Changes to GDPR and Implications on Security & Risk Management

Europe takes data seriously. The introduction of GDPR significantly strengthened protections for data owners and increased the penalties for data holders who didn’t take sufficient care of, or who knowingly abused the data in their custody.

It is vital that any organization handling data concerning subjects within the EU 27 nations – even if that organization is based outside of the EU – performs impact assessments, risk assessment and mitigation, in accordance with article 35 of the GDPR regulations.

However, GDPR is far from the only set of regulations that organizations must bear in mind when formulating their protocol for managing data – and, with regulations changing on a frequent basis, they must ensure that any measures they put in place keep up.

“Risk management does not alter rights or obligations,” said the Centre for Information Policy Leadership. “Rather, it is a valuable tool for calibrating the implementation of and compliance with privacy requirements, prioritizing action, raising and informing awareness about risks [and] identifying appropriate mitigation measures.”

Risk management and firms & security

Businesses rely on data. They need to collect, store, analyze and manipulate it in their daily operations. It’s not realistic, therefore, for any organization to overlook the need for a comprehensive risk management strategy. They must consider whether they are gathering an appropriate amount of data, and whether they could achieve their goals while collecting less data – and thus reducing any risk of non-compliance, and the amount of work involved in staying within current regulations.

It’s essential that they audit any external partners on which they rely, so they are always aware of where their data resides at rest, and the routes it takes as it moves from one place to another. Are endpoints, including servers and laptops, adequately protected? Are removable drives a weak point, and are appropriate ELT processes in place to ensure data is transported between platforms in a secure manner?

Infrastructure and data flow

With organizations increasingly relying on SaaS and PaaS they must, to a degree, rely on third parties to be responsible actors on their behalf. However, in selecting service providers they still have a responsibility to ensure that wherever the data resides, and whichever paths it follows, doesn’t expose the data controller – the organization that ‘owns’ it – to risk of non-compliance. Fortunately, all major SaaS and PaaS providers are aware of their obligations in this area and understand that failure on their part where one client is concerned can have a detrimental impact as other clients look elsewhere.

DevOps and data

Is data security a core consideration in the organization’s DevOps strategy? If not, why not? DevOps not only shortens development cycles, but makes them iterative, so it’s essential that as the systems that emerge from the DevOps process evolve, they remain compliant. As such, compliance with changing regulations should be at least as strong a driver of change as native business requirements. If not, it risks the viability of the organization as a whole.

Tools that can assist with data risk management

Largely using bullets, this section will look at the various tools that organizations can use to manage their risk where data is concerned. This will include measures that need to be implemented to comply with existing legislation, such as pseudonymisation and defined processes for opting out, data inspection and removal. It will also point to specific data risk management tools, such as IBM Data Risk Manager, and common business practices, including SWOT analysis, establishing a risk register, and using a probability and impact matrix to assess and grade potential issues, and devise strategies for mitigation.

Vulnerabilities, and reducing risk

Roughly a quarter of incoming bug reports received in one bounty scheme could impact consumer data, and thus put any organization running the associated apps at risk of non-compliance with European data regulations. This would not be considered a mitigating circumstance, and neither would many other situations in which an organization found itself to have been exposed by its suppliers.

However, where penalties can be harsh, being able to demonstrate that an organization has taken every reasonable step to audit its processes, systems and infrastructure demonstrates responsible custodianship, and will likely count in the organization’s favor. In this section, we will look at other measures an organization can take on an ongoing basis so that, should it be found to have breached any requirements, it can make an effective best-faith argument.