You Got It Wrong. GDPR Is A Data Protection Problem More Than A Privacy One

How many times does the word privacy appear in the EU’s General data protection regulation? You may think it would appear a couple of dozens, or at least 10. Apparently, the actual number is a big, round zero.

According to Merriam-Webster dictionary, privacy is “freedom from unauthorized intrusion,” which resonates well within the GDPR. However, the fundamental pillar of the GDPR is data protection by design (which appears six times in the regulation), so preventing unauthorized access is a mere requirement of a broader set of requirements.

In many cases, it is not clear who is the one in charge of GDPR compliance inside the company. Some companies will let their lawyers document and define new processing, while some will hire a CPO (Chief Privacy Officer) and let him handle it, or even assign this issue to the legal teams. The truth is, GDPR is a joint effort across departments and management team. Yet in a case of data breach, with unprecedented fines reaching up to 4% of the company’s annual revenue, the CEO is going to call the CISO first.

The CISO is a key stakeholder, who has the access to all of the data and security controls. Security teams are the most experienced in implementing and maintaining data protection systems and they are the most fitted in introducing new technologies emerged from the GDPR.

GDPR closes the gap between IT and cyber-security teams to the core business.

A research done in our team shows that the vast majority of organizations don’t know where their critical data assets reside. One of the key problems is that the people who are liable to protecting critical business data assets, are not sure exactly what this data even looks like. For instance, a CISO of a financial research organization might not be able to tell which document is considered a trade secret and which describes common knowledge.

Furthermore, Data Protection Impact Assessment (DPIA) must be done whenever new data is processed. DPIA is the requirement to “implement appropriate technical and organizational measures… and … integrate the necessary safeguards” (Article 25). DPIA is a clear joint effort between the compliance, IT and security teams.

Data Subject Rights are the by-product of sound data security framework.

According to a research conducted by Crowd Research Partners, based-on input from 530 global cyber security experts, 49% of the participants answered that their first GDPR initiative is to establish an inventory of user data and map it to protected EU GDPR categories.

Customers details are often considered one of the most critical data assets in many industries, such as health and financial sectors. But frankly, how many security teams are confident that there are no sensitive excel spreadsheets — containing customers’ information — within the HR department?

The GDPR grants customers the right to know what data is collected on them and even to delete data records. The GDPR requires security professionals to rethink data security, from defending against malicious actors to securing data at its source. Once a comprehensive visibility to sensitive data assets is established, data subject rights can be fully exercised.

GDPR sets a new standard in case of a security breach.

Article 33 of the GDPR states that, whenever feasible, a breach notification to the relevant data protection authority (DPA) will be no later than 72 hours after the breached party is aware of the incident. Affected clients may also be notified in case that “data breach is likely to result in a high risk to the(ir) rights and freedoms.”

A data breach is one of the worst things that could happen to a company today. Setting a notification timeline is a new bar for data security. For instance, Uber’s data breach, which affected 57 million people, happened in October 2016, but was only disclosed in November 2017.

New technology is required.

The GDPR PII is defined as “any information relating to an identified or identifiable natural person”, so “John Doe from the Acme cooperation” is now a PII. This create a new challenge for security teams and data protection officers (DPOs).

Moreover, data proliferation and endless data types in isolated data silos take an immense effort from stakeholders. Together with the cyber-security skill-gap and the ever-growing demand to better IT security — a new generation of technology is now emerging. Actionable Cognitive Computing might be a better method for achieving comprehensive GDPR compliance in days, not months.

About Cognigo:
Cognigo helps leading organizations to achieve GDPR compliance in days, not months — through Cognitive Computing. Cognigo is the first and only solution to combine AI-powered PII recognition, privacy management, automated policy enforcement and GDPR-questionnaires.