Although the EU GDPR adopts "risk-based compliance" (distinguishing low risk, risk, and high risk) and encourages formal risk analysis, it does not say how organisations should evaluate, assess and measure that risk. The concept of "privacy by design" proposed by GDPR applies naturally to new business initiatives and technology developments, but how should existing processes and environments be evaluated? Since all processing must comply with GDPR, how should "legacy" designs and systems be assessed and managed until they reach their end-of-life?
Questions
Which industry framework is the most "compatible" with the GDPR approach to risk?
How difficult is it to implement in practice?
Can this process, or its individual components, be automated?
Introduction
Risk management can be described as "putting a value on uncertainty" that is not covered by the standard, formal control mechanisms established by the governance and management of the organisation.
Risk management consists of the same steps (Identify, Assess, Control) and has the same objective regardless of the discipline being managed: to ensure that uncertainty does not deflect the endeavour from its business goals.
GDPR, as a data protection framework, falls under the umbrella of InfoSec, and the standards written for financial services providers can serve as "conceptual guidance" for establishing a formal frame and starting point for the risk process that leads to GDPR compliance.
A practical and short description of the risk concept adopted by GDPR can be found on the IAPP website: https://iapp.org/media/pdf/resource_center/GDPR_Study_Maldoff.pdf
1. Overall risk posture – risk profile of the organisation
How risky is the organisation in the light of GDPR: high risk, risk, or low risk?
An initial analysis of risk posture should be performed to establish the "overall classification" of the organisation under EU data protection regulations, and which of the risk profiles described in GDPR applies to it.
Since risk is always linked with value, the size of the operation is the first and most important factor to consider. Examples: scale and complexity of operations, number of records, rate of change, frequency of access/update, channels for data collection and management (storing/processing, update/deletion), complexity and maturity of the IT environment, external access to or sharing of data with contractors, vendors, etc.
A formal basis for risk profiling can be the solid and practical FFIEC assessment tool, which establishes an organisation's inherent risk profile and its cyber-security maturity: the "Federal Financial Institutions Examination Council" Cybersecurity Assessment Tool https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_May_2017.pdf
2. Assessment of specific risks - which business processes are the most “risky ones”, and how they should be managed
The initial assessment should start with an "inventory of data/information" that falls within the scope of GDPR: data mapping should establish the exact scope for compliance, in other words what must be protected, by whom, and how (what data, on which systems, managed by which processes/technology, and who is responsible).
To answer these questions in detail, a formal "scoping exercise" must be performed that incorporates the results of the previous step and assigns an overall monetary value to the GDPR data under protection. After correlating the monetary value of the data with the potential amounts of fines, there should be a good indication of the necessary budget and the range of upgrades that must be implemented to balance the compliance changes with BAU (business as usual):
• Identify Risk – application of GDPR to the specifics of the organisation: definition of what types of data fall within the scope of GDPR in the organisation
• Assess Risk – establishing the GDPR scope: "discovery" of the data that fall within it, as part of a formal business process, including external contractual agreements with 3rd parties and across the IT environment of the organisation. The final result should take the form of a detailed data inventory and information classification
• Control Risk – protection of the GDPR scope: implementation of adequate controls to ensure the confidentiality, integrity and availability of the information (GDPR Article 32 names all three), with a cost/benefit analysis to choose the best value for money and to link the regulatory requirements of data protection with technical and organisational budgets
3. Continuous risk assessment – preventing the ongoing risk of data compromise, modification, or loss
Any formal industry framework, such as the US NIST RMF (Risk Management Framework) or the international ISO/IEC 27005, can be used to implement structured risk management; the choice of specific tools depends on the industry and on the organisation itself. Below is a subjective ranking of the most popular standards and their usefulness in avoiding a data breach, which is in general the main point of GDPR:
• ISO/IEC 27001 – the information security management standard that should serve as the main point of reference where a formal, structured approach to data protection is required. The main criticism of ISO 27001 is its "structure-only" approach, which resembles GDPR itself: although the control objectives are defined in detail (Annex A), there is very little guidance on the methods to achieve them (what to do rather than how to do it)
• ISO/IEC 27005 – guidance for implementing information security on the basis of risk management. It is more detailed than 27001 and genuinely helpful: the objectives and a systematic process for achieving them (context establishment, risk assessment, risk treatment, risk acceptance, monitoring and review) are clearly defined
• NIST RMF – also a very comprehensive framework, but aimed at a wider, "less technical" audience than the ISO 27k family; it requires a less procedural approach during implementation and throughout day-to-day operations when compared with the other standards
• FFIEC CAT – the Cybersecurity Assessment Tool published by the US Federal Financial Institutions Examination Council. It approaches the risk dilemma by first establishing the organisation's inherent risk profile and its current "maturity", and then assigning additional controls (or maintaining existing ones) on that basis; the objective is to fill the gaps in the deficient, i.e. most risky, areas first by implementing the physical or logical/technical controls highlighted during the initial evaluation. The CAT is also mapped to the NIST Cybersecurity Framework, which makes it efficient and straightforward guidance
• PCI DSS – card numbers fall within the scope of GDPR, but more importantly the PCI standard itself can serve as excellent guidance for implementing a complete set of technical and physical controls to protect sensitive data: at a very high level, if the defined "GDPR scope" were protected by a set of controls similar to those applied to card numbers, the risk of data compromise (internal and external) would be vastly reduced. Applying PCI DSS controls to personal data must however be combined with data classification, since PCI has only two categories, cardholder data and sensitive authentication data; with strong user authentication for data subjects (PCI regulates only non-consumer user access, not consumer/end-user access); with the data subjects' rights to access, update and delete their personal records; and finally with the "inverse" allocation of responsibility and ownership between a PCI service provider processing data on behalf of 3rd parties and the GDPR Data Controller/Processor model
• FAIR (Factor Analysis of Information Risk) – the framework consists of ten steps in four phases and is quantitative: it decomposes risk into factors (threat event frequency, vulnerability, loss magnitude) and expresses them as probability distributions, unlike the standards above, which rely mainly on qualitative ratings (high/medium/low). FAIR is "primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events", and should be used to supplement and strengthen the risk processes described above. In the context of GDPR data protection, FAIR's concept of risk focuses on the probable frequency and magnitude of a loss event (rather than on uncertainty in general) and ties the loss to an asset, which aligns directly with GDPR's risk-based approach to data loss
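To make the FAIR approach concrete, and to show the cost/benefit comparison called for under "Control Risk" in section 2, here is an added example (not code from the original article or from the FAIR standard itself) that runs a small Monte Carlo simulation in Python. It assumes calibrated three-point estimates for loss event frequency and loss magnitude, draws them from triangular distributions (a simplification of the PERT distributions usually used with FAIR), draws the number of events per year from a Poisson distribution, and compares two candidate controls by expected loss avoided minus running cost. The scenario, the estimates, the control names, their effect factors and their costs are all constructed for illustration.

```python
"""FAIR-style Monte Carlo estimate of annualised loss for a GDPR data-loss scenario.
Added illustration, not code from the original article; all figures are constructed."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    mode: float
    high: float

    def draw(self, rng):
        # random.triangular takes (low, high, mode) in that order
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: Estimate   # loss events per year
    loss_magnitude: Estimate         # EUR per event: fines, notification, remediation


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    frequency_factor: float = 1.0    # 0.5 = halves how often loss events occur
    magnitude_factor: float = 1.0    # 0.5 = halves the loss per event


def poisson(rng, lam):
    """Number of events in one year at expected rate lam (Knuth's method, fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, control=None, iterations=20000, seed=7):
    """Return one simulated annual loss (EUR) per iteration."""
    rng = random.Random(seed)        # same seed for every run: common random numbers
    ff = control.frequency_factor if control else 1.0
    mf = control.magnitude_factor if control else 1.0
    losses = []
    for _ in range(iterations):
        lef = scenario.loss_event_frequency.draw(rng) * ff
        events = poisson(rng, lef)
        losses.append(sum(scenario.loss_magnitude.draw(rng) * mf for _ in range(events)))
    return losses


def percentile(values, p):
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(p * len(ordered)))]


def summarise(losses):
    return {
        "ale": statistics.fmean(losses),   # annualised loss expectancy
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
    }


def net_benefit(scenario, control, **kw):
    """Expected loss avoided per year minus the control's running cost."""
    baseline = summarise(simulate(scenario, **kw))["ale"]
    treated = summarise(simulate(scenario, control, **kw))["ale"]
    return baseline - treated - control.annual_cost


# Constructed example: exfiltration of a customer database holding GDPR-scope personal data.
CUSTOMER_DB_BREACH = Scenario(
    "customer DB exfiltration",
    loss_event_frequency=Estimate(0.1, 0.3, 0.6),          # once per 10 years .. once per ~2 years
    loss_magnitude=Estimate(50_000, 200_000, 1_000_000),   # fines, notification, remediation
)
CONTROLS = [
    Control("control A: field-level encryption + DLP", annual_cost=30_000, magnitude_factor=0.5),
    Control("control B: extra monitoring service", annual_cost=60_000, frequency_factor=0.8),
]

if __name__ == "__main__":
    base = summarise(simulate(CUSTOMER_DB_BREACH))
    print(f"baseline ALE {base['ale']:,.0f}  p90 {base['p90']:,.0f}  p95 {base['p95']:,.0f}")
    for ctl in CONTROLS:
        print(f"{ctl.name:<45} net benefit {net_benefit(CUSTOMER_DB_BREACH, ctl):+,.0f} EUR/yr")
```

The output shows why a single "high/medium/low" label hides the decision: the expected annual loss is modest (around EUR 140k for these inputs), but the p90/p95 figures show the bad years the budget must survive, and only control A pays for itself at the assumed cost. Reusing the same seed for every run (common random numbers) keeps the comparison between controls stable rather than drowning it in simulation noise.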
Conclusion
InfoSec offers many tools to automate the individual tasks that organisations perform around risk management and data protection. Examples include data discovery and mapping, strong authentication, data loss prevention, and comprehensive risk management suites. GDPR brings an additional compliance burden, but overall it should be seen as an attempt to apply InfoSec best practices for personal data protection across all businesses. The risk-based approach adopted by GDPR offers a range of choices and flexibility in implementing data privacy and the protection of sensitive information. Since every industry has its own frameworks and every organisation its own characteristics, it would be impractical for the regulator to propose more prescriptive procedures. A risk-based approach usually offers the best trade-off in terms of value for money and directs resources to where they are most needed, both at the macro (EU) level and at the company level. The choice of risk frameworks presented above should help with implementing industry best practices to meet GDPR compliance and, once tailored to the conditions of each organisation, they may become a source of competitive advantage by lessening the burden on end-users and improving public confidence in the organisation's operations, brand, etc.