Consent Control and eDiscovery: Devils in GDPR Detail
5.5.207 securityweek Privacy
The European General Data Protection Regulation will be in force in just over 12 months: May 25, 2018. This is the date by which all EU nations must have enacted the regulation. Gartner predicts that "by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements."
GDPR will affect all EU-based companies, and all US companies that have any trade with the EU. Despite the threat of hefty non-compliance fines, Gartner is not alone in finding a lack of preparatory urgency among organizations.
"The Gartner data aligns with a survey Imperva recently conducted of IT security professionals at RSA," Imperva's chief product strategist Terry Ray told SecurityWeek. "Our data showed an overall lack of urgency among the IT professionals surveyed, with only 43 percent of respondents indicating that they are evaluating or implementing change in preparation for GDPR."
An April 2017 NetApp survey that queried 750 CIOs, IT Managers and C-suite executives in France, Germany and the UK, found that around 10% of companies have yet to begin preparations. Seventy-three percent of respondents have some concern over meeting the GDPR deadline.
A new report (PDF) published Wednesday by Pierre Audoin Consultants (PAC) and sponsored by Reliance acsn also supports the idea that companies do not understand the urgent need for GDPR compliance. Paul Fisher, a research analyst and cyber security lead at PAC, suggests, "The fact that compliance and more especially, GDPR, has such a low priority among our respondents is worrying. I do not believe that they are burying their hands in the sand, more that the implications and complexity of GDPR compliance have not yet fully sunk in."
It is tempting to believe the lack of preparedness is due to a misunderstanding of the nature of the regulation -- a belief that so long as personal data is kept safe, compliance will be assured. This is not true with GDPR. "The big change is that organizations will be financially punished for violations of record keeping and privacy impact assessment obligations, and not just actual data breaches," explains the PAC analysis.
"The increasingly empowered position of individual data subjects tilts the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data," warns Gartner.
It is this data subject empowerment that particularly makes GDPR different and complex. Simply installing new layers of security will not ensure compliance.
Gartner suggests organizations should focus on "five high-priority changes to help them to get up to speed with GDPR requirements." These are:
Check for GDPR applicability
Appoint a data protection officer (DPO)
Demonstrate accountability in all processing activities
Check cross-border data flows
Prepare for data subjects exercising their rights
The devil is in the detail of that final recommendation. In full, Gartner says, "Data subjects have extended rights under the GDPR. These include the right to be forgotten, to data portability and to be informed (e.g., in case of a data breach). If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls." An additional right is the data subject's right to withdraw consent for personal data processing.
Compliance and security officers need to consider the effect of data subjects exercising their rights -- and in particular the two issues of withdrawal of consent and the right to be forgotten.
The first issue involves the provision and withdrawal of the data subject's consent. Implied consent and implied cessation are no longer sufficient -- consent must explicit. Being able to prove that consent was given and continues (that is, has not been withdrawn) is new and will require completely new procedures. Gartner says, "A clear and express action is needed that will require organizations to implement streamlined techniques to obtain and document consent and consent withdrawal." One option could be the Consent Receipt Specification being developed by the Kantara Initiative -- but whatever solution is adopted, maintaining the status quo is not an option.
The second issue -- the right to be forgotten -- requires that an organization should have absolute knowledge of where all EU personal data is stored, and be able to remove it. That is no simple task in the age of cloud and mobility.
The PAC report notes, "Compliance with GDPR will only be legally registered if an organization is able to identify exactly where data is, whether in its own data centres, in the cloud or with a third party. The data controller will be held responsible for data at all times."
This requirement is little different to eDiscovery; but the reality is that few organizations currently have fully effective eDiscovery. Historically, the primary motivation has been litigation and the threat of litigation -- with the implication that if you don't get sued, you don't need eDiscovery.
This will no longer be realistic. Any one of the European data subjects can request -- effectively on a whim -- that all data you hold on them be removed. Organizations will not merely be required to do that, they will need to be able to demonstrate that they can do that. A combination of data classification and eDiscovery needs to be in place by May of next year.
"One of the huge holes for GDPR compliance," Skyhigh's privacy spokesperson Nigel Hawthorn told SecurityWeek, "is third party data handling. Most organizations aren't sure how many third parties process data for them, whether that's an outsourcer or a cloud provider being used to crunch or collaborate on data. The Data Controller is ultimately responsible for data handling of all of their third-party data processors and needs to ensure that the data processor's data handling procedures are robust -- I am sure this will catch out a lot of people."
The message from Gartner, reinforced by many other surveys, is that the task is more complex, and the available time much less, than many organizations realize. Hawthorn adds, "Gartner's prediction that by the end of 2018 less than 50% of organizations will be in full compliance reminds everyone we need to accelerate our efforts now -- as the regulation will be been in force for over 6 months by the end of 2018 and the risks of non-compliance can be huge."
His advice is that "Organizations need to take an holistic approach to GDPR compliance involving teams from multiple departments, led by senior management. The Governance, Risk and Compliance teams need to lead the project but involve IT risk and security along with other teams that are heavy users of data, such as marketing and HR. Sadly, marketing, the team most likely to break the regulations, is rarely involved in the discussions."