The European Union’s General Data Protection Regulation (GDPR), which comes with potentially high fines for noncompliance, is forcing chief information security officers (CISOs) at organizations of all sizes to rethink how they manage data privacy. Yet many still don’t have a data security governance strategy.
“Although GDPR guidelines have been in effect since 25 May 2018, it’s clear that many organizations lack such a strategy or the tools needed to effectively protect sensitive data and maintain privacy and protection,” says Deborah Kish, principal research analyst at Gartner.
GDPR is a wake-up call for CISOs to draft new data security strategies
Their delay in formulating a strategy is due to a myriad of challenges. These include compliance mandates such as the NIST Cybersecurity Framework in the U.S., Australia’s new breach notification law and Japan’s Act on the Protection of Personal Information (APPI), as well as national access laws and international staff access requirements. As a result, organizations are at different levels of GDPR compliance.
“None of them are completely GDPR ready,” explains Kish. She adds that “CISOs should remember that GDPR is not the ‘silver bullet’ that will resolve all their security governance issues. They need to evolve their organization’s guidelines to ensure data security governance.”
Develop a data security governance strategy
Before drafting a security strategy, CISOs need to consider several key questions, such as how to prioritize the subject’s rights. As these questions cannot be answered solely by the security team, CISOs need to collaborate with other data security governance stakeholders who, for example, have an understanding of the data stored or processed on the organization’s systems.
Kish recommends that CISOs take the following five steps to develop a data security governance strategy and make their organization GDPR-compliant.
- Perform risk assessments to identify different data residency, compliance and security threats, and prioritize these threats using a financial assessment.
- Identify which datasets and risks need to be addressed, as not all datasets need the same level of security. Some may not need any.
- Define an appropriate set of security policies and associated procedures and security architectures for each business risk. Ensure each policy balances the needs of people or entities to access relevant datasets across all available digital business environments.
- Use these policies, procedures and security architectures to set the requirements for products that need to be deployed across the organization’s IT infrastructure.
- Create access and usage policies for each dataset that are consistent, as data flows across all available digital business environments, applications and endpoints.
“CISOs need to realize that GDPR can be the foundational privacy and data security standard, and can function as a standard approach to protect other datasets,” says Kish.