On May 25, 2018, a major new piece of data protection regulation will come into effect across the European Union (EU), and with it comes the potential for hefty fines or penalties for your organization. Even if you do not directly operate in the EU, chances are that the General Data Protection Regulation (GDPR) still pertains to your company.
The regulation covers any entity that processes the personal data of people in the EU (referred to as “data subjects”), whatever their citizenship. An organization established in the EU is covered for any processing carried out in the context of that establishment. An organization established outside the EU is covered when its processing relates to offering goods or services to people in the EU or to monitoring their behaviour, and a processor that handles such data on another organization’s behalf is covered too. Unless you are categorically sure that your organization does not and will not process the personal data of people in the EU, compliance is not optional.
The fine for the most serious infringements can be up to €20 million (approximately $23 million at today’s exchange rate) or 4 percent of your worldwide annual turnover for the preceding financial year, whichever is the higher amount; a lower tier of €10 million or 2 percent applies to other infringements. It is essential for directors to pay attention to the data and information security practices in place to ensure that the organization is prepared and compliant.
The Policy Details of GDPR
The GDPR was written to ensure that organizations:
protect the personal data of ‘EU Natural Persons’ (i.e. living people);
are transparent, fair, and lawful about the processing of personal data;
only request and process necessary personal data;
do not share data with third parties or countries unless the correct legal agreements and processes are implemented; and
have a lawful basis for processing the data, of which the data subject’s consent is one.
Personal data is defined in the policy as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
There are six principles that apply to the processing of personal data. According to the policy, personal data shall be:
processed lawfully, fairly, and in a transparent manner;
collected for specified, explicit, and legitimate purposes;
adequate, relevant, and limited to what is necessary;
accurate and, where necessary, kept up to date;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
processed in a manner that ensures appropriate security of the personal data.
Data subjects are provided with a set of legal rights under GDPR, including the right:
Each EU member state has a designated supervisory authority. These regulatory bodies are responsible for monitoring the application of GDPR, and have the power to audit organizations and determine relevant warnings, reprimands, and fines for violations by the organization. When a personal data breach occurs, the company will be subject to a high level of scrutiny and must notify its supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to the affected individuals, they must be informed as well, without undue delay. A personal data breach is described as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
There is a requirement for some organizations to appoint a data protection officer (DPO), whose responsibility it is to advise and inform on GDPR and to monitor compliance within the organization. The DPO acts as the main contact for both data subjects and the supervisory authority, must report to the highest level of management within the organization, and cannot perform any tasks or duties which result in a conflict of interest.
You need to ensure your organization has fully investigated the nuances of the requirements to ascertain whether you need to appoint such a role or prepare to meet other personnel or technical demands.
Where do we start?
Your organization first needs to define the team that will drive GDPR compliance and management. Within the C-suite this should include the chief information officer and the chief information security officer, in addition to representatives from legal counsel, human resources, risk and compliance, and privacy. Determine if you need to appoint a DPO. Once your team is assembled, assess your current state, so that you can plan next steps accordingly. This team should present results at least to your board’s audit committee, if not the full board, given the financial and reputational risks involved.
Understand your personal data retention
You should ask your GDPR team the following questions to determine what categories of personal data your organization is dealing with:
To whom does data you collect and retain pertain?
Is it necessary to collect and keep this data?
If so, how long do you need to keep it?
Do you have permission from the data subject to process the data?
How is consent obtained from data subjects for each method of personal data collection?
Encourage your team to follow others’ personal data on its journey through and beyond the organization. Doing so will help the GDPR team understand how the data is collected, stored, transmitted, accessed, and secured, and understand where and how it is passed on to any third parties.
Review how your organization collects consent from individuals to process their personal data
Data subjects must be able to give consent for their personal data to be processed, and to withdraw it as easily as they gave it. Consent means any “freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In a contractual situation, the provision of a service may require personal data to be processed in order for the service to function correctly. Processing that is genuinely necessary to perform the contract rests on that necessity rather than on consent, and it has to be made clear to the data subject when they register for the service. Asking for “consent” to processing that the person cannot refuse without losing the service does not produce freely given consent.
Identify partner and supplier risk
Review third-party legal agreements to ensure that personal data you provide to a third party is handled in a compliant manner. As the controller, your organization remains accountable for that data even when it is the vendor that suffers the breach or loses the data. If you process personal data on behalf of another organization, you are a processor with obligations of your own under the regulation: you will need to demonstrate your compliance with GDPR and ensure your legal agreements reflect this accordingly.
Ensure your cybersecurity programs are up to par
Your security posture and processes impact the journey and security of personal data, and should be assessed accordingly. GDPR Article 32 stipulates that you must ensure a level of security appropriate to the risk involved with the data, and it names the measures it has in mind: pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems; the ability to restore availability and access to personal data in a timely manner after an incident; and a process for regularly testing and evaluating the effectiveness of those measures. This might require adjustments to your security program, especially if you have weighted your security setup to focus primarily on prevention and are lighter in the areas of detection and correction. Visibility across your ecosystem is vital for determining risk. Knowing your weak points will help you understand where to bolster your security, and testing your processes will determine whether they are fit for purpose.
Get regular updates on progress and status
As individual reviews are completed, have each leader report back to the core and leadership teams with a set of prioritized actions and milestones. Set up a frequent cycle of reporting to understand the progress of your GDPR compliance status. The spring of 2018 is clearly too late to be finding problems.
If your organization employs, partners with, or serves people who are in the European Union, you are subject to GDPR. Given the detailed stipulations of the regulation, along with the threat of steep fines, it’s not something you can get away with ignoring or procrastinating on. As a board member, you’ll want to ensure the organizations you serve are prepared to meet the challenge and reduce the risk.
Corey E. Thomas is president and CEO of Rapid7. He is director of Blue Cross Blue Shield of Massachusetts and the Greater Boston Chamber of Commerce.
NACD held its third annual Cyber Summit in Chicago on June 21, 2017, in partnership with the Internet Security Alliance (ISA). This year’s event followed in the wake of cyber incidents such as WannaCry and the hacking of the Democratic National Committee’s email account, as well as Europe’s adoption of the General Data Protection Regulation (GDPR) and the implementation of China’s Cybersecurity Law.
NACD members left the Cyber Summit with valuable lessons to share with their colleagues.
Speakers acknowledged this context and focused on topics such as building a cyber-risk culture, insider threats, cyber-risk regulation, the threat of state-sponsored attacks, and the economics of cybersecurity.
Five key takeaways emerged for director attendees at the 2017 NACD Cyber Summit:
1. Actively learn from cyber incidents at other companies. A bill that aims to require cyber expertise on public company boards has surfaced twice in Congress since 2015. However, Melissa Hathaway—president at Hathaway Global Strategies and senior advisor at Harvard Kennedy School’s Belfer Center for Science and International Affairs—believes boards do not necessarily need to have a director who is an expert in cybersecurity. Hathaway, who delivered a keynote at the cyber summit, suggests boards regularly hold conversations about current events in cybersecurity, and review a cyber-event case study at each quarterly meeting.
2. Work toward a public-private partnership. Hathaway emphasized the benefit of forming a public-private partnership in the United States to serve as a medium for information sharing about cyberattacks. Canadians have already formed such an organization. The Canadian Cyber Threat Exchange is an independent nonprofit that functions as a middleman between the public and private sectors. According to Hathaway, the U.S. government itself has been a victim of a number of cyberattacks exposing personal data, which has cost it credibility with the private sector. Thus far, U.S. corporations have been largely reluctant to share information about cyberattacks with a government that may not be seen as equipped to adequately respond. At the same time, the government classifies data on cyberattacks that limits information sharing with the private sector.
3. Consider having the CISO report directly to the board. The 2016–2017 NACD Public Company Governance Survey indicates that only 31 percent of boards receive reports directly from the chief information security officer (CISO), despite the increased prevalence and importance of the role. Bret Arsenault, corporate vice president and CISO at Microsoft, indicated that the frequency of meetings between the CISO and the board depends on the board’s existing cyber knowledge. As Microsoft’s CISO, Arsenault conducts a quarterly review with both the full board and the audit committee, in addition to meeting with the CEO and the full leadership team for a half hour once each week. Having all members of senior management involved in the conversation helps set the tone at the top around cyber culture. See the 2017 Cyber-Risk Oversight Handbook for guidance on building a relationship with the CISO (p. 38) and questions for the board to ask management about cybersecurity (p. 21).
4. Strengthen a culture of secure behaviors. In providing oversight of cybersecurity, one aspect of the board’s role is to ensure that the organizational culture reinforces healthy cybersecurity behaviors. For this culture to take hold, it is essential that any cybersecurity-related issues be explained to the board—and employees—in a clear, understandable way. For example, the CISO should speak in business terms to the board and avoid using technical language, according to Arsenault. John Lhota, managing principal for global cybersecurity consulting services at SecureWorks, also suggested using gamification for employee cyber education programs. Directors should evaluate whether a culture of awareness about the importance of cybersecurity truly exists, beginning at the board level. See NACD’s Cyber-Risk Oversight Handbook for tools on assessing the board’s cybersecurity culture (p. 27) and establishing board-level cybersecurity metrics (p. 28).
5. Ensure access rights are limited and continuously monitored. Directors should discuss with management what the company’s most critical data assets—or, “crown jewels”—are, and who could access them. Many high-profile breaches have been carried out by employees or contractors with access to company networks. Robert Clyde, vice chair of ISACA and managing director for Clyde Consulting LLC, indicated the hiring process can aid in selecting trustworthy employees, but employees with administrative privileges (i.e., the ability to install certain software, access certain files, or change configuration settings) can become very destructive if they retaliate against the company after a job loss or make a mistake. The board should check with the CISO to make sure that only a very small number of employees hold administrative privileges on an everyday basis, with slightly more given access in an emergency. Adding secondary approvals—so that two people must be involved in a process—further constrains the possibility of someone accidentally deleting data or removing it on purpose. Access for those with administrative privileges should be amended the second those individuals change jobs, according to Robert Zandoli, director of the ISA and global chief information security officer at BUNGE Ltd.
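The controls in item 5 (a deliberately small standing set of administrators, time-boxed emergency elevation that two different people must approve, and revocation the moment a person’s role changes) can be modelled directly. The following Python is an added example, not code from NACD, ISACA or any speaker at the summit; the eligible role names, the three-administrator limit, the four-hour time box, and the sample directory entries are all constructed for illustration.

```python
"""Least-privilege admin access: small standing set, two-person emergency
elevation, and revocation on role change.

Added example, not from the original article. Policy thresholds, role names
and the sample directory below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ADMIN_ELIGIBLE_ROLES = {"platform-sre", "security-engineer"}  # constructed
STANDING_ADMIN_LIMIT = 3                                     # constructed
EMERGENCY_GRANT_TTL = timedelta(hours=4)                     # constructed
REQUIRED_APPROVERS = 2

HOUR = timedelta(hours=1)
T0 = datetime(2018, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass
class EmergencyGrant:
    user: str
    requested_at: datetime
    approvers: set = field(default_factory=set)

    def is_active(self, now: datetime) -> bool:
        # Access is conferred only once two distinct people have approved,
        # and lapses silently when the time box measured from the request ends.
        return (len(self.approvers) >= REQUIRED_APPROVERS
                and now < self.requested_at + EMERGENCY_GRANT_TTL)


class AdminAccess:
    def __init__(self, standing_admins):
        if len(standing_admins) > STANDING_ADMIN_LIMIT:
            raise ValueError("standing admin set exceeds policy limit")
        self.standing = set(standing_admins)
        self.grants = {}   # user -> EmergencyGrant
        self.audit = []    # (time, action, user, approver)

    def has_admin(self, user: str, now: datetime) -> bool:
        if user in self.standing:
            return True
        grant = self.grants.get(user)
        return grant is not None and grant.is_active(now)

    def request_emergency(self, user: str, now: datetime) -> None:
        # A request on its own grants nothing; it just opens the approval window.
        self.grants[user] = EmergencyGrant(user, now)
        self.audit.append((now, "request", user, None))

    def approve(self, user: str, approver: str, now: datetime) -> bool:
        grant = self.grants.get(user)
        if grant is None:
            raise KeyError(f"no pending emergency request for {user}")
        if approver == user:
            raise ValueError("self-approval is not allowed")
        if approver in grant.approvers:
            raise ValueError("second approval must come from a different person")
        grant.approvers.add(approver)
        self.audit.append((now, "approve", user, approver))
        return grant.is_active(now)   # True once the two-person rule is met

    def on_role_change(self, user: str, now: datetime) -> None:
        # Revoke both standing and emergency access the moment the job changes.
        self.standing.discard(user)
        self.grants.pop(user, None)
        self.audit.append((now, "revoke", user, None))

    def reconcile(self, directory: dict, now: datetime) -> list:
        """Compare every admin against the HR directory (user -> role) and
        revoke anyone whose current role is not admin-eligible."""
        revoked = set()
        for user in list(self.standing) + list(self.grants):
            if directory.get(user) not in ADMIN_ELIGIBLE_ROLES:
                self.on_role_change(user, now)
                revoked.add(user)
        return sorted(revoked)


def run_scenario() -> dict:
    """Walk through the controls with constructed users and return the outcomes."""
    acc = AdminAccess(["alice", "bob"])
    acc.request_emergency("carol", T0)
    first = acc.approve("carol", "alice", T0)          # one approver: not yet
    second = acc.approve("carol", "bob", T0)           # two approvers: active
    acc.on_role_change("alice", T0 + HOUR)             # alice moved teams
    revoked = acc.reconcile({"bob": "finance", "carol": "platform-sre"}, T0 + HOUR)
    return {
        "first_approval_activates": first,
        "second_approval_activates": second,
        "carol_admin_after_1h": acc.has_admin("carol", T0 + HOUR),
        "carol_admin_after_5h": acc.has_admin("carol", T0 + 5 * HOUR),
        "alice_admin_after_change": acc.has_admin("alice", T0 + HOUR),
        "revoked_by_reconcile": revoked,
        "audit_entries": len(acc.audit),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The two checks in approve are the ones that matter in practice: a requester cannot approve their own elevation, and the same approver cannot be counted twice, so a single person can never satisfy the two-person rule. Reconciling against the HR directory is what catches the "changed jobs" case; in a real deployment it would run on every directory change rather than on demand.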
For more information on providing cybersecurity oversight, please see the following NACD resources:
How much of your personal data is out there, available for companies to slice and dice—and potentially for hackers to find? Your username and password information to your e-mail account? Your medical records? Your government identification numbers? What about all of the information in your connected devices?
Many companies are moving toward a digital business model, which is generating a massive amount of data about customers. With that proliferation of customer data also comes valuable opportunities for companies to analyze and act upon it. But the explosion of data is also creating a very big, mostly invisible window into people’s private lives that may leave them very vulnerable to identity theft and other crimes.
New privacy laws and incidents of privacy violations, identity theft, and compromise of personal and sensitive information are compounding, which is pressuring companies to prioritize data privacy, security, and compliance. Failure to do so could mean damage to their brand and shareholder value—and even enforcement action by US federal agencies or class action lawsuits.
Data privacy is now a topic that boards need to stay on top of. Directors will want to regularly ask management questions about the company’s efforts to protect its customers’ personal information. Here are five questions boards can ask management about the topic.
1. What is our total dollar exposure to data privacy risk, exclusive of data security? Violating established privacy and data security practices can be costly. According to analysis of government data by PwC, in 2016, companies paid nearly $250 million in privacy and security related fines. It’s critical for the board to meet with the right people to understand what steps the company is taking to protect its sensitive information. By meeting with the chief risk, information security, and privacy officers, the board can get a better picture of the state of privacy risk, including the dollar value of the worst possible data privacy risk event. The board also needs to determine if it is receiving the information it needs to oversee privacy risk. And if it’s not, the board needs to ask for and get it from management.
2. How effective is our data privacy strategy? Data is starting to change companies’ business strategies. Nearly two-thirds (64%) of CEOs believe that management of data will be a differentiating factor in the future. For some companies, it already is. The board should ask management to explain the company’s data privacy strategy and outline any goals around data collection and use. Is the data-driven business strategy to grow sales and revenue, improve customer experience, trust and relationships, differentiate the business, or get a competitive edge? Once the board understands that strategy, it can have discussions with management about whether the strategy is effective. The board will want to ask management for updates to that strategy and changes to any plans to achieve those data-related goals.
3. How ready is the company to provide evidence of compliance to privacy regulators? Companies that collect and use personal data need to pay close attention to privacy laws. The European Union’s General Data Protection Regulation (GDPR)—the world’s toughest privacy law—takes effect on May 25, 2018, and that date is the deadline for compliance. It is notable that businesses that do not comply with GDPR face potential fines of up to 4% of global annual turnover or €20 million, whichever is higher. Boards need to understand other laws and regulations around data privacy, too. They should ask management what the company is doing to comply with data privacy laws. Is management ensuring the company stays on schedule to meet the law’s requirements and stays within budget for its compliance efforts? Boards should ask if the company has a data privacy compliance program, what the program entails, and how the company accounts for all the data it collects, including where it’s housed. Boards need to be assured that management has the right processes and controls in place to mitigate any risk to that data.
4. Are the company’s plans for adopting new technologies and data analytics in sync with emerging global privacy regulations? Directors will want to look beyond compliance with current laws to the ethical issues that data use present. Just because a company collects data doesn’t mean it can—or should—use it, or allow third parties to access it. Data ethics standards are an emerging topic of practice, which means there aren’t always clear rules or laws outlining how companies can use personal customer data. Consider, for example, that some companies may use technologies such as artificial intelligence and machine learning to surveil for terrorist activity. There are few, if any, regulations around this type of implementation, which could leave these companies open to ethical scrutiny. Directors will want to discuss with management how to draw these ethical and privacy lines in the sand and how the company ensures they are not crossed. Boards will also want to ask how the company evaluates the privacy impact of new products or third-party partners.
5. Is the company’s privacy organization sufficiently resourced to enable its growth plan? Data privacy concerns may become bigger if the company grows. The more customers it attracts, the more data about them it may be collecting and analyzing. As the company’s data collection grows larger, the importance of having a data-use framework also grows. A good framework is one that outlines the collection of data, where and how it’s stored, how it’s protected, how it’s being used, any training on data privacy policies, and what the plan is if there is a breach. The board will want to meet with the chief information security and chief privacy officers to discuss the framework and ask how it’s being implemented, tracked, and enforced.
If the board regularly talks to management, asks questions, and gets answers and information, it will be in a good position to effectively oversee the company’s data privacy, protection, and compliance program.
Paula Loop is the leader of PwC’s Governance Insights Center and is a well-known speaker on a variety of governance topics. As a PwC partner and with more than 20 years of experience, Paula brings extensive knowledge in governance, technical accounting, and SEC and financial reporting matters to organizations.
Jay Cline is PwC’s Global Privacy Co-Lead. He has over 20 years of experience and is a nationally recognized thought leader in the privacy profession. He has deep knowledge of law, technology, and business, and specializes in all major privacy legislation and information security standards. In his work, Jay has helped private and public sector clients comply with data privacy and security regulations across nearly every sector.