GDPR has become a major focus for a majority of organizations. Whether it has been extensive business process mapping, understanding the purposes of personal data, or even defining what is in scope, the effort has been challenging and time-consuming.
The fear of large fines, as well as the potential financial impact of losing customer trust, has been driving compliance. Now, nearly three months past the May 25, 2018 effective date, what could possibly be next, and what should information security practitioners focus on to be ready and to keep the rest of the organization prepared so they are not scrambling?
In this article, we’ll cover the following:
- New threat modeling opportunities
- Right to be forgotten considerations
- A privacy by design challenge
- The Data Protection Officer (DPO) role
- Data minimization adaptation
New Threat Modeling Opportunities
Threat modeling is about building models of a system and using those models to think through what is going to go wrong. Because GDPR has required organizations to map their business processes to understand what personal data they hold and where it is housed, much of the groundwork for threat modeling (an inventory of data and the flows that carry it) already exists, and security teams can build on it rather than starting from a blank page. “Now that we have these data flows, organizations are spinning up large threat modeling initiatives. Security professionals can better structure these activities by taking advantage of all of the work that has been done. They can be more strategic, and add a lot more value,” says Adam Shostack, Founder, Shostack and Associates. “It gets security professionals to say here is the data, and here is where the threats are. This has the potential to transform how security works, from a tactical function to a strategic, risk-driven activity.”
Right To Be Forgotten Considerations
The right to be forgotten presents many challenges, from knowing what data is held and where it is, to actually erasing the data from every source. Prepared organizations have implemented processes for complying with this principle, but what happens if an impostor requests the deletion of someone else's personal information? An erasure request is, in effect, a destructive operation on another person's account, so it needs the same identity verification as any other sensitive account change. “What if a company erases my information, but it wasn’t me who requested it to be removed,” says Sean Atkinson, CISO at the Center for Internet Security. “We may see the need to implement two-factor authorization, by verifying access to an email address, or providing a code from a text message.” Also to be considered: what if a company fulfills a request, but the erased information later turns out to relate to criminal activity and is requested by law enforcement? “I’m not sure we’ve seen the full impact yet of when data is requested for this purpose, yet it has already been removed,” Atkinson believes.
A Privacy By Design Challenge
While privacy professionals may have a good understanding of the privacy by design requirement (GDPR Article 25, data protection by design and by default), it is a new concept for most individuals. Privacy has traditionally been an afterthought, and not a functional or non-functional requirement for companies when beginning new initiatives. From individuals designing a new business process to SDLC teams, privacy by design has to be understood, and for that understanding there must be adequate training. “GDPR is not about information security, it is about privacy,” Atkinson says. “The privacy by design requirement has to be integrated appropriately. The training requirement is going to be new.” Information security practitioners should make sure they not only understand the concept of privacy by design but know how to apply it effectively to their specific function, for example by treating the personal data a new system collects, and the justification for each element, as a requirement that is reviewed alongside the security requirements.
The DPO Role
The Data Protection Officer (DPO) role is extremely challenging in that it is all-encompassing. The appointed individual needs an understanding from the perspective of many departments, such as legal, technology, compliance, audit, and training. “The DPO must be trained from an organizational perspective as well as an industry best practice perspective. This is a tall order because there is a lot of consuming and processing of information,” explains Atkinson. “This is going to be a challenge for all sizes of organizations, even larger ones with teams of individuals in place.” The DPO must be continuously educated to understand each practice area and stay abreast of necessary changes as companies begin to see enforcement of GDPR. Information security practitioners supporting the DPO will need to keep him or her informed on a continuous basis, in particular about the technical controls that back the organization's privacy commitments and about any incident that may trigger a breach notification.
Data Minimization Adaptation
Data minimization, limiting the collection and storage of personal data to what is necessary in relation to the purposes for which it is processed, has created a challenge for information security practitioners and business people alike. An example is a fraud management system, which at times captures hundreds of data points on every customer. Certain data elements may no longer pass as necessary under GDPR; they must no longer be captured, and must be erased from historical records. “From what I’ve seen, it turns out that in fraud management usually, only a small number of data points are important,” Shostack says. “The difficulty will be changing our business practices and adjusting to those changes.” As regulators begin strict enforcement, the set of elements that must be justified or dropped could grow, requiring employees to keep adapting.
Although it remains to be seen which requirements regulators will emphasize most, the topics covered here should help information security practitioners and their organizations prepare for what comes next.