GDPR Beyond Compliance: How RESILIA™ can help you build trust and add value
Introduction: RESILIA and GDPR
Even if there were no laws about privacy or an individual’s right for their personal data to be handled appropriately, there would still be tension between the desire of ordinary people to maintain some degree of privacy and the desire of organizations to access their personal data. Organizations want this access to enable them to offer goods and services to customers, to help them target their offers at the right people, to manage their staff, to meet legal obligations, and for many other purposes. Clearly this is not, in itself, a bad thing. Customers and employees are generally happy to share some of their personal data so they can interact with companies more effectively, and receive and make use of the goods and services they offer. Consider a very simple case of someone making an online purchase. They need to provide their name and address to the company they are buying from so the goods can be dispatched and invoiced to the correct person and address. They may also be comfortable providing their phone number or email address in order to receive notifications regarding the status of their purchase. This is all private information, but people are happy to share it because it means they get value that they would otherwise not receive.

There are many other reasons why a customer might agree to share their personal data with an organization. They may want the company to retain their data to make it easier to buy goods and services in the future, to receive regular marketing information, or to make use of a forum or channel the company provides to communicate with their friends or fellow customers. Equally, there are many reasons why an organization might wish to retain personal data about their customers. As we have seen, some personal data is essential if they are to deliver goods and services. Other data enables them to analyze previous sales and improve their business. They may want to contact people to tell them about new goods or services, or to personalize the customer’s experience of their website. They may simply need the data to provide a forum or channel where people can interact with each other.

However, if sharing information leads to a deluge of unsolicited letters, text messages, phone calls, or emails offering products they are not interested in, people will not be happy. It’s even worse if customers find out that their data has been shared with third parties without their express permission, or has been leaked and exploited by other actors. They may tell everyone they know to avoid sharing information with the organization concerned because it can’t be trusted. If this happens often enough then the reputational damage can be so severe that the organization may find it hard to remain in business.

Organizations need people to share their personal information; people need to trust the organization before they are happy to share. Such trust can be hard to build and is easily lost. It takes time and effort, but the return is increased value for both the organization and its customers.
Many governments around the world have introduced regulations to help protect the way personal data is used. In some countries, like the USA, there are industry-specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) which protects personal data about health. In other countries, such as those in the European Union, there is a more general right to privacy. Until May 2018, each European country will manage its own data protection laws, although the laws are all similar as they must conform with the existing EU Data Protection Directive.

From May 2018, there will be a single EU-wide law (GDPR) that will apply to all EU countries and all organizations doing business in those countries. This includes the UK, as ‘the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR’.

To achieve GDPR compliance, organizations need to be familiar with a number of key terms and concepts. These include:

[Figure: key GDPR terms and concepts. Labels recoverable from the diagram: Accountability; Fair and lawful processing; Privacy policy; Security; Up-to-date; Complete.]

• Ask permission
If you ask your neighbour for permission to borrow their car to go to the shops, they would not expect you to use it to take your family on holiday or to allow someone else to drive it, and they would obviously be outraged if you attempted to sell it! Similarly, when you use someone’s personal data, you must ensure fair and lawful processing, with no abuse or sharing without further consent.

• Maintain trust
What is RESILIA?

RESILIA: Cyber Resilience Best Practice and the professional certification which derives from it will prove extremely helpful to any organization preparing for GDPR, as the following section of this paper will illustrate. However, to appreciate how RESILIA can help your organization achieve these goals, we will begin by providing a brief explanation of what RESILIA is.

As the name suggests, RESILIA: Cyber Resilience Best Practice is a body of best practice that can help an organization to improve its cyber resilience. In particular, RESILIA guidance shows how an organization can build a management system (i.e. the framework of processes, policies and procedures that allow it to achieve its goals) which encourages collaboration between the people who plan and manage IT services, and the people who plan and manage information security. In the digital age, without such close collaboration between these parts of the business, meeting the data protection requirements of GDPR is likely to prove very difficult.

The most well-known best practice for ITSM is ITIL®, and many organizations have adopted ideas from ITIL to help them plan, build, and run IT services. Since RESILIA is based on the ITIL lifecycle, it is very easy for organizations who have already adopted ITIL to adopt RESILIA, facilitating collaboration between their ITSM and information security staff. However, it should be stressed that organizations which do not use ITIL-based practices can still harness real value by adopting RESILIA.

RESILIA starts from the ITIL lifecycle to approach the management of cyber resilience risks. This lifecycle starts with cyber resilience strategy, and proceeds through design and transition to operation. It also considers continual improvement of cyber resilience as a core competence. At each stage of this lifecycle, … depends on to protect its critical assets, including, of course, its customer data.

There are many processes that need to work in synergy to deliver cyber resilience. Some of the more important are:

Patch management
Many attacks succeed because organizations have not installed patches that would have …

Joiners, movers, and leavers
Organizations need to know who requires what access to which systems and data, and to ensure that such access is removed as soon as staff no longer need it. Outdated credentials are often used in successful breaches. There are many …

[Figure: the RESILIA lifecycle. RESILIA starts from the ITIL lifecycle to approach the management of cyber resilience risks. This lifecycle starts with cyber resilience strategy, and proceeds through design and transition to operation. Diagram labels: Strategy; Design; Transition; Operation; Continual improvement.]

RESILIA describes how an organization can manage cyber-risk by integrating IT service management (ITSM) processes and activities with the required cyber resilience controls and activities. This may be done by creating a single joined-up process, or by identifying and managing the required interfaces and data-sharing between the related processes and controls.

4.1 The need for balance
One of the main organizing ideas in RESILIA is the concept of balance. Each organization needs to take a balanced approach to all aspects of cyber resilience.

4.1.1 Prevent, detect, respond and recover
RESILIA recognizes that it is important to take appropriate precautions to prevent data breaches, whilst acknowledging that, however much you invest in prevention, it is not possible to prevent every breach. Additionally, if it takes a long time to detect the breach, and the wrong recovery actions are attempted, then what might have been a minor embarrassment can turn into a major catastrophe. RESILIA encourages organizations to consider how they will detect breaches when they occur, and how they will then respond. Planning and investment in controls designed to prevent breaches should be balanced with planning and investment in controls to detect and correct them. … were securing, recovery becomes difficult, time-consuming and expensive.

4.1.2 People, process and technology
While investment in security technology to protect against cyber breaches is essential, investment in people and processes is equally important. Although a major contributor to most security breaches is employees unwittingly doing the wrong thing, simply telling staff that they are the biggest threat to security, or pointing fingers at culprits after the fact, will not change their behaviour. RESILIA emphasizes the need to bring about and sustain organization-wide behavioural change. Rather than simply relying on the latest security software, it is much better, indeed essential, to also train your people to become part of a ‘human firewall’, preventing, detecting and correcting incidents.
How can RESILIA help you prepare for GDPR?
As we have shown, many activities are needed to prepare for GDPR, but an organization where staff have been trained in RESILIA, and where ideas have been adopted from RESILIA to inform how staff work, will be in a great position to meet this challenge and indeed prosper from it.

While this section of the paper is primarily about the role that can be played by specific processes or activities that are recommended by RESILIA, the most important overall idea to grasp is this: your organization needs a formal management system, and this management system needs to be able to produce records that show both what it planned to do, and that it has done what was planned. This is because a key difference between GDPR and earlier privacy laws is the requirement to demonstrate that you have taken appropriate steps to identify and protect personal data. In other words, you must be able to provide records. Organizations that adopt practices from RESILIA when they design their ITSM and information security management systems will be in a good position to produce these records as and when required.

It is likely that one of the early activities to be undertaken in your organization’s preparations for GDPR will be identifying all the personal data that your organization holds. Knowing what data you have, why you have it, and where it is stored is essential to such planning. RESILIA describes how the management of asset information (including a clear and detailed data register and data handling policy) needed for cyber resilience planning can be integrated with the slightly different requirements of ITSM asset and configuration management. This integrated asset and configuration management process can provide an authoritative source of information about personal data for use in planning, as well as for audits when the organization needs to show that they have undertaken due diligence and are handling their personal data with due care.

Collaboration between information security and ITSM, and the integration of related activities by the legal team and HR, can contribute to meeting GDPR requirements in many ways. GDPR is fundamentally about managing risk to personal data and complying with the rights of data subjects. RESILIA is about managing risks to information, and many of these risks are highly relevant to GDPR. Here are some examples of how practices from RESILIA can help an organization to meet the needs of GDPR compliance.

Lifecycle approach
GDPR requires ‘privacy by design’. This means that privacy and data protection compliance need to be built in to projects and services from the start, rather than being added on later. The RESILIA lifecycle starts with strategy and design phases to ensure that this happens.

Governance
Governance of IT ensures that the owners of the organization set the direction for everything that is done. There have been numerous cyber breaches which have resulted in fines or resignations at board level, and this helps to illustrate the importance of governance in cyber resilience. Boards will also be held accountable for breaches of GDPR, as well as for every other aspect of data protection and cyber security, which means that governance is essential for directing everything done within IT. Integrated governance of IT and information security can help the board (or equivalent body) to ensure the whole organization is working to common objectives, including common data protection objectives. It is worth noting in this context that the maximum fine for a breach of GDPR regulations can be extremely high, up to 4% of global turnover of the organization for the worst offences.

Risk management
The organization must be able to show that it has applied suitable risk management to identifying, prioritizing and managing cyber resilience risk, including risks to personal data. RESILIA describes a risk management methodology that can be used for this purpose. Many requirements of GDPR are about managing risks to personal data. It requires that formal risk assessment and management is carried out, and that records exist to show that this has been done. The approach described in RESILIA could make a significant contribution to this requirement.

Policy management
Many policies must be defined (and followed) to enable compliance with GDPR. For example, every organization must have a data protection policy, a privacy policy and many others. GDPR provides guidance on the required content for these policies; RESILIA provides guidance on how the policies can be effectively managed. Policies must be communicated to, and understood by, everybody who needs to follow them. They must be followed, and there must be evidence to show that they are being followed. Since so many of these policies relate to how IT services are planned, built and operated, it is essential that these policies are integrated with the design and management of IT services and ITSM processes. Organizations can make use of the guidance offered by both ITIL and RESILIA to facilitate policy production and management.

Business relationship management and stakeholder management
These processes ensure that IT has understood the requirements of their partners and stakeholders, and that these requirements are fed into the strategy and design of IT services and information security practices. Integrated business relationship management and stakeholder management can ensure that cyber resilience requirements, including those requirements pertaining to personal data, are considered alongside other requirements when the organization is making investment decisions, or is planning new or changed IT services. The RESILIA portfolio also provides awareness training and other materials that can be used to help break down barriers between IT and their customers (both internal and external), to ensure that there is a common language and understanding of cyber risks.

Recruitment and training
Staff who handle personal data must be trained in how it should be managed. Organizations that take into account cyber resilience when recruiting and training people, especially IT, legal and HR staff who may have privileged access to sensitive data, will be able to ensure that the staff managing personal data are suitably trained. RESILIA explains the key issues that should be considered, and how these should be integrated rather than carried out as separate activities.

Supplier management
There are many cyber resilience risks related to the use of suppliers, and some major breaches of personal data have been caused by ineffective supplier (third party) management. Cyber resilience must be integrated with other aspects of how suppliers are appointed and managed. Suppliers can be a significant risk to personal data and GDPR has various requirements that relate to the management of suppliers. These requirements cannot be managed in isolation from other aspects of managing those suppliers. The integrated approach described in RESILIA is an ideal way to ensure that GDPR requirements for supplier management can be met.

Service level management
GDPR has a number of specific requirements that require organizations to collect and collate information in limited timeframes. For example, they must respond to a subject access request (SAR) within one month, providing a data subject with information about all data held about them, and how it is used. A service level agreement between the data owners in the business and the people in IT who can provide this information will help to ensure that these times can be met.

Change and release management
Uncontrolled changes can introduce major cyber resilience risks, leading to breaches of personal data, so it is essential to manage all changes to IT systems and services. It is not possible to run two separate change management processes, one to consider cyber resilience risks and another to manage IT changes. There must be a single integrated change management process that ensures the organization is protected. This does not mean that the organization needs an old-fashioned, bureaucratic process with senior managers sitting round a table to discuss every change, but it does mean that someone must be accountable for considering each change and ensuring that the potential impacts are understood.

Testing
Changes and releases should be tested to ensure that they behave as expected, and clearly this must include security testing. It is also essential to test cyber resilience controls on a regular basis to ensure that they are still performing as required. Even if cyber resilience testing is separate from other functional and operational tests, there needs to be a coordinated approach to ensure that test coverage is complete, test data is appropriate, and results of tests are communicated.

Access management
Granting and revoking access to IT systems and data should be an integral component of an HR joiners, movers and leavers process, and should also be integrated with the ITSM process used to fulfil service requests. RESILIA describes the essential requirements for this integration across different parts of the organization.

Incident management and continuity management
There are many different types and sizes of security incident. An effective security incident management process needs to include the ability to log and manage each of them, ranging from a minor virus infection of a single laptop to a major breach of personal data. It also needs to be integrated with the business processes for continuity management and crisis management. One important aspect of incident management is rehearsals and scenario testing. By running practice sessions with the staff who are likely to be involved in managing a real cyber incident, the organization can help to ensure that people take the correct actions when acting under pressure.

GDPR has a requirement that breaches are notified to the regulator within 72 hours. This breach reporting must include information about the people affected, the records breached, the potential consequences, and the actions that have been taken to manage the situation. To do this requires efficient and effective incident management through which the risk is contained and what has happened is documented, all within this very short timeframe. The approach to incident management described in RESILIA can help to ensure this requirement is met.
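The access management and joiners, movers and leavers passages above describe the check (access removed as soon as it is no longer needed, outdated credentials found before they are misused) but not how to run it. As an added example, not from the paper or from RESILIA, the following Python reconciles a constructed HR roster export against a constructed account listing and flags leavers, movers, orphan accounts and dormant credentials; the field names and the 90-day dormancy threshold are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data for this example (not from the paper): an HR roster
# export and an account listing pulled from IT systems. Field names are assumed.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance", "changed": date(2017, 9, 1)},
    "bob":   {"status": "left",   "role": "sales",   "changed": date(2018, 1, 15)},
    "carol": {"status": "active", "role": "support", "changed": date(2018, 2, 1)},
}
ACCOUNTS = [
    {"user": "alice", "system": "ledger",   "role": "finance", "last_login": date(2018, 2, 20)},
    {"user": "bob",   "system": "crm",      "role": "sales",   "last_login": date(2017, 12, 30)},
    {"user": "carol", "system": "ledger",   "role": "finance", "last_login": date(2017, 11, 2)},
    {"user": "carol", "system": "helpdesk", "role": "support", "last_login": date(2018, 2, 21)},
    {"user": "dave",  "system": "crm",      "role": "sales",   "last_login": date(2017, 6, 1)},
]


def review_access(roster, accounts, today, dormant_after=timedelta(days=90)):
    """Reconcile IT accounts against the HR roster.

    Returns a sorted list of (category, user, system, detail) tuples:
      leaver  - account still exists for someone HR records as having left
      mover   - account role no longer matches the person's current HR role
      orphan  - account with no HR record at all (no joiner event explains it)
      dormant - credential unused for longer than dormant_after
    One account can raise more than one finding (e.g. a leaver that is dormant).
    """
    findings = []
    for acct in accounts:
        user, system = acct["user"], acct["system"]
        person = roster.get(user)
        if person is None:
            findings.append(("orphan", user, system, "no HR record"))
        elif person["status"] != "active":
            overdue = (today - person["changed"]).days
            findings.append(("leaver", user, system, f"left {overdue} days ago"))
        elif acct["role"] != person["role"]:
            findings.append(("mover", user, system,
                             f"account role {acct['role']} but HR role {person['role']}"))
        idle = today - acct["last_login"]
        if idle > dormant_after:
            findings.append(("dormant", user, system, f"unused for {idle.days} days"))
    return sorted(findings)


def revocation_requests(findings):
    """Accounts to hand to the ITSM service-request process for removal or
    re-scoping: every leaver, orphan and mover finding, deduplicated."""
    return sorted({(f[1], f[2]) for f in findings if f[0] in ("leaver", "orphan", "mover")})


def sample_review(today=date(2018, 3, 1)):
    """Run the review over the constructed data as of a fixed review date."""
    return review_access(HR_ROSTER, ACCOUNTS, today)


if __name__ == "__main__":
    for finding in sample_review():
        print(finding)
    print("revoke or re-scope:", revocation_requests(sample_review()))
```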