SAN FRANCISCO -- Most of the conversation about the European Union's new General Data Protection Regulation -- at RSA Conference 2018 and elsewhere -- focuses on the what: What rights are guaranteed to individual data subjects? What new obligations do companies have to fulfill? And what are the potential consequences of failing to comply?
However, it's not enough to understand the new law at a high level, according to Cindy Compert, CTO for the U.S. public sector market and CTO for data security and privacy at IBM Security, who talked about the how of the General Data Protection Regulation (GDPR). Donning a chef's hat as she offered practical tips for GDPR preparation in a cooking-show-inspired presentation, Compert shared important tips for getting up to speed with GDPR -- as well as some of her favorite recipes.
"A lot of great advice is out there, but a lot of it is very high-level," Compert said, explaining that she had been looking for more specific guidance for GDPR preparation.
To put GDPR preparation into perspective, Compert offered some preliminary results from IBM Research into how practitioners view GDPR. The full results are set to be released in May, close to the start of GDPR enforcement.
In a teaser video posted before RSA Conference, Compert noted that the results of IBM's research showed nearly half (49%) of respondents consider GDPR a "transformational moment," an opportunity to transform privacy, security and data management efforts. The prospect for positive, global change is good, especially because nearly a quarter (24%) view GDPR as a "catalyst to create new data-led business models." Another 25% take a less positive view that GDPR is simply "a mandatory regulation to be complied with," while a tiny minority -- just 2% -- consider the new regulation to be "an impediment to innovation and data-led business models."
Suggesting a strong adult beverage would help put one in the right frame of mind for getting down to business with GDPR preparation, Compert shared her favorite recipe for a mai tai as she debunked some myths about GDPR. Specifically, she pointed out that the GDPR applies to "any living, breathing person on European soil," so it could be anyone -- not just an EU citizen -- who gets the benefit of GDPR protections.
As for which companies are subject to the GDPR, Compert noted that any organization actively collecting data from, or marketing to, people in the EU needs to comply, but not companies whose primary focus is elsewhere.
And one big myth Compert busted was that there would be an extension to the enforcement date, as so many companies are not prepared. Not going to happen, Compert said, though enforcement might be slow on May 25 -- a Friday -- with the U.K. celebrating a bank holiday on the following Monday, May 28.
Getting enterprises ready for GDPR
Compert said she sees three types of clients when it comes to GDPR preparation: the hare, who started early with incremental preparations and is ready for the new law; the tortoise, who is still trying to figure things out but is still making progress; and the ostrich, who is waiting to see what happens before getting started on anything.
Compert said employee awareness was key, and IBM requires that all employees take online GDPR training so they all understand the implications of being GDPR-compliant. Other steps companies can take for GDPR preparation include the following:
- Understand obligations under the new law;
- Create a cross-functional GDPR team;
- Appoint a data privacy officer;
- Inventory data; and
- Review the company's approaches to data, including privacy policies and statements, consent and choice mechanisms, processes for allowing data subjects access to their data, and schedules for data retention.
Compert also demonstrated some techniques for getting control of the GDPR preparation process, including using scanning tools on IT project management files as a way of understanding where all of the company's applications -- and data -- are being administered.
Other tips for GDPR preparation included building a sustainable audit trail, tracking where data is processed in the organization and building a template for incident response that includes breach notification and can accommodate the accelerated 72-hour breach notification window under GDPR. Automating the notification process, Compert said, would simplify it, though she added that as long as it is clear the company is making an effort, there would likely be some leeway. "Regulators are reasonable folks and will work with you," she said, adding that they can answer questions and would likely be willing to collaborate with companies to be effective in protecting privacy.
Compert also demonstrated ways to automate the processes necessary for GDPR compliance, though she stressed that each company needs to come up with the practices that work for its organization. One approach Compert described is to use robotic process automation to take manual processes, like logging into a webpage or mailing a link, and automate how they are handled according to data subject rights, so the right kind of data is preserved in audit trails.