5 GDPR Questions Keeping CISOs Awake at Night

We are fewer than 50 days away from the enforcement of the EU’s General Data Protection Regulation. CISOs and their security and risk management leaders still require clarity.

Are you ready yet? General Data Protection Regulation (GDPR) readiness has been top of mind for chief information security officers (CISOs) and privacy and risk management leaders for the past year. The regulation comes into effect, and will be enforced, May 25 2018 — which is now fewer than 50 days away.

Security and risk management leaders can’t ‘go at it alone,’ and must involve a multidisciplinary team to translate all the requirements of the GDPR

Some of you are still concerned about whether your organization will be fully compliant in time. “I receive an average of 30 inquiries a week from CIOs and security and risk management leaders who are still unsure about the steps they need to take to comply,” says Bart Willemsen, research director at Gartner.

“To enhance customer trust and avoid hefty fines, it is crucial for CIOs and business leaders to identify all business processes impacted by the GDPR, and for their security and risk management leaders to put in place a program for GDPR compliance.” 

To help organizations prepare, Willemsen answers the GDPR questions that are top of mind for CISOs.

Maximize your CX strategy
Gartner Customer Experience & Technologies Summit 2018
Learn More

What is “processing” of personal data?

Any action on data may be considered processing — from creating or obtaining the data to destruction at the end of its life cycle, and all the actions in between. These actions include copying, changing, pseudonimizing, transferring, storing and, more broadly, everything an organization does with the data. This may include showing data on the screen of a tablet in Dubai when the data actually sits in a Dutch data center.

Who in the organization is responsible for compliance?

Setting the stage for compliance requires setting up the organization to enable the correct mutual responsibilities. The organization should therefore appoint business process owners. Part of their responsibilities will consist of conducting privacy impact and risk assessments periodically, and addressing whether the outcome is within the mandated risk appetite. Therefore, they should also have the resources and discretion to mitigate accordingly.

The business representative explicitly accepts the residual risk, or increases mitigation until the residual risk is within acceptable limits

To enable any organization to make an informed decision based on the exercise dedicated to privacy awareness, security and risk management leaders must assess both privacy and business risks. They should then suggest mitigating measures to the business process owner to decide on, and implement as instructed. The business representative explicitly accepts the residual risk, or increases mitigation until the residual risk is within acceptable limits.

What personal data can I process?

With the proper controls, almost any data can be processed. However, an organization must first determine the legal grounds for processing, then document the purposes for processing that data. Once these purposes are determined, the organization can provide the reasoning behind what personal data must be processed to achieve them.

The sensitivity of any personal data that is processed should be observed in the processing context

The subsequent cross-relation of data processed in connection with the purposes that data serves, is subject to the retention scheme that contains the retention periods for each purpose. A retention scheme shows what data is allowed to be used in which context. Enabling only the authorized use of personal data, brings with it inherent requirements to prevent other disclosures. This, in turn, dictates authorization and access management and the application of pseudonymization tooling. As all purposes a record serves are achieved and the retention periods have expired, organizations should delete the personal data.

Time is a critical success factor for a data breach response. Retention periods are, ideally, as short as possible and only as long as can be justified as “necessary” in the context of the processing purpose. To enable adequate protection of personal data and allow insight into relevant privacy risks, the sensitivity of any personal data that is processed should be observed in the processing context.

Is there anything special about consent?

Yes. The characteristics of consent are quite specific. For one, it should be freely given, indicating there is no coercion, cross-selling or pressure. This not always straightforward. For example, some employees might be afraid to lose their job if they don’t consent to a specific processing activity. Employers should therefore tread carefully when relying solely on the agreement.

Consent, moreover, must be unambiguous, provided per purpose and “well informed,” requiring absolute clarity of the information provided where consent is obtained. It is also worth adding that proper consent management lies with the data controller and includes not only administration (logging) of the consent itself, but also the conditions under which it was provided.

Will we be fined for a data breach?

Not necessarily. Barring the absence of any processing activity, 100% security does not exist. Organizations should assume a data breach will happen. They are, however, responsible for the application of sufficient preventative, detective and other countermeasures.

Even the lack of notification may reveal noncompliance, which in turn can be reason for regulatory action

Although experiencing a data breach in itself is not sanctionable, a data breach — or “every unintended loss of (control over) personal data” — must be communicated to the regulatory authority within 72 hours of detection. When the breach has a potential impact on the subjects, the organization should notify those individuals as well. A subsequent investigation, or even the lack of notification, may reveal noncompliance, which in turn can be reason for regulatory action.

“It is clear that security and risk management leaders can’t ‘go at it alone,’ and must involve a multidisciplinary team to translate all the requirements of the GDPR and prioritize risk mitigation actions,” says Willemsen.

Willemsen_Bart

Gartner clients can read more in the report "GDPR Clarity: 19 Frequently Asked Questions Answered," by Bart Willemsen.

Get Smarter

Gartner Data & Analytics Summits

Get the tools and insights you need to build on the fundamentals of data and analytics.

Explore Gartner Events

100 Data and Analytics Predictions Through 2021

Over the next few years, data and analytics programs will become even more mission-critical throughout the business and across industries....

Read Free Research

Designing and Implementing a Cloud Strategy

Cloud is no longer an "if;" it's a "how" for most organizations. Many recognize they need cloud services to stay competitive, drive innovation...

Start Watching