Sriram Ranganathan, MBA,
Managing Consultant @ Capgemini
The upcoming GDPR implementation deadline – May 25, 2018 - is making organizations within Europe lose sleep over compliance, data breach protocols and rights of individuals regarding collection and use of their personal data. This article focuses on a (perhaps) unexpected consequence of the upcoming regulation:
Enhancing an organization’s security capabilities just got more difficult because of the panic being generated by the GDPR.
(Personal) data protection has always been a relevant topic in Europe; European legislators have been enacting directives and regulations on the subject for decades. Now, with the GDPR, accountability is placed directly on the shoulders of data controllers and processors: uniform rules on the collection and handling of personal data, the right of individuals to participate (or not), transfers of data across borders, and the obligation of controllers and processors to be transparent towards customers and regulators. Every organization is, in one form or another, a data controller for its own data and potentially a data processor for the data of others. In that sense, the GDPR touches practically 100% of organizations doing business in Europe today.
The best way to handle a data breach is to not have one in the first place. Not only does it make perfect sense to avoid having your business data (and your reputation) on the street for all to see and exploit, but in several countries, demonstrable security compliance (e.g. ISO 27001 certification) is a regulatory precondition for operating certain businesses. In a virtual game of cat and mouse, organizations are investing heavily in cybersecurity technologies to build “impregnable” walls around their data assets while cyber criminals keep finding sneakier ways of getting at the data.
Intelligent firewalls, encrypted laptops and mobile devices, mobile device management, network vulnerability scanning, next-generation / intelligent anti-malware, identity and access management tools, threat intelligence tools, SIEM solutions – organizations are using multiple technologies to protect their data against theft and leakage.
The cost of these technological solutions can often run into millions, depending on the size of the organization. Both from an ROI perspective and to actually have their information assets protected, organizations are naturally keen to have these platforms operational as soon as possible. That is where – with my Project Manager’s hat on – the GDPR just made my life more difficult.

Our friend, the DPO (Data Protection Officer), has a very different view on organizational priorities than the CISO (Chief Information Security Officer). By the very nature of the beast, security platforms are highly intrusive. They look into computer systems, mobile devices and networks, inspect data at rest and as it passes through the network, run analysis algorithms to detect anomalies and store tons of data – including personal data – for advanced analysis and threat intelligence. This is what lets them fight a war with cyber criminals in which the rules of engagement change regularly: technology changes, attackers launch new attacks every day with new weapons, and these platforms must guard the organization against (as yet) unknown threats. From a security viewpoint, the highly intrusive behavior is (IMO) logical and required. From a privacy viewpoint, it collides with key elements of the GDPR: the right of data subjects to be informed clearly about what data is being collected, for what purpose, and how they can opt out if required (and any related consequences), and the purpose limitation principle, under which data collected for one stated purpose must not be processed for an unrelated purpose without a fresh legal basis (such as renewed informed consent). With a typical organizational security landscape comprising multiple security platforms from multiple third-party vendors – and with the internal engineering of those platforms being a black box – this has all the ingredients required to give the DPO a big headache.
Typical questions asked by a DPO are:
What personal data is collected, where is it stored, and for how long? Can we achieve our objective without collecting this data at all, or at least minimize it or anonymize it in some way? Has informed user consent been obtained for collecting the personal data? Can users say no, or opt out later (tricky, tricky question)? Can the data be used for profiling (even if it is not collected for that purpose), and what could the consequences of such profiling be? Where is the vendor located? Does the vendor have access to this data? Does the vendor have non-European subcontractors who have access to the data?
Have the organization’s legal eagles signed off on the respective DTAs and DPAs (data transfer and data processing agreements)? Remember, here we aren’t talking about application development, where the PM has complete control over the changes required to comply with GDPR requirements. Security platforms are (mostly) specialized software developed by specialized vendors, and while you can always configure the platform parameters, the ability to radically change the behavior of these platforms is highly limited. These are black boxes, often with their crime-fighting intelligence shrouded in intellectual property, and supported by product documentation which is (to put it kindly) not ready for the GDPR world.
In the new GDPR world, until satisfactory answers can be provided for the above – and many other questions in a similar vein – forget going live and operational. The Project Manager will spend the majority of his time trying (not) to strangle the DPO, who will steadfastly point to provisions in the well-intentioned GDPR to stop the PM from achieving his project objective (which is the CISO’s objective, which in turn is the organizational need – at least, that is what the Project Brief said).
The concern for privacy is not new within Europe. Most mature organizations have long adopted “privacy by design” as a regular part of the requirements and design process.
