Risk-Based GDPR Compliance with FAIR – Q&A with European Chapter Co-Chairs Christophe Foret and Tom Callaghan of C-Risk
With the third anniversary coming up for enforcement of the EU’s General Data Protection Regulation (GDPR), it’s a good time to check in with our European FAIR Institute Chapter Co-Chairs for a read on the regulatory climate.
The short answer: As the regulators get tougher, the need grows for the transparent, quantitative approach that FAIR™ (Factor Analysis of Information Risk) brings to risk management. Christophe Foret is President and Tom Callaghan is Co-Founder of C-Risk, the Paris-based risk management consultancy.
Q: GDPR regulations have been in force for three years now. What’s the maturity level of the organizations you deal with, in terms of compliance?
Tom: People start with the absolute minimum. They only do what they feel they must do to avoid getting sanctioned by the DPAs [the data protection agencies for each EU nation].
People tend to focus on their external-facing posture, working on the privacy policies of their websites, which is easy to do. But they haven’t worked on classifying their data or training their workforce on how to process personal data.
The attitude for many has been “We’ve done nothing about it for years and nothing happened.” In the first few years, the DPAs just went after the big offenders but that’s going to change. They will increase their capability and get better at identifying non-compliance.
Q: What are the common misconceptions about GDPR?
Christophe: When many people think about GDPR they think of the 4% revenue fine [the maximum penalty]. The reality is that out of more than 280,000 notifications, 600 fines were imposed, with 8 exceeding 10 million euros, the largest to this day being 50 million.
We try to explain to them that they should think in terms of risk scenarios to understand their actual exposure and what’s worth the investment. You have to protect personal information, but you can't do everything at once either. There needs to be some arbitration in what you deal with first.
The regulators recognize that it is a journey and they have recommended you take a risk-based approach when planning your internal processes and controls.
Q: Risk scenarios – sounds like a job for FAIR.
A good first step is also to identify the biggest PII data repositories, make sure your current business processes comply with regulations and there is a strong data breach incident policy. That’s a good starting point because if anything goes wrong, it’s the way the regulators will look at the incident.
Then we can define risk scenarios. A data breach of PII data is what most people think about but other scenarios exist. There are loss events in which regulators impose fines and judgements for failure to follow regulations, for instance on obtaining consent to collect data or giving data subjects access to their data.
From there we gather data as in a typical FAIR analysis and quantify the loss exposure, in particular drawing on the various levels of fines levied by DPAs.
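The scenario quantification described above, as an added Python example (not C-Risk's or the FAIR Institute's code): a small FAIR-style Monte Carlo for one regulatory-fine scenario, plus a net-benefit check for a proposed control. Every input range is a constructed assumption for illustration, not a calibrated estimate from the interview.

```python
import math
import random

# Constructed, illustrative inputs for one GDPR loss scenario: a DPA fine for a late
# or incomplete breach notification. All values are assumptions, not regulator data.
SCENARIO = {
    "events_per_year": (0.5, 1.0, 3.0),         # reportable incidents: min / most likely / max
    "p_fine_per_event": (0.05, 0.15, 0.30),     # chance an incident ends in a fine
    "fine_eur": (20_000, 250_000, 10_000_000),  # fine magnitude, long right tail
    "response_eur": (10_000, 50_000, 200_000),  # legal and notification cost per fined event
}

def pert(rng, lo, ml, hi, lam=4.0):
    """Sample a modified PERT distribution from a calibrated min / most likely / max."""
    if hi == lo:
        return lo
    a = 1 + lam * (ml - lo) / (hi - lo)
    b = 1 + lam * (hi - ml) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)

def poisson(rng, lam):
    """Knuth's Poisson sampler: how many incidents occur in one year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(scenario, years=10_000, seed=7):
    """Monte Carlo over simulated years; returns annualised loss statistics in EUR."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        rate = pert(rng, *scenario["events_per_year"])
        p_fine = pert(rng, *scenario["p_fine_per_event"])
        loss = 0.0
        for _ in range(poisson(rng, rate)):
            if rng.random() < p_fine:  # the incident becomes a loss event
                loss += pert(rng, *scenario["fine_eur"]) + pert(rng, *scenario["response_eur"])
        annual.append(loss)
    annual.sort()
    pct = lambda q: annual[int(q * (years - 1))]
    return {"ale": sum(annual) / years, "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "max": annual[-1], "p_loss_year": sum(1 for x in annual if x > 0) / years}

def control_benefit(before, after, annual_control_cost_eur, **kw):
    """Net annual benefit of a control that changes the inputs (e.g. early DPA engagement)."""
    return simulate(before, **kw)["ale"] - simulate(after, **kw)["ale"] - annual_control_cost_eur
```

Lowering `p_fine_per_event` models an incident response process that engages the regulator early; comparing the resulting ALE reduction with the control's cost is the arbitration step the interview describes.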
Q: With loss exposure quantified, you can move on to identify controls investments or other mitigation.
Tom: Yes, now, there are no-brainer controls on the right side of the FAIR model. Something will go wrong, so you need a good incident response process where you engage the regulators straight away.
That's the most important thing in GDPR. If something goes wrong, you must call the regulators and be transparent and ask for their help. Document your processes and keep an audit trail – many of the potential fines come from not responding in a given time frame. And you can use FAIR to justify the choices you made.
Technical solutions might be DLP or encrypting data. The solution might more likely be changing business processes to only capture the minimum amount of PII for the task at hand. There are also contractual controls, such as ensuring third party data processors are identified and a data processing addendum is in place. GDPR is not an IT problem, it’s mainly a business process problem.
Q: What’s the most value from applying FAIR to GDPR compliance?
Christophe: Just as with any other risk, FAIR allows you to articulate the specific type of risk in terms understood by all stakeholders in the business as well as the regulators, and to take a step back and understand where your risk is and what drivers are influencing it. Otherwise, people just go into GDPR as if it’s a list of 50 things and I can only do 10, so I’ll do the first 10.