The next BriefingsDirect security market transformation discussion focuses on the implications of the European Parliament’s recent approval of the General Data Protection Regulation, or GDPR.

This sweeping April 2016 law establishes a fundamental right to personal data protection for European Union (EU) citizens. It gives enterprises that hold personal data on any of these people just two years to reach privacy compliance -- or face stiff financial penalties.

But while organizations must work quickly to comply with GDPR, the strategic benefits of doing so could stretch far beyond data-privacy issues alone. Attaining a far stronger general security posture -- one that also provides a business competitive advantage -- may well be the more impactful implication.

We've assembled a panel of cybersecurity and legal experts to explore the new EU data privacy regulation and discuss ways that companies can begin to extend these needed compliance measures into essential business benefits.
Here to help us sort through the practical path of working within the requirements of a single digital market for the EU are:
Tim Grieveson, Chief Cyber and Security Strategist, Enterprise Security Products EMEA, at
Hewlett Packard Enterprise (HPE);
David Kemp, EMEA Specialist Business Consultant at HPE, and
Stewart Room, Global Head of Cybersecurity and Data Protection at
PwC Legal. The discussion is moderated by me,
Dana Gardner, Principal Analyst at
Interarbor Solutions.
Here are some excerpts:
Gardner:
Tim, the GDPR could mean significant financial penalties in
less than two years if organizations don’t protect all of their targeted data. But
how can large organizations look at this under a larger umbrella,
perhaps looking at this as a way of improving their own security
posture?
Grieveson:
It’s a great opportunity for organizations to take a step back and
review the handling of personal information and security as a whole.
Historically, security has been about locking things down and saying no.
We need to break that mold. But this is an
opportunity, because it’s pan-European, to take a step back, look at the
controls that we have in place, look at the people, look at the
technology holistically, and look at identifying opportunities where we
can help to drive new revenues for the organization, but doing it in a
safe and secure manner.
Gardner: David, is there
much difference between
privacy and
security? If one has to comply with
a regulation, doesn’t that also give them the ability to better master
and control their own internal destiny when it comes to digital assets?
Kemp:
Well, that’s precisely what a major European insurance company
headquartered in London said to us the other day. They regard GDPR as a
catalyst for their own organization to appreciate that the records
management at the heart of their organization is chaotic. Furthermore,
what they're looking at, hopefully with guidance from
PwC Legal, is for
us to provide them with an ability to enforce the policy of GDPR, but
expand this out further into a major records-management facility.
Gardner:
And Stewart, wouldn’t your own legal requirements for any number of
reasons be bolstered by having this better management and privacy
capability?
Room: The GDPR obviously is
a legal regime. So it’s going to make the legal focus much, much greater in
organizations. The idea that the GDPR can be a catalyst for wider
business-enabling change must be right. There are a lot of people we see
on the client side who have been waiting for the big story, to get over
the silos, to develop more holistic treatment for data and security.
This is just going to be great -- regardless of the legal components -- for
businesses that want to approach it with the right kind of mindset.
Kemp:
Just to complement that is a recognition that I heard the other day,
which was of a corporate client saying, "I get it. If we could install a
facility that would help us with this particular regulation, to a
certain extent relying once again on external counsel to assist us, we
could almost feed any other regulation into the same engine."
That is very material in terms of getting sponsorship,
buy in, interest from the front of the business, because this isn’t a
facility just simply for this one, particular type of regulation.
There’s so much more that could be engaged on.
Room:
The important part, though, is that it’s a cultural shift, a mindset.
It’s not a box-ticking exercise. It’s absolutely an opportunity, if you
think of it in that mindset, of looking holistically. You can really
maximize the opportunities that are out there.
Gardner:
And because we have a global audience for our discussion, I think
that this might be the point on the arrow for a much larger market than
the EU. Let’s learn about what this entails, because not everyone is
familiar with it yet. So in a nutshell, what does this new law require
large companies to do? Tim, would you like to take that?
Protecting information
Grieveson:
It’s ultimately about protecting European citizens' private and
personal information. The legislation gives some guidance around how to
protect data. It talks about encryption and
anonymization of the information, should that inevitable breach happen, but it also talks
about how to enable a quicker response for a breach.
To
go back to David’s point earlier on, the key part of this is really
around
records management. It’s understanding what information you have
where and classifying that information. What you need to do with it is
key to this, ultimately because of the bad guys out there. In my world
as an ex-CIO and as an ex-CISO, I was always looking to try and protect
myself from the bad guys who were changing their process to monetize.
They're ultimately out to steal something, whether it be credit card information, personal information, or
intellectual property (IP).
