Personal data protection in 2018 and beyond: Q&A with Doug Snow

Kelly O’Dwyer-Manuel    ·      Thursday, August 2nd, 2018

Recently, Titus hosted an ISACA webinar, where Doug Snow, Vice President of Customer Success discussed how to achieve sustained GDPR compliance. Doug provided a number of ways organizations can get executive buy-in and sponsorship, engage and empower end users through change management, and tips for data discovery and mapping.

The audience asked so many great questions that we didn’t have time to answer them all, so we sat down with Doug to address some of the most common questions here.

Do you foresee a GDPR-like regulation being put into place in the US?

Yes, you can count on it. We’re already seeing increased data privacy and protection regulations coming into play in the US: The New York Department of Financial Services (NYDFS) Cybersecurity regulation, and the California Consumer Privacy Act (CCPA) have been introduced and the CCPA went through the legislature in record time. Although we may not see things move as quickly at the national level, there is certainly discussion around the importance of personal data protection.

GDPR set the standard for personal data protection regulations, and the emerging regulations globally reflect the same functional requirements.

With the increasing presence of automation, what are some of the core concerns for data security?

Automation plays an important role in all information security practices, including classification, so it’s entirely possible to categorize metadata objects based on context, such as your directory or information about the type of file. However, it’s important to involve end users because there are many instances where a machine cannot accurately determine the sensitivity of the material.

You will absolutely be putting more automation into your data security programs, but you can’t take the human element out of the picture completely. As I discussed in the webinar, humans will be integral to refining the algorithms being used as people make decisions about sensitivity of data and lead to fewer false positives.

Why can’t an organization encrypt everything? Would that not lead to GDPR compliance?

If we could encrypt everything and still get work done, it would have been done already. We can’t do it yet. During the webinar, I mentioned a great paper, “Why Johnny Still, Still Can’t Encrypt: Evaluating the Usability of a Modern PGP Client”, that outlines the challenge in sharing the key to encrypted data.

Usability of encryption across systems is still challenging and, given that we invested in information security to enable business to move faster, the last thing you want is to introduce the frustrations with trying to handle encrypted or locked documents. You’ve lost the value of electronic information, the speed of information technology and you’ve impaired the business. So, while encryption is the first thing that comes to mind for a lot of folks, it’s not a practical solution to solve the whole problem. You must encrypt the sensitive material, but only the sensitive material and you need to know the classification first to accomplish that action.

Is there a trust badge for companies that can be shared on their platforms or websites to state that they are GDPR compliant?

I think that’s a brilliant idea to be able to have a third-party authority that can measure your trustworthiness. After all, it’s a competitive differentiator. But the exact definition of GDPR compliance is still evolving so it might not be possible to achieve that badge yet in today’s world.

Perhaps in the future there will be auditors that can validate that you’ve implemented classification, controls, and cultural change (all reportable), that can be tidily displayed in a scorecard or some attestation of your organization’s level of trustworthiness. I would start with a maturity model. There are many emerging around privacy, including the CMMI Cybersecurity Maturity Model. As you advance in maturity, you can earn badges.

How do I commence the process of effective data classification in my organization?

The most important thing to do is to have all end users start classifying newly created and recently accessed content from this day forward. It isn’t practical or physically achievable to freeze frame an organization and try to discover all its content, the meaning of the content, and apply a classification level to it. The grounds will be shifting under your feet as users are creating new content 24/7 around the globe.

Deploying a tool like Titus Data Classification is done in conjunction with a few other steps:

You need to have an agreed-upon classification schema that’s been accepted as policy inside the organization and shared across business units. This should be part of an information security policy that addresses the handling procedures and provides guidance on the controls you can put in place.

Most importantly, though, is communication with your user base. Let them know the importance of classification, how you’ll be using it, and what the benefits are to them and the business. This really is a change management initiative – driving a security culture, with privacy built in by design and default.

Based on your experience, what is the duration of a data-mapping classification program, and what are the pitfalls?

Like any project, the speed a project gets deployed depends on the ability to make decisions. Once you have your decisions made, you know what you want your classification schema to look like, and you have the right approvals, deploying a tool can be as fast as you can physically get it out there.

In terms of pitfalls, one of the most important things to watch for is the dependency on default classifications. It’s tempting not to involve end users so many organizations move to a default classification. The challenge with that is that you’ll end up classifying all of your content with that same default value. Going this route means missing many opportunities: Culture change, education, and accurately mapping the content to the right categories to ensure appropriate protection.

The second biggest pitfall is not having an executive sponsor and failing to leverage a change management program. You need both so your organization can make the important cultural and behavioural changes to protect personal data and comply with GDPR, leveraging whatever technology you choose.

Data protection doesn’t have to be complicated

But it does need a thoughtful approach that involves taking the right steps at the right time. If you missed the ISACA webinar, you can watch the recording here. And be sure to leave us a comment if you have any questions we didn’t cover.