As you put together your governance, risk and compliance (GRC) framework, are you thinking about how the General Data Protection Regulation (GDPR) fits in? I’ve talked about GDPR a lot over the past year – the adoption is now just four months away! – but I’m surprised by the number of people I’ve spoken with who still think GDPR is just a European Union issue and American companies don’t need to bother.
So I talked to a few people about why GDPR has to be part of your GRC framework. Hyoun Park, CEO and principal analyst with Amalgam Insights, explained to me in an emailed comment:
GDPR expands the scope of personal data that needs to be protected, increases the company’s responsibility to delete and transfer personal data at the individual’s request, and forces the company to quickly alert both the European Union and all affected individuals in the case of a data breach. Because it affects all European Union citizens, regardless of location, GDPR in effect becomes a global data governance standard for any company seeking to do significant business in Europe.
GDPR will add another layer of rules and regulations that will have to be evaluated and followed for anyone who does any business within the EU – and that includes the European customer whose only contact with you is through your website. Ignoring GDPR and not making it a part of your GRC framework could have devastating results, as Park reminded me:
The formal consequences are fines of the higher of either 20 Million Euro or 4 percent of annual global revenues, which could be crushing even to companies like Apple, Samsung, Visa, Mastercard, or Facebook that could be affected by these regulations. But in addition, there is also the brand damage that can be created through a well-publicized breach.
Chris Gray, VP of Enterprise Risk and Compliance with Optiv, told me that GDPR spans all three GRC components and is an example of the new framework style that tells organizations what they must do, but not how to do it. He added that there are three core business areas whose integrated efforts are necessary to achieve GDPR compliance: legal definitions, IT capabilities and security requirements.
- Legal definitions: This includes defining what’s in the scope of GDPR, where a company has vulnerabilities and whether data is being used properly, along with making sure everything is in order from a contracts standpoint.
- Information Technology capabilities: IT systems, services and technology must be configured to protect customer data and be in compliance with outlined regulations.
- Security requirements: Security systems need to be able to quickly mitigate breach risk. This is best achieved by concentrating efforts related to six key cybersecurity pillars – data governance, data classification, data discovery, data access, data handling and data protection.
As Gray stated:
Legal, IT and security teams must work together to determine their risk profile, define processes and security controls based on the associated risk, demonstrate compliance, and put governance practices in place to validate GRC and security strategies on a continuous basis.
Have you added GDPR to your GRC framework? The clock is ticking.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba