GDPR, Reality Check, Executives, Corporate Directors, C-Levels – Who has “Duty of Care” to Avoid Complications from a “Data Breach”?

GDPR, the General Data Protection Regulation, Reality Check, Executives & C Levels: it is time to be direct. Based on many recent surveys and my numerous contacts in the Data Privacy, compliance & Big Data world, you are likely vulnerable to being hacked, and perhaps fined by the EU GDPR Commission, which appears to have finally entered the enforcement stage. C levels, it is time to validate that your DPO, Stakeholders, IT Department and Third Party Consultancies have prepared your company properly for the inevitable intrusion and subsequent audit by regulators. I am not trying to single out C levels, for they have correctly delegated the responsibilities of Data Protection measures to proper experts. In my opinion many of those experts are not fulfilling their responsibility to clearly report to C levels the real extent to which customers’ personal data is exposed within your Company’s data environment.

An idea proposed by a US Senator to add jail time for C Levels for certain regulatory reporting omissions has not yet been generally accepted by other Senators. However, there are many other penalties a regulator or the public can impose on a company that has suffered a successful hack, such as a fall in your company’s stock price, loss of customers, accrual of fines and decline in corporate image. All of these would be accurately viewed as your responsibility to have prevented.

Perhaps as significant as the negative impact of a successful hack that allowed personal data to be stolen would be the positive effect of protecting your customers’ personal data and being able to show that, even though you were hacked, only encrypted data was taken and your customers are safe! There are ethical and professional reasons to protect your customers’ personal data, because grave harm can result from theft of personal data, but imagine how loyal customers would become if they knew you respected them enough to take the steps necessary to really protect them.

To give yourself a complete and accurate picture of your data vulnerabilities I would suggest that you consider outside resources to audit and validate your readiness. Look for a resource that can bring advanced technology to the task, has a deep understanding of GDPR and other Regulations, and is independent of other vendors in your company. If they report directly to you, their information will be honest and unfiltered so you can more easily accept it, and act upon it accordingly.

Why is advanced technology important? Data is never stagnant; it keeps changing, and new entries are made daily, or really second by second. A ‘clean, secure’ database can become ‘dirty, insecure’ very quickly, and you will need to re-evaluate your readiness on a regular basis. To complete the first assessment, choose a knowledgeable resource that can install software that will process your data and create reports identifying your weaknesses and strengths. Once the software and APIs are installed and proven to function in your environment, you can re-process your data whenever you feel it is appropriate with your own resources.

Assessments of your current data environment are described as Data Protection Impact Assessments (DPIAs) and contain reports indicating where unencrypted, potentially exposed personal data exists in your environment. The DPIA should also include a plan to remediate the weaknesses discovered. It is possible to complete the original DPIA in just weeks to a month or two, while updates might take just a week, depending on the volume of company data assets of course. It has been reported that just having a DPIA in hand could greatly reduce your fines and penalties, even if that plan is not yet implemented.

For just a small fraction of the cost and time to become compliant, you have significantly reduced the potential fines that would otherwise be imposed. You also have a remediation plan created by an expert that you can use to compare against what you are being told from other sources. That expert may also be able to execute the remediation plan more quickly, based on their plan and application.

What has given me great optimism for eventual regulatory compliance by many of the largest 2000 companies is the increasingly large number of Big Data projects being initiated. It is my belief that Big Data is the best environment for true regulatory compliance Discovery and planning as it has enough storage and processing power to truly tackle the problem. It is simpler to generate, store and access the large volumes of Metadata required to identify exposed personal data and to point directly to the rows and columns where it was found. The metadata can be coupled with intelligent APIs to encrypt the personal data located in your existing production applications while securely connecting to decryption keys to decrypt a single customer’s data when it is needed for your Point of Sale, Analytics or customer service applications.

The goals of Big Data projects being initiated today should include encryption and decryption of data while it is present in the Big Data environment, to protect against hackers. It is my opinion that, by using intelligent software, that protection can be extended to a company’s legacy data as well. A good DPIA can show you just how to accomplish this.
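The discovery, metadata and per-customer encryption flow described in the two paragraphs above, as an added example in Go that is not part of this article or of any product it alludes to: a scan over a constructed table extract records the row and column of every cell that looks like unencrypted personal data (the DPIA metadata), those cells are encrypted in place under a key minted for each customer, and one customer's cell is decrypted on demand as a point-of-sale or customer-service lookup would. The regex detector, the in-memory key vault and the table layout (column 0 holds the customer id) are my assumptions.

```go
package main
import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "encoding/base64"; "errors"; "regexp")

// Finding is the DPIA metadata the text describes: row and column of an exposed personal-data cell.
type Finding struct{ Row, Col int }
// Constructed detector for e-mail addresses and phone numbers; a real scan would use richer rules.
var personal = regexp.MustCompile(`^([^@\s]+@[^@\s]+\.[a-z]{2,}|\+?[0-9][0-9 -]{7,})$`)
// Scan walks a table extract (column 0 = customer id) and records every unencrypted personal-data cell.
func Scan(rows [][]string) (found []Finding) {
	for i, r := range rows {
		for j, v := range r {
			if j > 0 && personal.MatchString(v) { // column 0 is the customer id, never a finding
				found = append(found, Finding{i, j})
			}
		}
	}
	return found
}

// Vault holds one AES-256 key per customer, so a single customer's data can be decrypted on demand.
type Vault map[string][]byte
func (v Vault) aead(id string) cipher.AEAD {
	if v[id] == nil { v[id] = random(32) } // first use of this customer: mint their key
	block, _ := aes.NewCipher(v[id])       // cannot fail: the key length is fixed above
	g, _ := cipher.NewGCM(block)
	return g
}
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) } // a failing CSPRNG is not recoverable
	return b
}

// Remediate encrypts each flagged cell in place under its customer's key; the 12-byte GCM nonce is prepended.
func Remediate(rows [][]string, findings []Finding, v Vault) {
	for _, f := range findings {
		g, nonce := v.aead(rows[f.Row][0]), random(12)
		ct := g.Seal(nonce, nonce, []byte(rows[f.Row][f.Col]), nil)
		rows[f.Row][f.Col] = base64.StdEncoding.EncodeToString(ct)
	}
}

// Reveal decrypts one cell for one customer, as a point-of-sale or customer-service lookup would.
func Reveal(rows [][]string, v Vault, row, col int) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(rows[row][col])
	if err == nil && len(ct) < 12 { err = errors.New("cell is not an encrypted value") }
	if err != nil { return "", err }
	pt, err := v.aead(rows[row][0]).Open(nil, ct[:12], ct[12:], nil)
	return string(pt), err
}
```

Re-running Scan after Remediate returns no findings, which is the check a follow-up DPIA update would make against the same table.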

I estimate the effort to become truly GDPR Compliant without comprehensive technology would be close to 3 years, while it might only require a year with the right architecture and software.

So as a C level, what can you do? A first step is a Data Protection Impact Assessment. This can take place in just weeks or a couple of months. Next, build the remediation plan. Yes, this is a bit more complex, for many reasons. It has to include encryption or sequestering of data, and it needs to allow production Point of Sale, Customer Service and other related systems to operate as they always have. This process might also be accomplished in a month or two. The final stage is to implement the Remediation Plan, which will vary according to how well the plan was created and whether the plan includes intelligent software and APIs.

