Happy Birthday GDPR! – Defending Against Illegitimate Complaints

By John DiMaria; CSSBB, HISP, MHISP, AMBCI, CERP, Assurance Investigatory Fellow – Cloud Security Alliance

On May 25^th we will celebrate the first birthday of GDPR. Yes, one year ago GDPR was sort of a four-letter word (or acronym if you will). People were in a panic of how they were going to comply and worse yet, many didn’t even know if they had to and even worse yet, some just ignored it all together.

The European Data Protection board (EDPB) published an infographic on compliance and enforcement of the GDPR from May 2018 to January 2019. It shows that 95,180 complaints have been made to EU national data protection authorities by individuals who believe their rights under the GDPR have been violated. Two thirds of the most common of these complaints had to do with telemarketing and promotional emails which practically every organization uses as the main tools for communication.

Now, we can discuss the some of the biggest fines levied like Google and Facebook, but that’s been done to death and quite frankly the largest percentage of companies globally don’t fall into the category of Google and Facebook, nor due their budgets even come close.

I would prefer to concentrate on a topic you don’t see covered in the news much…complaints and the time effort and cost to defend yourself even if you’re not guilty.

Think about it, anybody can log a complaint. Whether or not you are in violation is one issue, proving you are not is another. While this is a troubling issue for large enterprises, small and medium size organizations can have a particularly tough time as time money and resources are at a premium. As the EDPB report mentioned, 95,180 complaints have been made to EU national data protection authorities by individuals who “believe” their rights under the GDPR have been violated. As you can imagine this can send a company scrambling to pull all the data and evidence together to not only prove compliance, but to prove the effectiveness of the system. Further, what if you are called out, technically not guilty of the specific infraction logged, but in the course of the investigation major non-conformities are found in your process?

So what is the best way to protect yourself and ensure not only compliance, but readiness, both from a process and forensic perspective?

Ensure you have a good solid data governance program in place that covers both security and privacy aspects of your organization. While there are many ways to attack this, cloud service providers and users need to make sure the proper sector specific controls are in place not just generic ones and that your scope is fit-for-purpose. It must cover all of people, process and technology to ensure holistic coverage.

CSA has been researching solutions to address these issues and since 2011 CSA STAR has evolved into a total GRC solution for cloud service providers and it continues to improve.

The Security, Trust, Assurance, and Risk (STAR) Program was developed by the Cloud Security Alliance in order to provide the industry a standard for which enterprises procuring cloud services could make informed data driven decisions.

The STAR program encompasses four key principles of transparency, rigorous auditing, all-inclusive and harmonization of standards providing a single program and a comprehensive suite that covers both security and privacy compliance.

So what level is best for you? You can read our quick reference guide, but gap assessments are always the best starting point. Measure where you are at against where you want to go and act on the differences! Also, this allows you to give yourself credit for your strengths. Many organizations have a lot of good things going on, so just don’t assume you have a major hurdle. A combination of STAR Level 1 and the GDPR Code of Conduct self-assessment (or code of practice) is the one-two punch to the road of due diligence. If you are already certified to ISO/IEC 27001 or you get regular SOC2 assessments, then you may want to also consider STAR Level 2 certification or attestation which not only increases your level of transparency but also assurance because it is third party tested and certified. The GDPR COC is still in the self-assessment stage, but a third-party certification will be available as soon as the European Data Protection Board finalizes all the annexes related to accreditation and certification (est. Q4). However, your submission is vetted thoroughly by our GDPR experts and once approved, you can file a PLA Code of Conduct (CoC): Statement of Adherence Self-Assessment and your organization will be posted on the registry. After publication, your company will receive authorized use of a Compliance Mark, valid for 1 year. You are then expected to revise your assessment every time there is a change to the company policies or practices related to the service under assessment.

There is a small fee to cover administration, maintenance and the vetting process, but it shows due diligence and when you consider the potential millions of Euros in fines you face ( or % of annual global turnover – whichever is higher) for non-compliance[1], the fee is a drop in the bucket for some piece of mind. If you already think you are compliant then the GDPR COC self-assessment can serve as another set of eyes and also provide a public statement of transparency.

It makes sense no matter where you fall in the supply chain to take data privacy seriously. The CSA GDPR COC can help you establish a security-conscious culture. GDPR requires organizations to identify their security strategy and adopt adequate administrative and technical measures to protect personal data. Thanks to CSA’s research, the CSA GDPR COC provides the roadmap that will facilitate your organizations efforts to ensure, your processes will become more consolidated, ensuring good governance, compliance and prove that all important due diligence. Additionally, your data will be easier to use, and you will realize an underling value and ROI.

For more information and to discuss with one of our experts, contact us at [email protected]

[1] Up to €10 million, or 2% annual global turnover – whichever is higher; or for higher violations

Up to €20 million, or 4% annual global turnover – whichever is higher.