Organizations often don’t understand what information they have where
or who owns it, and quite often, they don’t actually value that data.
So, this is a great approach to help them do that.
Gardner: And what happens if they don’t comply? This is a fairly stiff penalty.
Grieveson:
It is. Up to four percent of the parent company’s annual revenue is
exposed as part of a fine, but also there's a mandatory breach
notification, where companies need to inform the authorities within 72
hours of a breach.
We're seeing that trend going in the wrong direction. We're seeing it
getting more expensive. On average, a breach costs in excess of $7.7
million, but we are also seeing the time to remediate going up.
If we think of the
Ponemon Report,
the average time that the bad guy is inside an organization is 243
days, so clearly that’s going to be challenge for lots of organizations
who don’t know they have been breached, but also that remediation
afterwards once that inevitable breach happens, on average, globally, is
anywhere from 40 to 47 days.
This is what I
talked about with this cultural change in thinking. We need to get much
smarter about understanding the data we have and, when we have that
inevitable breach, protecting the data.
Gardner:
Stewart, how does this affect companies that might not just be based in
the EU countries, companies that deal with any customers, or supply
chain partners, alliances, the ecosystem. Give us a sense of the
concentric circles of impact that this pertains to inside the EU and
beyond?
Room: Yes, the law has global effect.
It’s not about just regulating European activities or protecting or
controlling European data. The way it works is that any entity or data
controller that’s outside of Europe and that targets Europe for goods
and services will be directly regulated. It doesn’t need to have an
establishment, a physical presence, in Europe. It targets the goods and
services. Or, if that entity profiles and tracks the activity of
European citizens on the web, they're regulated as well. So, there are
entities that are physically not in Europe.
Any entity
outside of Europe that receives European data or data from Europe for
data processing is regulated as well. Then, any entity that’s outside of
Europe that exports data into Europe is going to be regulated as well.
So
it has global effect. It’s not about the physical boundaries of Europe
or the presence only of data in Europe. It’s whether there is an effect
on Europe or an effect on European people’s data.
Fringes of the EU
Kemp:
If I could add to that, the other point is about those on the fringes
of the EU, because that is where this is originating from, places such
as Norway and Switzerland, and even South Africa, with the
POPI
legislation. These countries are not part of the EU, but as Stewart was
saying, because a lot of their trade is going through the EU, they're
adopting local regulation in order to mirror it and provide a
level playing field for their corporations.
Gardner:
And this notion of a fundamental right to personal data protection, is
that something new? Is that a departure and does that vary greatly from
country to country or region to region?
Room:
This is not a new concept. The
European data-protection law was first
promulgated in the late 1960s. So, that’s when it was all invented. And
the first European legislative instruments about data privacy were in
1973 and 1974.
We've had international data-protection legislation in place since 1980, with the
OECD, the
Council of Europe in 1981, the
Data Protection Directive of 1995. So, we're talking about stuff that is almost two generations old in terms of priority and effect.
The
idea that there is a fundamental right to data protection has been
articulated expressly within the EU treaties for a while now. So, it’s
important that entities don’t fall into the trap of feeling that they're
dealing with something new. They're actually doing something with a
huge amount of history, and because it has a huge amount of history,
both the problems and the solutions are well understood.
If
the first time that you deal with data protection, you feel that this
is new, you're probably misaligned with the sophistication of those
people who would scrutinize you and be critical of you. It's been around
for a long time.
Grieveson: I think it’s fair
to say there is other legislation as well in certain industries that
make some organizations much better prepared for dealing with what’s in
the new legislation.
For example, in the finance industry, you have
payment card industry (PCI)
security around credit-card data. So, some companies are going to be
better prepared than others, but it still gives us an opportunity as an
auditor to go back and look at what you have and where it fits.
Gardner:
Let’s look at this through the solution lens. One of the
ways that the law apparently makes it possible for this information to
leave its protected environment is if it’s properly encrypted. Is there a
silver bullet here where if everything is encrypted, that solves your
problem, or does that oversimplify things?
No silver bullet
Grieveson:
I don’t think there is a silver bullet. Encryption is about disruption,
because ultimately, as I said earlier, the bad guys are out to steal
data, if I come from a
cyber-attack point of view, and even the most sophisticated technologies can at some point be bypassed.
But
what it does do is reduce that impact, and potentially the bad guys
will go elsewhere. But remember, this isn't just about the bad guys;
it’s also about people who may have done something inadvertently in
releasing the data.
Encryption has a part to play, but
it’s one of the components. On top of that, you have technology around
having the right people and the right process, having the
data-protection officer in place, and training your business users and
your customers and your suppliers.