Technology platforms being intrusive is also not new; talk to security professionals over a cup of coffee and they will tell you stories that would make your hair curl. Take Google as the simplest example of how well our internet behavior is profiled. Another simple example would be trying to access unsuitable websites from your office network. And the Android and iOS apps on our phones that run constantly in the background… Let’s stop already! Of course “they” can track your IP address and see everything you do on the internet. Of course you didn’t give informed consent, despite the 100 pages of tiny text you accepted. Of course you cannot say no and still receive the same level of service.
So this problem isn’t new, but the strengthened focus on PIA (privacy impact assessment) findings is new ever since the GDPR became a household name. Traditionally, privacy impact was a checkbox that needed to be ticked, but it wasn’t sexy enough to be a project showstopper. Everybody tried their best to comply with the guidelines, and good enough was often good enough. Well, not any more!
Coming back to security platforms: while tracking and collecting (personal) data isn’t really new, until now 100% compliance was largely ignored because security was seen as the greater need. With the WannaCry, Locky and Petya ransomware families gaining wide notoriety, and with Russia, North Korea and the US confusing the world over who hacked whom, businesses needed to protect themselves; everyone understood that! What has changed is that the GDPR introduces tiers of financial penalties as part of a controller’s (or processor’s) liability for violations. In the GDPR world these penalties can be virtually business-ending, with a maximum possible fine of €20 million or 4% of annual global turnover, whichever is higher.
Data protection complexity is multiplied many times over when you consider country-specific rules for companies operating in multiple EU countries. The GDPR is the minimum required; the country-specific provisions come on top.
The DPO has an unenviable job on his hands. With a hugely understaffed team and GDPR regulations that are verbose and open to multiple interpretations, he must evaluate every project that comes in, with the threat of that €20 million (or 4% of global turnover) penalty hanging over his head. Try explaining to the CXO why you are being fined for non-compliance with an EU-wide mandate which has been trumpeted from the high heavens since last year (still too late, IMO, but that is another story). Give a green light to security platforms that poke and peek into everything? Forget about it!
As a Project Manager, you do have less flexibility in the implementation of 3rd party vendor products than (for example) a new software application being built by your own project team. However, your hands are not really tied. The following are tips from my personal experiences:
Being GDPR-aware helps, and you might even consider a lightweight study and certification to gain more knowledge – CIPP/E, for example. Understanding the DPO’s language will go a long way in helping you comply with his requirements. The GDPR’s guidance on the legitimate interests of the data controller can be an extremely useful topic to help you through the crisis. Especially for this discussion, get the DPO and CISO into one room and lock the door for a couple of hours (no toilet breaks). Both the DPO and the CISO have a legitimate viewpoint, and their talking directly will save you tons of emails and fruitless conversations.
Less is better! Get the project team to go through the platform documentation with a fine-tooth comb. You would be surprised by how broad most off-the-shelf products are in terms of capabilities – since they are sold worldwide, not only in Europe – many of which your organization might not even need. Every collection or analysis feature that is not required for your use case is a candidate to be left switched off, which shrinks the personal data footprint the DPO has to assess.
Make the DPO a part of your project, rather than someone you chase for an approval. Implement his suggestions on the best way to formulate governance processes for safeguarding against misuse, and for issues such as informed user consent and the consequences of opting out. DPOs find it extremely important to see a defined governance process agreed to by all stakeholders.
3rd party vendors normally mean 3rd party cloud and / or 3rd party sub-processors for platform support and maintenance, many of which could be located outside Europe. Get your organization’s legal teams working on the DTAs / DPAs as soon as possible; it isn’t as simple as it sounds.
Don't be afraid to be a hard-ass and demand answers if support is not forthcoming. Remember, an organization wanting tighter security controls isn’t doing anything illegal. Your project isn’t anti-GDPR and deserves answers and recommendations to support implementation (and not only questions and objections as sometimes happens).
The GDPR is an attempt to harmonize data protection regulation across Europe. Fines for non-compliance are huge. It requires a brave DPO to give blanket approval to security platforms that can (in terms of capability, even if there is no intent) do everything from reading your email / SMS to profiling you on race, religion, political affiliation and so on. Don’t expect a blank cheque, but work closely with your sponsor – in all likelihood, the CISO – and the DPO to work out what is and isn’t necessary for the implementation to succeed. Information security / cyber security is a legitimate business need that is well covered – with suitable modifications as requested by DPOs – under the legitimate interests basis in Article 6(1)(f) of the GDPR; Recital 49 explicitly names processing that is strictly necessary to ensure network and information security as a legitimate interest of the controller.