As GDPR Looms, Enterprises Must Lock Down Security, Data Privacy

A recent Advice from Counsel (AfC) study, released by FTI Technology, examined the latest data privacy and security concerns as well as best practices within large U.S. corporations. The study found that control, determining what’s important and helping to lead organizational change in light of the impending General Data Protection Regulation (GDPR) are key priorities for legal and IT teams. To understand how these issues are impacting in-house teams, in-house counsel at 30 organizations shared insights on key and intersecting topics: GDPR, information governance, information security and data remediation. This eWEEK slide show outlines top areas of concern and practical advice for teams looking to avoid common pitfalls and work toward implementing programs that better protect their organization from risk.

High-profile data breaches continue to dominate the business news, and uncertainties remain about how GDPR will be enforced. This is motivating companies of all stripes—versus just those in highly regulated industries such as health care and financial services—to begin implementing information governance programs focused on privacy and security. One study respondent urged, “Take it seriously. It is an area that can land you on the front page of The Wall Street Journal if it is not handled properly.”

Billions of dollars have been spent on cyber-security, though many in-house teams said they feel their organizations are not safer than five years ago because the human element has not been adequately addressed. Technology can only go so far, and organizations should be investing equally in change management, training and education as they do in technology implementation.

Eighty percent of organizations interviewed confirmed they will be impacted by GDPR, and many are grappling with how to focus on data security when regulations require so much attention. For many organizations, the same team focused on data breaches will also own GDPR compliance, forcing the team to juggle resources across two important projects. One respondent said, “You would prefer your information security experts to focus on preventing cyber-security compromises, but instead they have to dedicate so much time and energy to complying with the complex regulatory environment.”

The investment required to ensure GDPR compliance, and whether the required resources will detract from other activities, is a top concern, though AfC respondents were evenly divided in waiting to see what will happen versus trying to get out in front of any penalties. Some believe there is no way to get around funding privacy compliance, and that it will crowd out investment in innovation.

Regardless of a company’s footprint in Europe, data privacy is a growing global concern that should be addressed. Proactive companies interviewed in the study said they are evaluating their current processes, alongside hiring internal resources or an expert third party to help determine program gaps. An audit of processes helps update stale records retention programs, reduce storage costs, and ensure that employee and customer data remain secure.

However, executing these programs is not an easy task; it requires executive buy-in to get off the ground. Stakeholders must obtain C-level sponsorship to ensure change comes from the top down; otherwise, projects are likely to fizzle out. With company leadership on board, information governance teams can tap resources with deep technical and legal expertise to build a plan that fits the company’s unique needs and risk profile. 

For those evaluating whether and how to implement an information governance, security or privacy strategy, experts in the AfC study recommend focusing on the “crown jewels.” This ensures that the truly important information is protected. The NIST framework for cyber-security is a comprehensive resource that can help guide efforts, and will help with building a data loss prevention program around the most sensitive data assets. With this in place, teams can implement training and education programs to enable the strongest line of defense: company insiders.

As part of training and education, experts recommend simulating and practicing how the team and systems will respond when a real breach happens. Practice drills reinforce the importance of data security as part of the company’s culture. One study respondent said, “I am more careful and more thoughtful about the emails that I open” as a result of practice drills.

As organizations work toward addressing privacy and GDPR compliance, AfC respondents stressed the danger of blurring lines between IT and information security roles. Many believe these groups are too often viewed as interchangeable, but study responses were clear that it is critical to understand the difference between the skill sets. Legal, compliance and information governance stakeholders must know the right team to go to with various needs, as each group will approach issues differently.

With GDPR looming, more than half of study respondents had successfully conducted data remediation projects, while others were stuck with limited resources, lack of engagement from IT or failure to obtain C-level buy-in to move projects forward. Teams that had established solid footing recommended building a strong business case to gain executive buy-in and building a plan that addresses both the challenges of today and those anticipated to arise in the future.