The encryption part
isn't the only component, but it’s one of the tools in your kit bag to
help reduce the likelihood of the data actually being commoditized and
monetized.
Gardner: And this concept of the
personally identifiable information (PII),
how does that play a role, and should companies that haven't been using
that as an emphasis perhaps rethink the types of
data and the types of identification with it?
Room: The idea of PII is known to US law. It lives
inside the US legal environment, and it’s mainly constrained to a number
of distinct datasets. My point is that the idea of PII is narrow.
The
[EU] data-protection regime is concerned with something else, personal data.
Personal data is any information relating to an identifiable living
individual. When you look at how the legislation is built, it’s much,
much more expansive than the idea of PII, which seems to be around
name, address, Social Security number, credit-card information, things
like that, into any online identifier that could be connected to an
individual.
The human genome is an example of personal
data. It’s important that listeners in a global sense understand the
expansiveness of the idea or rather understand that the EU definition of
personal data is intended to be highly, highly expansive.
Gardner: And, David Kemp, when we're thinking about where we should focus our efforts first, is this primarily about
business-to-consumer (B2C) data, is it about
business to business (B2B), less so or more so, or even internally for
business to employee (B2E)?
Is there a way for us to segment and prioritize among these groups as
to what is perhaps the most in peril of being in violation of this new regulation?
Commercial view
Kemp:
It’s more a commercial view rather than a legal one. The obvious
example will be B2C, where you're dealing with a supermarket like
Walmart in the US or
Coop or
Waitrose in Europe, for example. That is very clearly my personal information as I go to the supermarket.
Two weeks ago I was listening to the head of privacy at
Statoil,
the major Norwegian energy company, and they said we have no B2C, but
in fact, even just the employee information we have is critical to us
and we're taking this extremely seriously as the way in which we manage
that.
Of course, that means this applies to every
single corporate, that it is both an internal and an external
aggregation of information.
Grieveson: The
interesting thing is, as digital disruption comes to all organizations
and we start to see the proliferation and the tsunami of data being
gathered, it becomes more of a challenge or an opportunity, depending on
how you look at that. Literally, the new [business] perimeter is on your mobile
phone, on your cellphone, where people are accessing cloud services.
If I use the
British Airways
app, for example, I'm literally accessing 18 cloud services through my
mobile phone. That then, makes it a target for that data to be gathered.
Do I really understand what’s being stored where? That’s where this
really helps, trying to formalize what information is stored where and
how it is being transacted and used.
Gardner: On
another level of segmentation, is this very much different for a
government, or public organization, versus a private? There might be some
vertical industries like finance or health, where they've become accustomed to
protecting data, but does this have implications for the public sector
as well?
Room: Yes, the public sector is
regulated by this. There's a separate directive that’s been adopted to
cover policing and law enforcement, but the public sector has been in
scope for a very long time now.
Gardner: How
does one go about the solution on a bit more granular level? Someone
mentioned the idea of the data-protection officer. Do we have any
examples or methodologies that make for a good approach to this, both at
the tactical level of compliance but also at the larger strategic level of a
better total data and security posture? What do we do, what’s the idea
of a data-protection officer or office, and is that a first step -- or how
does one begin?
Compliance issue
Room:
We're stressing to entities that data [management] view. This is a compliance issue,
and there are three legs to the stool. They need to understand the
economic goals that they have through the use of data or from data
itself. So, economically, what are they trying to do?
The
second issue is the question of risk, and where does our risk appetite
lie in the context of the economic issues? And then, the third is
obligation. So, compliance. It’s really important that these three
things be dealt with or considered at the very beginning and at the same
time.
Think about the idea simply of risk management.
If we were to look at risk management in isolation of an economic goal,
you could easily build a technology system that doesn’t actually deliver
any gain. A good example would be personalization and customer
insights. There is a huge amount of risk associated with that, and if
you didn’t have the economic voice within the conversation, you could
easily fail to build the right kind of insight or personalization
engine. So, bringing this together is really important.
Once
you've brought those things together in the conversation, the question
is what is your vision, what’s your desired end-state, what is it that
you're trying to achieve in light of those three things? Then, you build
it out from there. What a lot of entities are doing is making tactical
decisions absent the strategic decision. We know that, in a tactical
sense, it’s incredibly important to do data mapping and data analysis.
We feel at PwC that
that’s a really critical step to take, but you want to be doing that
data mapping in the context of a strategic view, because it affects the
order of priority and how you tackle the work. So, some non-obvious
matters will become clearer than data mapping might be if you take the
proper strategic view.
