If you think your work is done after you meet the May 2018 deadline for the General Data Protection Regulation (GDPR), you’re in for a surprise.
The impact of GDPR reaches beyond the last two years of scrambling to get people, processes, and technology into place. The aftermath of GDPR means living with the new normal—privacy by design, constant compliance, and thinking about security from a business operations perspective. It’s not just deploying the latest technology to protect data and securing the endless number of connected devices coming to the workplace.
Follow the compliance continuum
You can’t be faulted for breathing a sigh of relief on May 25 if you’re confident you’ve put all the pieces into place to deal with the impact of GDPR. But like any privacy legislation, GDPR is a living entity that will likely be updated and revised in the coming years to reflect evolving technologies, how businesses are using customer data, and the threats to that data.
The aftermath of GDPR also provides a chance to reevaluate whether you can meet the rigours of other legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), which is due for revisions to address breach notification, as well as satisfying any regulatory bodies keeping a watchful eye on your industry.
Turn to privacy by design
The new normal means you can only hold and process data that’s necessary to complete a specific task, be able to tell a person exactly how their data is being used and shared, and confidently delete that data on request. In other words, you need to start thinking about privacy first—not after the fact.
Although GDPR is a tipping point for privacy by design, the idea goes back to the 1990s, coined by then Information and Privacy Commissioner of Ontario, Ann Cavoukian. She developed the concept to “address the ever-growing and systemic effects of information and communication technologies, and of large-scale networked data systems.”
Privacy by design has seven foundational principles. The first is that it’s proactive, not reactive—preventative, not remedial, aiming to prevent privacy infractions before they occur. Second, privacy is the default setting, in that personal data is automatically protected in any given IT system or business practice. Even if an individual does nothing, their privacy should remain intact, which dovetails well with the spirit of GDPR. This is aided by the third principle: privacy is embedded into the design and architecture of IT systems and business practices, not bolted on after the fact.
A key theme of privacy by design is that good security does not need to create barriers. Per Cavoukian, it’s positive-sum, not zero-sum. The fourth principle is full functionality, aiming to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner. The fifth principle builds on the previous ones in that security is end-to-end and provides full lifecycle protection of the data—again, it anticipates the spirit of GDPR. The sixth principle, meanwhile, seeks to assure all stakeholders that whatever the business practice or technology involved, everything is operating with transparency and can pass third-party verification.
The seventh and final principle of privacy by design hammers home the importance of the data subject, just as GDPR aims to protect the privacy interests of the citizen. Privacy by design “requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.”
Essentially, IT needs to make security and privacy user-centric. It’s a laudable goal in theory, but it must be operationalized.
Allow your security to become more agile
If privacy by design equates to being proactive and embedding security end to end, then it can’t be a separate discipline. Rather than keeping IT security as a separate group, as is often the case, there’s an argument to be made for better integration through the DevOps model—having developers, IT professionals, and business users work as a team to build, test, and release software with security in mind.
The “Application Security and DevOps Report” found that 99 percent of all respondents agreed adopting a DevOps culture presents an opportunity to improve application security. The reality, however, was that only 20 percent were embracing this approach. Counter to the privacy by design principles, businesses continue to rely on security technologies downstream. But the increasingly porous nature of business networks, the adoption of more agile development methodologies, and GDPR require security teams to become more flexible. In the process, you can create the win-win situations laid out by privacy by design, and you can successfully build security tools into the workflow of your organization.
Get your settings right
Combining privacy by design and a DevOps mindset for application security doesn’t mean you can just stop doing the tried and true. Although your people and processes are big contributors to GDPR compliance, technology still has its place. Given that Bring Your Own Device policies have been the new normal for a while and the Internet of Things (IoT) is experiencing inevitable growth, you need to take advantage of the security inherent in the many endpoints and devices throughout your organization. The good news is that the manufacturers of these smarter devices are recognizing the need to deliver products with embedded security and support for proactive monitoring, which contributes to the level of privacy sought by GDPR.
But that doesn’t mean you should set and forget. Many of the vulnerabilities exploited by hackers and other threat actors are created by convenient features in the various devices connected to your network, and it only takes one gap to let someone sneak in and gain increasing levels of access to compromise personally identifiable information. Not only should you take advantage of the embedded security in devices, be they conventional PCs or emerging IoT endpoints, but you must also perform holistic penetration testing to put your people, processes, and technology through their paces. They all play a role in GDPR compliance.
Unlike the Millennium bug, which was largely inconsequential in the long run, GDPR compliance is something that will continue to affect how you architect IT systems and collaborate with lines of business, regardless of how it evolves over time. If anything, it demonstrates the merits of privacy by design and the need to be ready for privacy legislation in any form.
Missed our first segments about GDPR? Check out “Be ready to play the long game when preparing for GDPR” to learn what you need to tackle in the short term to prepare for GDPR, and then turn to your ultimate guide for data protection, “Prep for a GDPR audit by building a GDPR compliance checklist.” For more IT security insights from Tektonika, click subscribe at the top of the page.