Managing the risks of compliance
Organisations required to comply with the EU’s General Data Protection Regulation (GDPR) should by now be seriously examining how their processes match up to the Regulation’s requirements – if they do at all. The GDPR is a complex beast, though, and while it’s quite clearly written and there are blogs aplenty to explain some of its finer points, there is still something of a knowledge vacuum regarding the bigger picture.
There has been a lot of focus on the detail of the Regulation: how do we secure informed consent? Do we need a data protection officer? How should we handle breach notifications? Meanwhile, however, discussions around the broader issues of compliance talk about how the organisation needs technical and organisational measures but lack any real examination of what that means or how they contribute to overall compliance.
The simple fact is that compliance is about more than just the detail. Ideally, it is managed by a data protection compliance framework that ensures the organisation not only complies with the GDPR, but also continues to comply and to adapt its various measures to meet the latest challenges.
Compliance is a lifecycle
To really ensure personal data is protected in the long term, you need to be certain that your organisation takes a lifecycle approach. The Regulation itself recognises this in its insistence on two key elements: data protection impact assessments (DPIAs), and data protection by design and by default. These assert that there is a duty to ensure that data protection is accounted for before the organisation even takes possession of the personal data.
For organisations that have a data protection officer (DPO), there is the further requirement for the DPO to “have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.” In conjunction with the importance of the DPO, this highlights how critical it is to predict how personal data could come to harm: the organisation is expected to understand, before even receiving personal data, how to protect it from damage, loss and disclosure.
Furthermore, personal data will also need to be protected from the organisation itself. That is, you need to ensure there are blocks in place to prevent your organisation from further processing the information without authorisation. In line with the principle of purpose limitation, the organisation will need to be sure that personal data is not at risk of being misused by the company itself.
These elements are matters of risk management: identifying the risks to personal data before they occur and taking steps to avoid or mitigate those risks. Within the GDPR, the primary concern is “risks to the rights and freedoms of data subjects”, which is a phrase that should chill the heart of anyone charged with compliance. Under the Regulation, the steepest fines (up to €20 million or 4% of the organisation’s annual global turnover) apply to breaches of the requirements directly related to data subjects’ rights.
Best-practice risk management
In order to protect personal data, of course, you need to understand how that data can be harmed. The scale of the GDPR’s administrative fines should be warning enough that simply building a system and assuming you can patch any errors later would be foolish – you need to take a systematic approach to determining potential harm.
We often talk about ISO 27001 as a best-practice approach to data protection and information security, and it’s no coincidence that the Standard demands rigorous risk management. ISO 27001’s methodology for risk management is based on principles that have been tried and tested, and are appropriate to all organisations. They are not overly prescriptive, so any business could reasonably follow them, and can be adapted to blend in with a broader risk management programme.
Risk assessment is the process of identifying risks, tallying them against a set of defined criteria, determining your response on the basis of those criteria, and then selecting appropriate controls to treat them. It’s not a new concept for most businesses – almost all organisations weigh up risks, whether consciously or not – but ensuring it is adequately systematic and effective could be novel.
Risk assessments also need to take regulatory, legal and contractual requirements into account. In addition to whatever GDPR obligations you might have – and how the risk assessment ties into DPIAs and data protection by design and by default – your risk assessments should recognise the risk of non-compliance itself. In many instances, just like the GDPR, these obligations feed into risk management. For example, organisations that bid for UK government contracts involving the handling of sensitive information will need to ensure they apply the five information security controls in the Cyber Essentials scheme; organisations that do business with branches of the US federal government may need to apply the controls from NIST SP 800-53; and so on.
This brings us to a valid point about the treatment of risks in relation to the GDPR: that the controls should be appropriate to the organisation. Businesses that don’t take data protection seriously are likely to pay lip service to risk management and simply use whatever default set of controls they come across, relying on them for all of their needs. Sensible organisations, however, will consider the controls and control sets on the basis of their specific environment. For instance, it would be remiss for a Cloud service provider to ignore the Cloud Security Alliance’s Cloud Controls Matrix (CSA CCM).
All of these controls need to be planned, catalogued and tracked in order for the risk management programme to be successful. This is important both for the purposes of following up on your decisions to determine how effective they are and as evidence of your efforts to secure personal data. In determining the scale of administrative fines, the GDPR instructs supervisory authorities to take into account “any action taken by the controller or processor to mitigate the damage suffered by data subjects” as well as the technical and organisational measures that have been implemented. Having a formal, effective risk management programme founded on best practice isn’t just an argument for risk management professionals, it’s a sensible approach to business.
It is important to remember that risk management is not just a tick-box exercise in compliance: it is a crucial practice to protect not just data subjects, but also your organisation. Beyond the damage that fines for breaches of the GDPR could lead to, organisations face the prospect of other fines from regulators and civil suits, further damage to their reputation, and potential repercussions from partners and suppliers.
If you would like to find out more about the risk assessment process, please download our free white paper 5 critical steps to successful ISO 27001 risk assessments >>