A specific example of that would
be complaint handling. Not many people have complaint handling on the
agenda -- how we operate inside the call center, for instance. If people
are cross, it's probably a much more important strategic decision in
the very beginning than some of the more obvious steps that you might
take. Bringing those things forward and having a desired vision for a
desired end-state will tell you the steps that you want to take and
mold.
Gardner: Tim, this isn’t something you buy
out of a box. The security implications of being able to establish that a
breach has taken place in as little as 72 hours sounds to me like it
involves an awful lot more than a product or service. How should one approach this
from the security culture perspective, and how should one start?
Grieveson:
You're absolutely right. This is not a single product or a point
solution. You really have to bake it into the culture of your
organization and focus not just on single solutions, but actually the
end-to-end interactions between the user, the data, and the application
of the data.
If you do that, what you're starting to
look at is how to build things in a safe, secure manner, but also how do you
build them to enable your business to do something? There's no point in
building a data lake, for example, and gathering all this data unless
you actually have from that data some insight, which is actionable and
measured back to the business outcomes.
I actually
don't use the word “security” often when I am talking to customers. I'll
talk about "protection," whether that's protection of revenue or growing
new markets. I put it into business language, rather than using
technology language. I think it’s the first thing, because that puts
people off.
What are you protecting?
The
second thing is to understand what is it that you're going to protect
and why, where does it reside, and then start to build the culture from
the top down and also from the bottom up. It’s not just the data
protection office's problem or issue to deal with. It’s not just the CIO
or the CISO, but it’s building a culture in your organization where it
becomes normal everyday business. Good security
is good business.
Once
you've done that, this is not a project; it’s not do it once and forget
it. It’s really around building a journey, but this is an evolving
journey. It’s not just a matter of doing it, getting to the point where
you have that check box to say, yes, you are complying. It’s absolutely
around continuing to look at how you're doing your business, continuing
to look at your data as new markets come on or new data comes on.
You
have to reassess where you are in this structure. That’s really
important, but the key thing for me is that if you focus on that data
and those interactions, you have less of a conversation about the
technology. The technology is an enabler, but you do need a good mix of
people, process, and technology to deliver good security in a
data-driven organization.
Gardner: Given that this
cuts across different groups within a large organization that may not
have had very much interaction in the past -- given that this is not just
technology but process and people, as Tim mentioned -- how does the
relationship between HPE and PwC come together to help organizations
solve this? Perhaps, you can describe the alliance a bit for us.
Kemp:
I'm a lawyer by profession. I very much respect our ability to
collaborate with PwC, which is a global alliance [partner] of ours. On the basis
of that, I regard Stewart and his very considerable department as
providing a translation of the regulation into deliverables. What is it
that you want me to do, what does the regulation say? It may say that
you have to safeguard information. What does that entail? There are
three major steps here.
One is the external counsel guidance translating what the regulation means into a set of deliverables.
Secondly,
a privacy audit. This has been around in terms of a cultural concept
since the 1960s. Where are you already in terms of your management of
PII? When that is complete, then we can introduce the technology that
you might need in order to make this work. That is really where HPE comes in. That’s the sequence.
Then, if we just look
very simply at the IT architecture, what’s needed? Well, as we said
right at the beginning, my view is that this is under the records management coherence strategy in an organization. One
of the first things is, can you connect to the sources of data around
your organization, given that most entities have grown up by acquisition
and not organically? Can you actually connect to and read the
information where it is, wherever it is around the world, in whatever
silo?
For example, Volkswagen had a little
problem in relation to diesel emissions,
but one of the features there is not so much how do they defend
themselves, but how do they get to the basic information in many
countries as to whether a particular sales director knew about this
issue or not.
Capturing data
So,
connectivity is one point. The second thing is being able to capture
information without moving it across borders. That's where [data] technology,
which handles the metadata of the basic components of a particular piece
of digital information, [applies] and can [the data] be captured, whether it is structured or
unstructured. Let’s bear in mind that when we're talking about data, it
could be audio or visual or alphanumeric. Can we bring that together and
can we capture it?
Then, can we apply rules to it? If
you had to say in a nutshell what is HPE doing as a collaboration with
PwC, we're doing policy enforcement. Whatever Stewart and his
professional colleagues advise in relation to the deliverables, we are
seeking to effect that and make that work across the organization.
That's
an easy way to describe it, even to non-technical people. So, General
Counsel, Head of Compliance or Risk, they can appreciate the three steps of
the legal interpretation, the privacy audit, and then the architecture.
Then, second, this building up of the acquisition of information in
order to be able to make sure that the standards that are set by PwC
are actually being complied with.
Gardner:
We're coming up toward the end of our time, but I really wanted to get
into some examples to describe what it looks like when an
organization does this correctly, what the metrics of success are. How
do you measure this state of compliance and attainment? Do
any of you have an example of an organization that has gone through many
of these paces, has acquired the right process, technology and culture,
and what that looks like when you get there?
Room:
There are various metrics that people have put in place, and it depends
which principles you're talking about. We obviously have security,
which we've spoken about quite a lot here, but there are other
principles: accuracy, retention, delete, transfers, and on and on.
But
one of the metrics that entities are putting in, which is non-security
controlled, is about the number of people who are successfully
participating in training sessions and passing the little examination at
the very end. The reason that
key performance indicator (KPI)
is important is that during enforcement cases, when things go wrong --
and there are lots and lots of these cases out there -- the same kind of
challenges are presented by the regulators and by litigants, and that's
an example of one of them.
So, when you're building
your metrics and your KPIs, it's important to think not just about the
measures that would achieve operational privacy and operational
security, but also think about the metrics that people who would be
adverse to you would understand: judges, regulators, litigants, etc.
There are essentially two kinds of metrics, operational results metrics,
but also the judgment metrics that people may apply to you.
Gardner:
At HPE, do you have any examples or perhaps you can describe why we think
that doing this correctly could get you into a better competitive
business position? What is it about doing this that not only allows you
to be legally compliant, but also puts you in an advantageous position in a
market and in terms of innovation and execution?
Biggest sanction
Kemp:
If I could quote some of our clients, especially in the Nordic Region,
there are about six major reasons for paying strict and urgent attention
to this particular subject. One of them, listening to my clients, has
to do with compliance. That is the most obvious one. That is the one
that has the biggest sanction.
But there are another
five arguments -- I won't go into all of them -- which have to do with
advancement of the business. For example, a major media company in
Finland said, if we could only be able to say on our website that we
were GDPR-compliant that would increase materially the customer belief
in our respect for their information, and it would give us a market
advantage. So it's actually advancing the business.
The
second aspect, which I anticipated, but I've also heard from
corporations, is that in due course, if it's not here already, there might
be a case where governments would say that if you're not GDPR
compliant, then you can’t bid on our contracts.
The
third might be, as Tim was referring to earlier, what if you wanted to
make best use of this information? There’s even a possibility of
corporations taking the PII, making sure it's fully anonymous or
pseudo-anonymized, and then mixing it with other freely available
information, such as Facebook, and actually saying to a customer, David,
we would like to use your PII, fully anonymized. We can prove to you
that we have followed the PwC legal guidance. And furthermore, if we do
use this information and use it for analytics, we might even want to pay
you for this. What are you doing? You are increasing the bonding and
loyalty with your customers.
So, we should think about
the upsides of the business advancement, which ironically is coming out
of a regulation, which may not be so obvious.
Gardner:
Let’s close out with some practical hints as to how to get started,
where to find more resources, both on the GDPR, but also how to attain a better data privacy
capability. Any thoughts about where we go to begin the process?
Kemp: I would say that in the public domain, the EU is extremely good at
promulgating information about the regulation itself coming in and
providing some basic interpretation. But then, I would hand it on to
Stewart in terms of what PwC Legal is already providing in the public
domain.
Room: We have two accelerators that we've built to help entities go forward. The first is our
GDPR Readiness Assessment Tool (RAT), and lots of multinationals run the RAT at the very beginning of their GDPR programs.
What
does it do? It asks 70 key questions against the two domains of
operation and legal privacy. Privacy architecture and privacy principles
are mapped into a maturity metric that assesses people’s confidence
about where they stand. All of that is then mapped into the articles and
recitals of the GDPR. Lots of our clients use the RAT.
The second accelerator is the
PwC Privacy and Security Enforcement Tracker.
We've been tracking the results of regulatory cases and litigation in
this area over many years. That gives us a very granular insight into
the real priorities of regulators and litigants in general.
Using those two tools at the very beginning gives you a good insight into where you are and what your risk priorities are.
Gardner: Last word to you, Tim. Any thoughts on getting started -- resources, places to go to get on your journey or further along?
The whole organization
Grieveson:
You need to involve the whole organization. As I said earlier on, it’s
not just about passing it over to the data-protection officer. You need
to have the buy-in from every part of the organization. Clearly, working
with organizations who understand the GDPR and the legal implications,
such as the collaboration between PwC and HPE, is where I would go.
When
I was in the seat as a CISO, I'm not a legal expert, so one of the first
things that I did was go and get that expertise and brought it in.
Probably the first place I would start is getting buy-in from the
business and making sure that you have the right people around the table
to help you on the journey.
Sponsor: Hewlett Packard Enterprise.