The challenge and process of data protection by design and default
Today, we welcome guest contributor, Allan Boardman, to the TITUS blog. Mr. Boardman is an active member of ISACA and has extensive experience in the areas of information risk management, security, and data protection. This post is the first in a series focused on compliance requirements and how organisations can get out of the rut of playing catch-up to emerging regulations and establish future-focused security programs that build trust while meeting the needs of the business.
The European Union’s General Data Protection Regulation (GDPR), which became enforceable in May 2018, is designed to unify data privacy requirements across the European Union (EU). It affects any organisation that markets to or processes the personal data of EU data subjects, which include end users, customers, and employees. Whilst organisations across Europe and further afield have been scrambling to ensure that they conform to the GDPR rules, their work is far from done. That’s the not-so-good news. The better news is that the requirements of GDPR give organisations a blueprint to start thinking differently, and smarter, about how to build data protection into their processes by design and by default.
What are the challenges to protecting data by design and default?
The sheer volume of data is a challenge, but that barely scratches the surface of the factors to be considered.
- Who are the owners of data?
- What data do you have?
- Where is it handled, processed, stored, and archived?
- Who do you share it with, and how do they get access to it?
- What kind of data is it: sensitive or non-sensitive?
- How do you protect each category of data appropriately?
- Who’s using it and needs access?
- How do you help people understand the stakes and their role in data protection?
These are complex questions, but you can’t build an effective data protection programme without knowing the answers. You need real clarity about what you need to protect and how you’ll classify personal data right from the start. But how do you go about doing this?
1) Incorporate data protection design into your change management process
It’s simpler to work through data protection design requirements when you’re implementing new tools and processes, but many companies are having to retrofit new requirements into existing systems. Either way, it’s critical to get the right people at the table during the design phase. GDPR requires a data protection impact assessment (DPIA) for processing that is likely to result in a high risk to individuals, so engaging data owners and users in that assessment will help identify the threats and risks that need to be addressed before the change goes live.
Data owners and users can provide invaluable insights into the state of data – what you have, how it’s used. And an information security expert can help you understand and navigate the regulatory demands while giving insight to the best ways to protect your data.
It can seem like a great idea to protect everything the same way or encrypt it all. However, that doesn’t necessarily match the level of protection to the level of risk. By involving the right people in the planning and design phase, engaging the business and educating employees, you will begin to build a trusting relationship between your security team and your business units. And you’ll build a data security program designed to protect data appropriately at every stage.
2) Address data classification early and thoroughly
The business must be fully engaged in the threat identification and data classification stages or you won’t get the full benefits of a classification scheme. Why? Because data classification is how you identify the data you have and its value to your business, and the classification assigned to a piece of data is what drives the level of protection it requires throughout its lifecycle. Get this understood and agreed right from the start, because every later control depends on it.
It is also important to clearly differentiate between specific categories of data, including personal data, because the associated risks may differ. And keep in mind that the value of data may be better measured by the impact of losing or exposing it than by its business value to you.
As a general rule, establish clear data classification rules without getting too granular: a small number of well-understood levels that people actually apply beats a detailed scheme they ignore. Know what you need to protect and how you want that data handled within the framework of your policies.
3) Educate people to make proper judgment calls and informed decisions
For data classification to be successfully implemented, it is essential that the users are provided with clear guidelines and instructions which are easy to follow and understand. People need to understand what’s at stake so they have the context to make the right decisions when they’re handling data. Doing this effectively involves a combination of ongoing awareness, regular training, and comprehensive education.
This gives people clarity about their roles and responsibilities in protecting personal data. And the working relationships established with the security team during the design phase mean that business units will find it easier to raise risks and to work with security on solutions. The outcome? Your organisation becomes more effective at meeting its compliance requirements and managing its information risks in a dynamic and evolving business environment.
A foundation of knowledge about the regulations, the types of data being collected and used in the organisation, and the risks associated with handling that data also makes technological solutions for data security more effective. With the right tools, organisations can help people put that knowledge into action every day in the flow of work. It takes the written policies that we’ve all signed off on, makes them come alive, and in so doing empowers people to follow through in their work.
Remember, start with intentional data protection by design and default
When you design your systems for data handling through the lens of protecting the data first, you put your organisation on the right path to set up its people, processes and technologies for success.
Allan Boardman, CISA, CISM, CGEIT, CRISC, CISSP, is a seasoned business advisor focusing on information risk management, security, and data protection. He has served on ISACA International’s Board and is a regular speaker at conferences across the globe.