Think beyond tick-box compliance

A year on since GDPR, many organisations are yet to stop fretting over fines and focus instead on business value

Just over a year since the European Union’s General Data Protection Regulation (GDPR) came into force, many organisations still have a lot of work to do to make real changes and shift focus away from fines and instead to business value, according to PwC.

When it comes to compliance with the GDPR and the UK’s updated Data Protection Act (DPA), Mike Gillespie, managing director and co-founder of independent security consultancy Advent IM, says no information security professional should be driving the conversation through dialogue about potential fines. In his experience, this is both defeatist and counter-productive when dealing with senior leadership figures.

Instead, he says: “We need to focus on all the benefits that can be realised by embracing data protection as an integral and necessary business process, which is fully embedded into our business as usual.”

Gillespie urges IT security professionals to start all information security and data protection activities with the organisation’s business objectives in mind. He argues that security, including data protection, should demonstrably benefit the organisation and ultimately result in information being used and exploited in a positive way, enabling the right people to have access to the right information at the point of need.

“To achieve this, it is absolutely vital to fully understand what personal information is being collected by the organisation, from where, and for what explicit purpose,” says Gillespie. “The business needs to ask: Is it strictly necessary? If it isn’t, then it must stop. If it is, then the next step is to identify what fair and lawful purposes are going to apply to processing this information and ensure that it is properly documented. By doing this, information security professionals can then work with the organisation to develop strategies to ensure that the information is capable of being used by legitimate users.”

To information security professionals, however, this can seem like a monumental task. As a result, it is an area that is frequently shied away from, in Gillespie’s experience. Rather than assign a task to an information security professional, he says businesses need to effectively integrate the role of “information asset owner” into their organisations and make the senior leadership team themselves responsible for implementing and embedding this structure.

According to Gillespie, this will enable management, using a combination of common sense, pragmatism and professional judgement, to make risk-based decisions over the collection, processing, sharing and disposal of information, with security and privacy professionals acting in a tactical advisor role, as and when required.

Beyond tick-box compliance

Now that the GDPR deadline has passed, Maxine Holt, research director at Ovum, says many enterprises are reflecting that a simplistic tick-box approach to compliance, with GDPR specifically and with regulatory requirements generally, has failed to deliver the potential benefits. Even when outcomes are limited to a compliance perspective, she says many will realise that their efforts have failed to provide the flexibility and scalability needed to cater for the expectation that ever more stringent data protection regulations will continue to evolve around the world.

Benefits of GDPR

1. Better control over data. This can be achieved by the following.

– Creating and filling a data protection officer post or role;
– Identifying a defined owner for each data type (eg, human resources, finance, project);
– Clearly defining who can create, access and modify specific datasets (a function of the data owner).

2. Providing better protection of data (both physical and electronic) through:

– The creation of a data asset register;
– Data cleansing, which would eliminate duplication, create data consistency, and identify and remove illicit copies of data;
– Implementation of fit-for-purpose access controls (for example, rigorously applying the ‘need to know’ principle);
– Regular data protection impact assessments (DPIAs).

3. The ability to prove due diligence in GDPR compliance – this would be valuable should the worst happen and personal data be leaked (for example, in terms of the level of any levied fines).

4. To create a positive marketing message as a follow-on from being able to prove compliance and due diligence.

Source: Peter Wenham, member of the BCS Security Community of Expertise

However, Holt says an approach that moves towards aligning business objectives with compliance requirements can provide organisations with better control of data. Such an approach offers the enterprise the potential to exploit benefits across all its data-driven initiatives, aligning compliance objectives with forward-looking business goals. “Compliance, and the effective leverage of data for business benefit, share the same essential requirement: absolute, granular control of data,” she says. “Ultimately, this synergy will provide the high-level opportunity to restructure the people, processes and technology within the organisation to maximise both the protection and value of information.”

According to Holt, compliance and the need to recognise and leverage the business value of data are both data control challenges. In her experience, viewing them in this way makes the alignment of business and compliance objectives much less of a problem.

“Organisations can begin to identify existing use cases and processes that depend on this control, and form interdisciplinary teams involving stakeholders from both compliance and other business roles to collaborate on shared outcomes and objectives. From this come shared processes and workflows, shared technology, and – to some extent – shared budgets. By intertwining compliance goals within the broader enterprise initiative for data control and value realisation, there’s the potential for compliance to cease being a cost centre over time,” says Holt.

“Benefits, such as improved customer relations and consumer trust, provide ‘softer’ returns that are often difficult to quantitatively measure over a short-term period, but can be significant and should not be neglected in calculations,” she adds.

Holt says that by addressing these problems at their root, the enterprise can simultaneously improve the ability to comply with regulations such as GDPR along with the ability to leverage data for business value.

Understanding customer data

Peter Wenham, a member of the BCS Security Community of Expertise and director of information assurance consultancy at Trusted Management, suggests that a GDPR audit is a good starting point for understanding data and data risks. As well as identifying companies that offer commercial GDPR audit services, an internet search on GDPR audits should provide a wealth of advice, including from the Information Commissioner’s Office website.

“A GDPR audit could be added to an ISO 27001 review for large companies,” says Wenham. “For the smaller companies, undertaking an IASME Governance self-assessment is recommended as it includes both Cyber Essentials and GDPR questions. Of course, the IASME Governance self-assessment would be an excellent starting point for any organisation, irrespective of their longer-term audit and certification plans.”

Beyond auditing, Wenham says improved control over personal data can be obtained through better use of the security features found in access control systems such as Microsoft Active Directory. Using such access control not only locks down access to personal data, but also leads to a more secure IT infrastructure.

Having a thorough understanding of what personal data exists in the organisation, and of the risks and opportunities associated with that data, can deliver huge benefits, according to Advent IM’s Gillespie. For instance, organisations can reduce their storage costs and create clarity about who should be able to access what in order to be efficient. “It can reveal poor employee practice and highlight training issues, therefore improving business quality,” he says.

“We should be focusing on the benefits when we talk to our senior leaders, and the potential for fines – which is a risk and therefore cannot be ignored – should be supplementary,” says Gillespie. “Only by doing it this way can we start to get our organisations to see data protection in a positive light as something they want to do, not something they grudgingly do to tick a box.”
