George Gerchow is Chief Security Officer at Sumo Logic and Adjunct Honorary Lecturer at Cloud Academy. View the on-demand recording of our recent webinar, Establishing a Privacy Program: GDPR Compliance & Beyond with Mr. Gerchow and Jen Brown, Data Protection Officer at Sumo Logic.
In 2016, my Data Protection Officer and I felt like the InfoSec version of the Northmen in GOT telling everyone “GDPR is coming” while the rest of the world basked in the sun and sort of laughed it off as myth. Throughout 2017, as we took practical steps to ease the pain of the root-canal-that-is-GDPR and continued warning our peers, it seemed like most of the world was still not preparing. So here we are, less than two months away from the “White Walkers” of Privacy and privacy panic just got real.
Organizations are trying to educate themselves and put solutions in place at the same time. Some are over rotating, reading up on all 99 articles, trying to interpret them, and wondering how they will be affected. Others are blasting out 100-page Data Processing Addenda (DPA) at a frantic rate, asking for processors to put their organization’s agility and profit on the line without thinking through what is really needed.
Don’t get me wrong, we are not perfect, but throughout this continuous journey, we have learned a thing or two that might be useful to others. One of the most important is that we should all be transparent and collaborate. In that spirit, I wanted to share a few practical tips on what you should do today to jump-start your journey to GDPR compliance and privacy best practices.
Let me take a step back to 2016 and start from the beginning. When whispers of GDPR started hitting our radar during an EU Privacy Shield assessment, our team started digging into very specific low cost, zero-friction action items that could make this process easier. So, what actions did we take to address GDPR compliance? We decided the first things we needed to do were to:
- Appoint a Data Privacy Officer or DPO
- Build a ”privacy by design” program
- Establish a Data Processing Addendum or DPA
- Define and maintain a continuous privacy roadmap
By prioritizing these items and being transparent while showing the best level of effort, we knew GDPR readiness for our organization could be achieved without crippling our business.
Let’s break each one of these down.
Appoint a Data Privacy Officer
Whether you hire, appoint, or use a contract DPO, this might be the most critical action you take towards GDPR goodness. A DPO will guide your organization down the privacy path and help bridge the gaps in knowledge while serving as a one-stop shop for refining process and procedure. Your DPO should work with each business unit to cover data processing and data classification best practices that go well beyond GDPR. Also know that if you do business across the pond, you need to appoint a DPO representative who lives in EMEA. If you employ more than 10 people in Germany, you need a DPO physically present in Germany as well.
Privacy by Design
When you ask any CISO, CSO, or CIO if they care about GDPR, you will get mixed results. If you ask those same individuals if they care about privacy, the answer will be “yes, 100% of the time.” All organizations care about the privacy of data, personally identifiable information (PII), intellectual property (IP), and regulatory requirements. If you build a mature privacy program that accounts for the development and procurement of new services and lines of business, you will have established an operational baseline that addresses the fundamentals of future regulations like GDPR. Moving forward, all you need to do is a gap analysis with risk acceptance and remediation to achieve compliance with the new regulation.
Data Processing Addenda
Most organizations need two: one as a processor, one as a controller. As a processor, this legal document will be your stance on how you handle customer data. It is best practice to be thorough in describing topics like how you process and secure data, subject data rights, transfer of personal data, and identifying sub processors. Be sure to proactively address any foreseeable objections in the DPA. It is key to create your own DPAs — you do not want all of your customer’s or controller’s legal language around data privacy to cripple your organization’s resources with red lines across legal, contract, security, and compliance. As a controller, it doesn’t hurt to have your own DPA on hand, but give the processor’s a shot first before you make the investment. Also, make sure to do deep reviews of the DPA with your Privacy Attorney.
Define and Maintain a Privacy Roadmap
The journey to GDPR Compliance is never-ending, so a continuous roadmap with realistic timelines is a necessity. Items on that roadmap may include the right to erasure, technology requirements like encryption, or data loss protection (DLP). I have seen several forward-thinking companies list a yearly Data Protection Impact Assessment (DPIA) on the roadmap to show third-party validation and gap analysis. It is almost impossible to be 100% compliant 100% of the time. What the auditors want to see is a gap analysis and a roadmap that shows your plan to close or significantly improve your posture on privacy. DPIA’s will be key for your organization to understand the current state and to ease any concerns other organizations may have when evaluating your readiness. We cannot overstate how important transparency and level of best effort will be when it comes to privacy and GDPR. If you are honest with where your organization currently is and have clear and documented steps on how your organization and team will make progress throughout the year, life will be good. In addition to everything we already listed, you might want to read our 4 Best Practices to Get Your Cloud Deployments GDPR Ready.
Moving forward, we will dive deeper into ways you can streamline GDPR readiness by becoming familiar with key concepts in a “privacy by design” model, which articles matter, what recitals are, and how you can start planning for a DPIA while building a roadmap for the future. GDPR is just the beginning of what’s to come with data privacy regulations. Already, Japan is starting to lead the way in Asia with its “Act on the Protection of Personal Information” (APPI). By sharing knowledge, using many things we have in place, and working together, we can be the “Night’s Watch” of privacy.
If you want to learn more about GDPR, check out our Learning Path on Using AWS Compliance Enabling Services.