GDPR security blueprint aids compliance with data privacy regulations
Client: DXC Technology
Challenge:
- Analyze GDPR regulations to understand administrative and technical requirements
- Map applicable GDPR requirements to cyber security architecture
- Perform gap analysis on environment to identify compliance requirements
Solution:
- Created comprehensive GDPR compliance blueprint based on DXC Cyber Reference Architecture
- Help map GDPR requirements against current environment
- Developed “triage” diagnostic tool to help identify and close any remaining gaps
Results:
- Complied with GDPR data privacy rules by applying the blueprint internally
- Delivered GDPR compliance services to customers based on the new methodology
- Increased trust between DXC and customers
Complex rules govern data privacy
It’s not an exaggeration to say the European Union’s General Data Protection Regulation (GDPR) is the most complex and daunting set of rules governing data privacy ever written, with 99 individual articles and stiff penalties for noncompliance.
GDPR protects the personal data of individuals in the 28 EU countries, but it is not limited to European companies: any organization anywhere in the world that processes an EU resident’s personal data, for example because it offers that person goods or services or monitors their behaviour, is subject to the regulation. Not only that, but the GDPR movement is spreading, with at least seven states in the United States, most recently Washington, moving to adopt strict data privacy regulations modeled after GDPR. No wonder GDPR, which officially went into effect in May 2018, was a major concern for DXC Technology’s nearly 6,000 customers, most of whom receive managed IT and cloud services.
In response, DXC Security experts set to work creating a roadmap to compliance. The first step was to wade through the legalese of the GDPR and to determine exactly what actions were required by public and private entities covered by the law. They found that 42 of the 99 articles were administrative items not applicable to DXC customers. But there were 57 articles that did apply, and they fell generally into two main buckets: risk and compliance; and leadership and governance.
“GDPR is the most complex privacy-related set of regulations ever published. We sat down and read the regulations multiple times. Then we mapped the regulations to the DXC Cyber Reference Architecture at the capability level and determined what technical controls need to be implemented to effect compliance,” said Mark Hughes, senior vice president and general manager of Security at DXC.
What is GDPR all about?
GDPR standardized data protection law across all 28 EU countries and imposed strict new rules on organizations that control or process personal data. Note that GDPR’s “personal data” is broader than the U.S. notion of personally identifiable information (PII): it covers any information relating to an identifiable person, including online identifiers such as IP addresses and cookie IDs. Under GDPR, companies are expected to apply data protection by design and by default.
The regulation also flipped control of customer data from the company to the individual. GDPR gives individuals rights with respect to how their data is handled. They have the right to access their personal data, the right to have inaccurate data corrected, and the right to have it erased (the so-called right to be forgotten). They also have the right to restrict processing of their data, and the right to data portability, that is, to receive their data in a machine-readable form and move it from one organization to another. In addition, GDPR requires companies to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it. Penalties for noncompliance can go as high as 4 percent of a company’s annual global revenue or 20 million euros, whichever is greater.
Google became the first U.S. company to run afoul of GDPR when the French regulator fined it 50 million euros (about $57 million) in January 2019 for consent and transparency violations related to its Android phones. And Facebook is currently being investigated for a data breach that could result in fines of as much as $1.6 billion.
Of course, companies should already be protecting customer data, so that part of the regulation is more evolutionary than revolutionary. But GDPR imposes costly and complex requirements in terms of setting up processes for individuals to access and control their information, as well as documenting and verifying that those processes have been implemented in compliance with the regulations.
Nine-step approach
DXC security experts analyzed the GDPR requirements, mapping them against the DXC Cyber Reference Architecture (CRA), a framework of strategies, tactics and capabilities that provides a common language, a consistent approach and a long-term vision to help organizations align security strategies with the business.
Companies have been using the CRA to move from a reactive mode to a high level of cyber maturity. The architecture guide helps companies define how to protect what matters to the business, optimize budgets, avoid financial loss and ensure compliance with laws and regulations. (In 2019, the CRA received a DXC Award for Technical Excellence.)
The result of these efforts is a comprehensive blueprint that lays out an ordered sequence of nine steps to GDPR compliance:
- Step 1: Strategy, Leadership and Governance: Appoint a data protection officer (DPO), establish a GDPR program office, develop mission statements, objectives and policies, map security controls to GDPR and establish audit requirements.
- Step 2: Data Discovery and Mapping: Discover all personal data subject to GDPR, create an asset registry and establish an evidence repository.
- Step 3: Privacy Processes: Document data processing activities and data flows, handle requests from individuals to view, correct or delete their personal data, and take steps to reduce the amount of personal data stored.
- Step 4: Data Governance: Establish cross-border data transfer agreements and conduct personal data risk assessments.
- Step 5: Data Protection: Implement data protection by design and by default, and develop a data protection strategy and implementation plan.
- Step 6: Access Control Review: Improve identity governance and privileged access controls.
- Step 7: Data Life-cycle Management: Improve data backup and retention requirements, data minimization procedures and data life-cycle audit processes.
- Step 8: Data Disclosure Management: Implement personal data breach monitoring and response capabilities, so that a breach can be detected, assessed and notified within the 72-hour window.
- Step 9: Assess Data Protection: Conduct ongoing assessments of the impact of new technologies and applications on data protection.
Building trust with GDPR
DXC security experts used the methodology to identify and shore up any gaps in the existing security readiness of the company, then took that experience and applied it to the GDPR services being offered to customers.
“We foresaw that many customers already have robust data protection mechanisms and processes in place. The diagnostic questionnaire enables customers to identify where the gaps are and to use the specific work packages to quickly close those gaps,” Hughes added.
At its core, GDPR is about building trust between individuals and the organizations that collect their personal data. Companies that demonstrate adherence to sound principles of privacy, security and data protection will gain a competitive advantage.
Complying with GDPR is an effort that takes time and costs organizations money. But companies should consider it an opportunity to build closer relationships with customers and, by extending those same data protection concepts to all enterprise data, to improve the overall security posture of the company.
Services built around the blueprint, and the methodology that has grown out of it, are applicable anywhere in the world where new data privacy regulations take effect and can be extended beyond strict regulatory compliance to help companies protect all of their sensitive data.
Contact us to learn more about DXC GDPR Services.