With the arrival of the EU’s General Data Protection Regulation (GDPR) at the latest, compliance can no longer be treated as an exercise imposed from outside: it is business-critical. How does company management approach a compliance and data protection project so that it becomes a success? Ideally, as a piece in four parts: not one to be performed just a single time, but one to be understood as a cycle.
Business-critical topics are management issues. Ergo, compliance is a management issue. That’s because data breaches, or IT systems brought to a standstill by successful attacks, rapidly put the company’s success at risk. Added to that, only the company management can bring a compliance project to long-term success: such projects should never be ‘just’ in the hands of a single department such as IT, Legal/Compliance or data protection. Rather, these specialists need to work across departments, since all of them contribute to the solution.
But how does an organisation best approach the highly complex issue of data protection compliance? By structuring it into four sub-areas that interlock with one another: Part 2 builds on the outcomes from Part 1, and so on. It is also important to take on board that the job is not done by running through this four-part piece a single time. Rather, it needs to be understood as a cycle that is played through end to end again whenever something has changed in terms of the corporate risks: if, for example, there is an emerging need for new data collections containing personal (customer) data, or if internal IT systems are to be made accessible via the internet (and the Internet of Things cheerfully pops into view at this point).
The four parts mentioned above can be described as follows:
“Ascertain” (Step 1) means recording the critical data inventories (personal data, research & development, finance and so on) in the company, and classifying these inventories into “protection-worthy” and “less relevant, from the data protection viewpoint”. In addition to entries in customer databases, office documents (text, tables, presentations etc.) and e-mail content, the inspection should also cover photos, security camera recordings and HR databases. To that end, IT specialists absolutely need to collaborate with the various specialist departments in order to locate all of the data.
The findings from Step 1 should flow into the creation of a Data Governance Plan, so that the data can be “controlled” (Step 2). Meaning: the Plan needs to set down who is allowed to access which data, when, and for what purpose, and what happens if datasets need to be deleted. That could be the case, for instance, because a customer invokes the right to erasure anchored in the GDPR.
Step 1 determines what needs to be “protected” in Step 3. What that protection looks like in the individual case is best determined by a gap analysis; there is more on this in our blog article. Typical current mechanisms for protecting the data include password rules, encryption of data at rest and in transit, fast installation of security updates, and continuous evaluation of log files.
In order to be able to “report” possible data breaches (Step 4), it is not enough just to know what constitutes the critical data. There also need to be mechanisms that record the actions (creation, access, forwarding, deletion) associated with the data to be protected. This is because, in the worst case, the customers affected need to be notified and need to know exactly which critical data is now in the hands of unauthorised third parties. The more detailed the internal reporting system, the better incidents can be prevented in future, because previously unknown storage locations (Step 1) or vulnerabilities (Steps 2 and 3) have been identified. That completes the circle.