Understanding the Intersection Between GDPR and Cybersecurity

It's been about half a year since Europe's General Data Protection Regulation (GDPR) was activated, and corporate legal, privacy and compliance teams are beginning to adjust to the new lay of the land. We've seen early examples of enforcement activity, and those are helping organizations better understand the long-term landscape for compliance.

There are many facets of GDPR that may continue to be difficult to operationalize and manage, one being the intersection between the directive and cybersecurity practices. This includes enabling compliance with new laws around data breach prevention and notification, and requirements for measures taken to safeguard personal data.

GDPR outlines that to be compliant, companies must follow established cybersecurity practices, implementing “state of the art” approaches and “appropriate technical and organizational measures to ensure a level of security appropriate to the risk …” to prevent a breach of sensitive, protected data.

Some examples are described as to what this means, including using pseudonyms, data encryption and regularly testing security, but no minimum standards that explain exactly what is expected are defined. This presents a real challenge, given how quickly cybersecurity practices and technology change and threat actors evolve. The cybersecurity industry doesn't currently have a unified position on what qualifies as “state of the art,” leaving the burden on individual organizations to implement their view of strong cyber resilience and defend their position that they have in fact taken appropriate measures to secure their networks.

Further, under the new law, organizations are given a 72-hour window to notify impacted persons when a breach occurs. This is a tight turnaround; even identifying that a breach has occurred within 72 hours, much less notifying the entire population whose information may have been breached, is difficult.

A recent survey around GDPR readiness and concerns in the UK revealed that while respondents are taking GDPR related crises seriously — with 64% indicating they are establishing a response team and 54% regularly reviewing their incident response process — many have a lot of work to do to address cybersecurity implications. In the survey, less than a quarter had obtained cyber insurance and only 32% had performed table top exercises with crisis management response teams.

To execute strong privacy protections and the ability to enable quick identification and notification of data breaches, organizations must invest in a holistic cybersecurity program. Programs should encompass several key best practices, including:

• Risk assessment: There is no silver bullet for cybersecurity, so teams must conduct a thorough risk assessment to understand the unique threat landscape for their organizations. The findings from this evaluation can inform next steps for how to remediate the top risks and areas or data within the network that are particularly vulnerable. NIST standards are a good place to start to guide how to evaluate risks and build on the information gained from an assessment.
• Couple security with IG: Taking stock of the full scope of its overall data universe through information governance policies and best practices, an organization can determine what data can be deleted, what needs to be migrated to an inexpensive storage platform and what needs additional security and privacy protections. Sensitive data should be classified and appropriately stored and safeguarded. Leveraging information governance as part of cybersecurity also makes it much easier to establish processes for identifying breaches, remediating the effects and promptly notifying those impacted.
• Intelligence gathering: It is vital for organizations to keep the latest intelligence and attack trends in mind when approaching cybersecurity policies and internal data governance. This should include collaboration with other organizations in their industry and federal authorities to ensure knowledge of current threats. Every organization should maintain an intelligence platform that gathers all crucial cyber threat information and makes it accessible to analysts working on the front lines of defense.
• Rapid incident response: A comprehensive incident preparedness and response plan should be developed. Incident response should include, but not be limited to: 1) containing an incident as quickly as possible; 2) recovering operations with minimal disruption; and 3) ensuring that lessons learned are ingested into the intelligence repository for more proactive incident prediction in the future. This minimizes the overall impact, helps sustainably improve the network environment in a way that prevents repeat attacks and enables easier compliance with breach notification laws.

GDPR, as well as China's cybersecurity law may be just the tip of the iceberg in terms of future privacy legislation. Similar laws are emerging around the world — including several in the U.S. driven by lawmakers in states such as California and New York — establishing privacy as a mainstay in the future of global business.

Compliance is not to be viewed lightly. Aside from the financial risk of a violation, organizations must be more conscious than ever before of the reputational damage that can result from failing to take privacy seriously. Multinational corporations in particular must now stay abreast of the varying and emerging requirements and have a foundation in place to adjust programs and policies as the landscape evolves.

*****

Jake Frazier is a senior managing director and head of the Information Governance, Privacy & Security practice within the Technology segment at FTI Consulting. Anthony J. Ferrante is a senior managing director and global head of Cybersecurity at FTI Consulting. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.