GDPR is Borderless: A Q&A With Protiviti’s Andrew Retrum

Protiviti's Andrew Retrum explains the misconceptions around the upcoming General Data Protection Regulation (GDPR) and offers tips on developing a comprehensive compliance program.

With potential fines of up to 4% of a company's annual global turnover (or €20 million, whichever is greater) for noncompliance, it's critical that organizations understand the implications of the General Data Protection Regulation (GDPR) and how they can navigate this new legislation, which takes effect in only two months (on May 25, 2018) and represents the most important change in data regulation in 20 years.

FEI Daily spoke with Andrew Retrum, Managing Director with Protiviti, about the new legislation: from who needs to adhere to the regulation to the risk associated with third-party vendors.

FEI Daily: In your conversations with executives, what alarms you most when it comes to GDPR?

Andrew Retrum: First and foremost, there is or, at least, has been a misconception around who needs to adhere to the GDPR regulations. We have heard a lot that 'we are not an EU company' or 'we don't have legal entities in the EU, so it doesn't apply to us,' for example.

And GDPR is borderless: it does not necessarily matter whether you have a legal entity in the EU, it just matters whether you have EU data subjects whose data you hold.

Another good example of that is 'we're primarily a B2B company, so GDPR doesn't apply to us because we don't have customer/consumer information.' When we think of privacy and data protection here in the States, we jump to the consumer side of things, the direct customer interaction, and GDPR is not constrained to that. So your employees, if you have employees that are defined as EU data subjects, or if you're a B2B company and you have business customers and business contact information, GDPR applies to you as well. We're still seeing companies that are just now coming to the realization that this is a concern for them.

FEI Daily: For those unfamiliar, what are the main elements of GDPR?

Retrum: There are a couple of key points of consideration. First, in order to fully comply with the regulation, you have to have a clear understanding of what data you have and where it is located. And that's easier said than done when you start to peel back the onion and think about your business processes and all of the applications, data stores and third parties that may access that information. There are two pieces to that. There's the direct requirement, Article 30 within GDPR, which essentially says you need an inventory of all your processing activities that contain in-scope data. But that's just a small piece of it. Indirectly, you need to make sure that you are implementing controls to meet the regulations around data protection or some of the data subject rights, like the right to access information and the right to be forgotten. In order to deliver on those regulatory obligations, you need to have a very clear picture of where that data is located.

For instance, if Protiviti is engaged with a client of ours, there is an upfront effort, which can take a decent amount of time, to go through process by process and start to map out what systems and what third parties are in scope, so that there's a clear inventory to start from.

The second important point is that, in order to comply, you need stakeholder engagement throughout the organization. Sometimes we see that this is treated as just a compliance exercise. Sometimes we see it driven by the CISO or security leader for the organization. It really impacts operational activities, like HR. It needs involvement from Compliance, Legal and Privacy. There are IT considerations in terms of how you're considering privacy in your application-development process and how you're protecting information within the environment today. And certainly the business plays a role, because they need to be aware that certain data can only be used for specific purposes, and they need to make available to their customers, whether business customers or employees or consumers, the information about the subject rights that may be available to them, and then gather consent, etc. So that stakeholder engagement across the enterprise is also very important.

FEI Daily: Why should special attention be paid to third party vendors who process company data?

Retrum: I spend a lot of time helping clients with their GDPR obligations, but by nature I'm a security practitioner, and one of the key risks that gets realized when it comes to a breach of information is that a lot of times - depending on the study, somewhere around 50 percent of the time - when there's a breach it's not the company that's been exploited. It's the company's third-party vendors. The reality of the situation is that that's not who makes the news; it's the company whose data was compromised. If you think about that, if you think about half the breaches coming from vendors, most companies underinvest in managing that third-party risk, and I think that the GDPR regulations put out by the EU are reinforcing the importance of that point: that you are obligated to make sure your vendors are doing the right thing with your data, whether it's protecting it or using it appropriately. You're not passing along that risk to them when you're sharing that information with them.

FEI Daily: What recommendations do you have for developing a comprehensive GDPR compliance program?

Retrum: How you approach ongoing compliance is very different for companies that have other similar privacy obligations, so those that have PCI, or those in financial services or healthcare, which have other privacy obligations. In those instances, you want to integrate GDPR with your ongoing activities. If you are conducting an annual risk assessment, for example, or if you are assessing your applications for security risk because of other obligations, you should be integrating what's required by GDPR into those existing processes. So you're not creating something new and onerous for the various parts of the business so much as embedding these practices into what already exists.

I think that makes a lot of sense for companies that have other regulatory obligations around privacy and data protection. If you're a B2B company and this is your rude introduction to the world of data privacy and protection, you're going to have to stand up some sort of ongoing monitoring function, likely in Compliance or Legal, that can support ongoing validation that the GDPR obligations are being upheld throughout the organization.

The EU recently published a new website around the GDPR regulation, and it provides some easily digestible infographics that are good for a variety of audiences; certainly the CFO and accounting folks can gain something from taking a look at that.