GDPR Compliance and the Bottom Line
A recent BriefingsDirect security market discussion focused on the approval of the General Data Protection Regulation (GDPR). This law was passed in April 2016 and established a right to protection for personal data within the European Union. Enterprises that hold personal data have two years to comply with the new privacy regulation or they will face financial penalties.
Dana Gardner, Principal Analyst at Interarbor Solutions, joined a panel of cybersecurity and legal experts to discuss GDPR and ways that companies might begin to extend compliance measures into business benefits.
Sitting on the panel of cybersecurity and legal experts were: Tim Grieveson, Chief Cyber and Security Strategist, Enterprise Security Products EMEA at HPE; David Kemp, EMEA Specialist Business Consultant at HPE; and Stewart Room, Global Head of Cybersecurity and Data Protection at PwC Legal.
Here are a few excerpts:
Gardner: David, is there much difference between privacy and security? If one has to comply with a regulation, doesn’t that also give them the ability to better master and control their own internal destiny when it comes to digital assets?
Kemp: Well, that’s precisely what a major European insurance company headquartered in London said to us the other day. They regard GDPR as a catalyst for their own organization to appreciate that the records management at the heart of their organization is chaotic. Furthermore, what they’re looking at, hopefully with guidance from PwC Legal, is for us to provide them with an ability to enforce the policy of GDPR, but expand this out further into a major records-management facility.
Gardner: Stewart, how does this affect companies that might not just be based in EU countries, companies that deal with any customers, supply chain partners, alliances, the ecosystem? Give us a sense of the concentric circles of impact that this pertains to inside the EU and beyond.
Room: Yes, the law has global effect. It’s not about just regulating European activities or protecting or controlling European data. The way it works is that any entity or data controller that’s outside of Europe and that targets Europe for goods and services will be directly regulated. It doesn’t need to have an establishment, a physical presence, in Europe. It targets the goods and services. Or, if that entity profiles and tracks the activity of European citizens on the web, they’re regulated as well. So, there are entities that are physically not in Europe.
Any entity outside of Europe that receives European data or data from Europe for data processing is regulated as well. Then, any entity that’s outside of Europe that exports data into Europe is going to be regulated as well.
So it has a global effect. It’s not about the physical boundaries of Europe or the presence only of data in Europe. It’s whether there is an effect on Europe or an effect on European people’s data.
Gardner: At HPE, do you have any examples or perhaps you can describe why we think that doing this correctly could get you into a better competitive business position? What is it about doing this that not only allows you to be legally compliant, but also puts you in an advantageous position in a market and in terms of innovation and execution?
Kemp: There are about six major reasons for paying strict and urgent attention to this particular subject. One of them, listening to my clients, has to do with compliance. That is the most obvious one. That is the one that has the biggest sanction. But there are another five arguments which have to do with advancement of the business. The second aspect, which I anticipated, but I’ve also heard from corporations, is that in due course, if it’s not here already, there might be a case where governments would say that if you’re not GDPR compliant, then you can’t bid on our contracts.
The third might be, what if you wanted to make the best use of this information? There’s even a possibility of corporations taking the PII, making sure it’s fully anonymous or pseudo-anonymized, and then mixing it with other freely available information, such as Facebook, and actually saying to a customer, we would like to use your PII, fully anonymized. We can prove to you that we have followed the PwC legal guidance. And furthermore, if we do use this information and use it for analytics, we might even want to pay you for this. You are increasing the bonding and loyalty with your customers.
So, we should think about the upsides of the business advancement, which ironically is coming out of a regulation, which may not be so obvious.
Gardner: How should one approach this from the security culture perspective, and how should one start?
Grieveson: This is not a single product or a point solution. You really have to bake it into the culture of your organization and focus not just on single solutions, but actually the end-to-end interactions between the user, the data, and the application of the data.
If you do that, what you’re starting to look at is how to build things in a safe, secure manner, but also how you build them to enable your business to do something. There’s no point in building a data lake, for example, and gathering all this data unless you actually get from that data some insight that is actionable and measured back to the business outcomes.
The second thing is to understand what it is that you’re going to protect and why, and where it resides, and then start to build the culture from the top down and also from the bottom up. It’s not just the data protection office’s problem or issue to deal with. It’s not just the CIO or the CISO; it’s building a culture in your organization where it becomes normal everyday business. Good security is good business.