform to multiple forms of regulation or standards. I am seeing more traction from the PCI/ISO 27001 type standards than I am from any specific piece of regulation outside banking, finance and government, which tend to have their own niche standards."

According to Lord, one of the big dilemmas he faces as a CISO is all the conflicting regulation and standards he has to face, but he has a solution: "I think you have to track back and stick to the basics. If you look at frameworks like ISO 27001, they give you a very good set of controls to operate to. If you set about putting those in place and make sure that you are disciplined about implementing those, then you stand a good chance of passing a lot of the regulation out there."

Harmonising data protection

Another "big headache" for CISOs is that data protection rules in some parts of Europe are extremely rigid and prescriptive in contrast with the UK and other jurisdictions where the approach is more objective-based. Lord believes the new data protection framework will make life a lot easier by harmonising these requirements across Europe, reducing the amount of consultation he will have to do with in-country legal teams to ensure local compliance.

This, however, will not necessarily solve the risk and compliance challenges posed by the UK's Computer Misuse Act and its equivalents elsewhere in Europe, where each country has specific requirements. In Germany, for example, any results of security or penetration testing have to stay inside Germany.

Steria's solution is to implement a set of general security controls that fits most organisations' requirements, both government and commercial, which works for over 80% of clients and provides an easy measure of compliance. Where clients have additional requirements, Steria implements those to ensure a 100% fit.

"Sometimes we will adopt a country's specific control because that is the right thing to do and we will change our global practice to align with that, versus another control where we might say that that is quite prescriptive by nature versus the risk," said Lord.

"Where we find that another country's piece of legislation conflicts [with Steria's default standard] and they want to set the bar higher, we normally consult with the in-country legal team to decide whether we have to do that or not," he said.

From a CISO's perspective, then, the coming EU data protection regulations should not mean radical change, but will help formalise, prioritise, support and ease the implementation of best practice in data management and compliance by providing a single framework across all EU member states.
