Editor in Chief Bill Coffin talks with Steve Durbin, managing director for the Information Security Forum, an independent, not-for-profit organization dedicated to investigating, clarifying, and resolving key issues in information security and risk management.

Despite all that has been written on GDPR so far, there are still plenty of compliance officers who do not really know what GDPR is all about, and why they should care.

I’m not surprised, to be honest. If we look at the level of readiness that organizations have within the European Union, let alone outside of the European Union, the majority is still nowhere near where they need to be in terms of GDPR compliance. This is a very wide-reaching piece of legislation that touches on so many different pieces of data that an organization has gathered over many years. And let’s face it: Quite a lot of organizations don’t know where some of that information is. They don’t have control over it. Many users may have been storing information in the cloud that may not be readily known to the IT or security department. But that is all covered by GDPR, and the organization is responsible for it.

In terms of breadth and coverage, the European Union starts from a very different position from the United States. The European Union starts from a position that says citizens’ rights are paramount. The right of the citizen is where we begin in terms of information and data related to that citizen. Here in the United States, you have a much more corporate-focused view. But the GDPR protects a citizen’s data irrespective of who might be holding it. If a hotel in the United States holds information on an EU citizen for the purposes of checking in, the GDPR covers it. If a U.S.-based organization has an operation in Europe and is dealing with EU system data, the GDPR covers it.

Given how many multinational companies do business within the European Union, it seems like the GDPR is a de facto global standard.

You’re absolutely right. What we’re seeing is a number of different countries applying either a similar standard or defaulting to the GDPR as the way in which personal information should be protected. The GDPR is exceptionally far-reaching. The legislators and regulators have significant powers over organizations, irrespective of where they may be based, to fine them for non-compliance.

Now, a conversation I have had here in the United States is, “Well, we’re an American corporation, how are they possibly going to track us down?” That’s a very American way of looking at it. The reality is, they will. My advice is to spend your time looking at how you might comply with GDPR rather than whether or not you can get away with it. Because there are various agreements among global regulators on this. The European Union tends to be very picky in this kind of environment.

The fines they can levy can go up to 4 percent of global turnover. If you’re in the Fortune 500, that’s a significant amount of money. Nobody expects the regulators to apply those fines on Day One, of course, but what they’re looking for is for people to make the right moves toward compliance. They want to see that you have taken the right steps and that you have begun to analyze where your data resides. That you have put in place reasonable protection around it. That you can remove data in a reasonable timeframe upon request. That you are able to report breaches within 72 hours. That you have taken all reasonable steps to make sure that the information you share with other parties is also protected.

That takes us into quite an interesting and problematic area, and that is third-party sharing of information. It’s one thing to look at it within your own corporation. But if you look at the way in which we share information generally, there isn’t a business that isn’t sharing information in some way, shape or form. How do you ensure that the third parties that you’re working with are applying the correct level of security to comply? Organizations have struggled for quite some while in terms of managing third-party security, particularly with smaller enterprises. There is no size limit to the GDPR. You still have to protect the information.

Larger organizations are trying to get their arms around mission-critical information related to personally identifiable EU resident data and data that is generated from the European Union. And then we have the third-party situation, particularly as it applies to smaller companies. There is an onus on larger enterprises to work with third parties, especially smaller third parties, to make sure that they are compliant. Most smaller organizations don’t have information security people in place. It’s probably something shared with IT. Their major focus is keeping the lights on and generating revenue and, when they’ve done all of that, if they have spare time, they’ll get around to it. Most of them are using cloud and consumer devices to access the cloud. So, you’ve got some inherent vulnerabilities already coming into the mix when it comes to how do you preserve or ensure the integrity of personally identifiable information. There is a requirement for a high degree of collaboration across supply chains with larger organizations taking a lead in that to ensure that the information is protected at all different stages of the information life cycle. It isn’t sufficient to protect data at creation or the point of use. It also must be protected in transit, and when it has come to the end of its usefulness, it must be destroyed appropriately. If we think about that within a cloud environment, or a social media environment, then we begin to start to understand some of the challenge that organizations are facing in this particular space. GDPR is causing organizations to struggle around the volume of information, the speed at which it’s being shared, and the multiple locations in which it’s being housed. That’s why a lot of organizations are not GDPR-ready at the moment.

They also have to put in place a Data Protection Officer. Now, they don’t have to have that person on their own books. They can outsource that to a third party. But when you look at the actual job spec for a DPO, in an environment where we already have a pretty critical skill shortage, finding some of these people is pretty challenging. In Europe, we’ve gone through the discussion of who owns the DPO. There was an assumption that Legal would want to own the DPO. Well, surprise, surprise … they didn’t want to touch it. Then they thought maybe the risk officer would want it and they said: no, not so much.

We are seeing quite a few information security officers holding the DPO, but this is a role for which it is difficult to find a natural home. Companies are going out to market looking for somebody with a legal background who understands the technology elements and is able to bring some audit control to the environment. You’ve got this real hybrid individual, and firms are struggling to find them.

In the United States, bellwether states like New York and California have either enacted or are working on their own data protection standards. Those states are such pivotal marketplaces that they become de facto national regulators, and not all of those states are in harmony with each other. How much does this further complicate overall GDPR compliance?

The landscape is becoming very cluttered from a compliance standpoint. When you have limited resources, how do you spend your time? You have to be compliant first. And then you can focus on some of the other things. If you have an increased compliance burden, that reduces the amount of time you have to spend on information security or security best practices. Then you get into ranking compliance in order of where you have to do business. From a compliance officer’s standpoint, life is not becoming any easier. If you have the misfortune of working for a multinational company, you’re spending a significant portion of your day just keeping abreast of different legislation around the world in which you’re active.

