By Frank Krieger, Vice-President, Governance, Risk and Compliance, iland.
It isn't often that compliance specialists get to be the heroes of the story, but in the last four years as we've been preparing for the implementation of the GDPR, we've found ourselves more frequently in the spotlight.
It is a fascinating time to be working in the sector, particularly when you're also part of the rapidly growing cloud industry. Our clients need to know that their investment in the cloud comes with a guarantee that their operations will be GDPR-compliant, and that's why we have worked tirelessly to ensure that we can meet their expectations. We've built up a great deal of knowledge along the way, and as we take the first steps on the journey of ongoing data privacy, it seems like a good time to take stock of what we've learned as an organisation whose success depends on getting this right. Here are some tips and pitfalls that we've encountered along the way that will help companies still establishing their GDPR strategy and structure.
GDPR is much more than an IT regulation – it is a change in corporate governance
There's a tendency to zero in on the area of GDPR most closely connected to your own area of operations, be that IT, HR, marketing, legal or finance. However, that siloed approach risks making your strategy fragmented, with no overarching principle behind it. The scope and risks associated with the GDPR mean that it should be viewed as a corporate governance issue in the Board's domain, with the compliance programme driven from the top. That doesn't mean that every director needs an in-depth understanding of data sovereignty or cybersecurity, but it does mean that the Board needs to provide oversight to ensure that the business is treating data privacy with the importance it deserves, and that sufficient resources are in place to facilitate compliance.
There's no quick fix
We've been working on this regulation for four years, and one of the biggest takeaways is that there are really no shortcuts and no solution that you can buy off the shelf that will make you compliant. Compliance is achievable, but it needs work and a commitment to building in processes that will keep you compliant in the future. You can and should take advantage of the expertise that suppliers such as ourselves have built up in the area, but when it comes right down to it, you will need to make sure that you have the resources to build and maintain your own compliance programme.
Due diligence extends down the supply chain
The data controller is responsible for ensuring the privacy of subject data all the way down the processing chain. This means that they must be able to prove that the data processors they use are operating to the same GDPR-compliant standards as the controller. If the processor uses third parties to subprocess data, as is common among cloud service providers, the controller must establish that these are also compliant. This means that contracts between customers and CSPs must be watertight and written in terms that both parties understand. If the controller handles protected data, this needs to be made clear to the processor so that the appropriate safeguards can be put in place.
Proactively demonstrating compliance is another key aspect of the regulation, and this marks a change in the way IT departments usually operate. They tend to use a system that logs significant or unusual events and generates alerts when something unexpected happens. To demonstrate GDPR compliance, systems will have to monitor a lot more day-to-day activity, for example providing audit logs to prove that only authorised personnel are accessing data subject information. Basically, this will mean a lot more storage of activity/event data, which must remain accessible to demonstrate compliance. Providers must also be able to offer clients this level of monitoring and visibility, with robust processes in place to notify them of data breaches.
Data Protection Officers – worth the investment
Even if your business has fewer than 250 employees and does not process specially protected data, appointing a Data Protection Officer (DPO) can help you put structure around your GDPR programme and underlines your commitment to compliance. We've found that having a senior, independent person responsible for GDPR helps to define structures and reporting lines so that everyone, from the Board through to the individual departments, has a central point of contact and expertise with whom to raise data protection and compliance issues.
Structuring your programme – don't reinvent the wheel
At iland we've taken a risk-based approach to GDPR using the standards that we have already achieved: ISO 27001, SOC 2 and CSA cloud guidance. This ensures proper governance and management of risk and security for all our data collection and processing, both for us as a controller and for the data that we process for customers. We've also become the first cloud company to achieve the BS 10012:2017 UK Standard, which aligns us directly with GDPR. If your organisation already complies with all or some of these, you can utilise these frameworks to structure your GDPR compliance programme. Similarly, when looking for suppliers, choosing those that align with these standards is a good indication of their commitment to GDPR, although it is still your responsibility to audit suppliers independently.
Leverage your legal department
Ensuring ongoing compliance with GDPR is going to mean that contracts between data controllers and processors will need to be carefully written and reviewed. While providers such as ourselves are happy to offer our advice, it is incumbent on the data controller to verify that contracts cover all of the required elements of performance, audit and security, and this means the legal department has to be resourced and ready to review contracts.
...and finally, it's good to talk
As with so many major business projects, communication is a critical factor. When you're working to understand the way that data flows through your organisation, it's one thing to look at a chart or process diagram, but you often get far more insight by sitting down with data handlers and letting them describe what they do with data every day. This can flag up those little silos and workarounds that soon become embedded in workflows but which wouldn't show up in a conventional audit.
We've learned a huge amount in the past few years as we've worked to get iland GDPR-compliant for the benefit of our customers and our business. The next few years will show how this new system of governance will work in practice to keep personal information secure wherever it resides.