100 days to GDPR: How Box got ready
While most of the tech world is aware of and working toward GDPR compliance — though many are behind schedule with only 100 days to go — the vagueness of the regulation has caused a lot of uncertainty for tech leaders.
The demands of GDPR require a company to understand who data belongs to, to afford these individuals the right to erasure and access, and to build protection in by design and default, among other requirements.
Compliance and noncompliance can each incur a lot of money and resources, but with fines up to 4% of global annual turnover, the latter is a nonoption. But how is the average CIO, CTO or IT decision maker supposed to know how to get there? It's no small feat, to be sure.
Companies need to look at data protection as a combination of data security and data privacy, according to Crispen Maung, VP of compliance at Box, in an interview with CIO Dive.
The cloud content management company occupies a unique space as both a data processor and data controller and began its compliance journey in 2014 by reaching out to regulators to find out "where the line in the sand was in regards to effective data protection."
How did Box do it?
Looking at data protection protocols already in place can help an organization develop its compliance strategy.
Box settled on the ISO 27002 and ISO 27018 guidelines for their prescriptive measures, and understanding industry-specific data regulations such as PCI and HIPAA can help ensure that controls meet all the necessary bars, according to Maung.
"An organization needs to look at, internationally, what regulations are out there based on the industries that have very precise definitions of controls and is that at a high enough bar that everything else kind of flows in underneath," said Maung.
One measure Box undertook to work with regulators was establishing Binding Corporate Rules (BCR), a mechanism whereby a company defines its data protection policies and submits them to a Data Protection Authority (DPA), which is an independent public authority for each EU member state that advises on data protection and handles GDPR violations.
Over a two to three year process, Box submitted its data protection package to a DPA, which reviewed it and passed it off to two more DPAs for another deep dive; the package was then submitted to the other DPAs for review before finally being approved, according to Maung.
BCRs are the "gold standard for the cross-border transfer of data," and to ensure continuity of BCRs, DPAs have the right to audit companies anytime to ensure practices are up to par.
But compliance outside the borders of a company also matters. GDPR creates contractual pressures between organizations to become compliant because a company can be found at fault if it is sharing data with a noncompliant partner.
To assess its vendors, Box looks at SOC 1 and SOC 2 reports and rate risks the vendor based on its security controls, but the level of scrutiny a vendor is subject to varies depending on the nature of the data associated with it, said Maung.
For example, Box leverages AWS S3 to store content, but all information AWS is sent is encrypted and AWS does not have the encryption key. AWS would be subject to less scrutiny or auditing than another vendor with access to data that is difficult or impossible to encrypt, according to Maung.
GDPR compliance is complex and an ongoing process, but at the end of the day European data regulators are simply trying to make sure that comprehensive data protections are in place and that a company understands what data it has, how that data is being used and what controls are in place to ensure data security and privacy.
The intersection of compliance and leadership
Who carries out compliance can be a source of some confusion.
The average company does not necessarily need leadership with "compliance" in their title, but it does need leadership that understands data and how it is moving through the company, whether that be the CIO, CTO or some other position, according to Maung. Additionally, compliance leadership needs the authority and resources to make changes to how data is being managed.
Right now, a lot of compliance leadership is primarily focused on putting security controls in place, but for effective compliance they need to step back and ask bigger picture questions, according to Maung. These include:
- What is happening with the data?
- How is that data being used?
- Is it being used appropriately, or in accordance with the expectations of the controller or owner of that data?
By answering these questions, a company can get a clear picture of data usage in their organization and the compliance demands it is placing on the technology stack and suppliers.
Follow Alex Hickey on Twitter