Compliance is a bit like driving a car only using the rear-view mirror; you are trying to establish regulations based on precedent to prevent bad things from happening in the future. If you apply that to a cyber-environment, cyber is very fast-moving. Very often, threats we have not seen before come out of left field. If you’re only focusing on what happened yesterday, you will miss some of these emerging threats or not have the amount of time that might be required to really put in place some measures to mitigate against their impact on your organization.

So, as we increase compliance, how do we ensure that we aren’t borrowing or stealing resources that would otherwise be usefully engaged? One of the complaints here in New York with the Department of Financial Services Cyber-security Requirements was whether the regulators know what they are talking about. If I’m a large organization, of course I’m doing most of these things. Do I have a CISO? Yes, I’ve had one in place for a number of years. Do I have programs in place? Yes, of course. Do I have multifactor authentication? If I’m in the financial services space, I’ve got that. Am I working collaboratively with my third parties? I could probably do better in that space, but do you as a regulator know what you’re talking about when you ask me to do that?

You mentioned that nobody expects regulators to start imposing massive non-compliance fines right away, but at what point can we expect the penalties for non-compliance with GDPR to get more serious?

This is where we get into the reasonableness piece. What is reasonable? The reality is that until the regulator comes knocking, you’re not going to know what reasonableness is. The regulators are looking for solid progress to have been made in line with compliance. They understand the scope of what they’re asking for. You’re going to have to evidence that you have security by design within your operations. You’ll have to evidence things like audit trails and vulnerability assessments, risk assessments, that you know where the information is. That your board of directors is taking this seriously. In the instance where you have a breach, and the forensic investigation afterwards shows that you have not put in place some of those basic steps, you will be in trouble. And that’s where we’re going to start seeing some of the bigger fines. Because the view will be, look, you’ve chosen to completely ignore what we’ve been telling you, and you’ve had a breach that has caused damage not just to your corporation, but to individuals. The European Union is all about the individual. So therefore, you’re in big trouble. And the only way we can send a message to other organizations is by levying an appropriate fine. And they can go very high on that.


Steve Durbin is the managing director for the Information Security Forum, an independent, not-for-profit organization whose membership includes many of the companies on the Fortune 500 and Forbes 2000 lists. The ISF is dedicated to investigating, clarifying, and resolving key issues in information security and risk management, so it comes as no surprise that the European Union’s General Data Protection Regulation (GDPR) is of great interest to the ISF.
Compliance Week met with Durbin in New York to discuss what GDPR compliance really entails, how much work organizations must do before the May 25, 2018, implementation deadline, what regulators are really expecting from organizations in terms of data protection, and why all of this compliance effort is really a blessing in disguise to companies both large and small.

Nobody wants to find themselves in a situation where they think they have done the right thing but find out the hard way during a crisis that they are, in fact, non-compliant and open to fines as well. How can companies work with regulators before the case to ensure that what they have done falls within that “reasonable” area?  

Some regulators don’t encourage that kind of collaborative approach because their view is: “We’ve set the guideline, you have to comply with it, and our job is to come in and pick holes in that.” I don’t think that’s a helpful stance. I think regulators need to take a much more collaborative approach. And with European regulators, that seems to be the stance they have adopted. So how do you gain assurance? It’s about conducting GDPR-based audits and getting an external third party in to run through some of the things that you’re doing.

Some organizations over here that are managing EU citizen data have gone through that process. In the media space, you have companies that are holding very interesting information, from a personal data standpoint. They’ve gone through that and have those checks done and feel a bit more comfortable than some other industries. That’s the only answer. You have to audit your approach, constantly review it and look at it within the context of how you’re going about running your business. If you are running a business that is heavily dependent on cloud technology, consumer-based devices with a road-warrior work force that is traveling the globe, then you’ve got some challenges around how you collect, store, and manage information. But they’re all surmountable. You just need to make sure that your processes are reflective of the GDPR legislative requirements and that you’re communicating that effectively with your staff.

It’s about clarity and understanding where the information is. It’s about conducting a robust challenge to the business in terms of how information is going to be collected, stored, managed and used, going forward. It is about making sure that you’ve got a continual review process in place around it. And it’s about education, making sure that individuals and business leaders understand the implications associated with this.

This is not the compliance officer’s problem. This is actually a good opportunity for a business to really get itself in shape in terms of how it manages personally identifiable information across the business. It’s an opportunity to review contracts that you might have in place with third parties around some of these things. It’s an opportunity to review some of the working practices that the business has in place. So, the organizations that are making the most headway in all of this are those that are looking at this from a positive business impact standpoint, rather than those that are thinking that this is just another piece of compliance to avoid falling afoul of the regulator. If this is fundamental to the way that you do business, if you have to be in a marketing or financial services, the retail environment … anything where the personal information is your lifeblood, then you’re going to have to make some changes. So, use it as an opportunity to enable some strategic change that will help you grow your business. That way is how you will get support from other members of the organization. This is about people understanding why it’s important and how they can contribute to supporting compliance for the good of the business.

How much time do organizations really need to comply with GDPR?

If organizations are holding EU citizen data and they haven’t yet started to consider some of the implications of this legislation, then they need to move it up the priority list pretty quickly. I was in a meeting in Helsinki some 12 to 15 months ago, and somebody asked about the minimum amount of time to build GDPR compliance. And a response from one of the larger members in the meeting was that if you have not started by now, you have already left it too late. Now, it depends on the size of the organization and how well structured your data management is across the enterprise. But if you look around, go to any conference that is related to security or risk, you will find vendors there offering GDPR services. Lawyers, management consultants, a whole range of service providers. Why? Because they know it takes a lot of work to comply with GDPR, and a lot of organizations have left it late.