For better or worse, GDPR and security are often wedded together, when the relationship in fact is slightly more complicated. Sarah Clarke, a specialist in privacy, security, governance, risk and compliance with BH Consulting, has picked apart some myths and misconceptions around the subject. She kindly gave us permission to use material she published in her excellent Infospectives blog. It’s well worth reading for anyone whose role involves data protection or security.
In part one, she outlines the media backdrop (clickbait headlines and all). She then goes into detail about what the GDPR really says about security and covers security as a source of privacy risks.
Confusion and misunderstanding
Sarah decided to write the blog partly out of frustration from seeing discussions about privacy, GDPR, and the role of security, where facts were in short supply. “Confusion stems from security vendors and security experts misunderstanding the GDPR, not filtering out their security bias, or willingly leveraging GDPR furore to drive a security-centric agenda,” she wrote.
Privacy experts often note that just one principle in GDPR specifically references security. As Sarah argues, the picture is more nuanced. In the daily reality of many organisations, this works a little differently. Security and data protection intersect where people, process, or technical controls are necessary to minimise the risk of harm to data subjects resulting from a personal data breach – or business as usual processing. The two also meet where a security function’s own people, process, or technical controls involve processing personal data. What’s more, both need to work together when security teams must assess, oversee, and/or pay for GDPR-related change.
Minimising risk to data subjects
“If I had to draw out one fact from everything above that needs to be drilled into the heads of many security practitioners (including me in the early days), it’s this: Data Protection is NOT just about minimising the probability and impact of breaches. Data Protection IS about minimising the risk of unfair impact on data subjects resulting from historical data processing, processing done today, and processing you and your third parties might do in future.”
The second part of Sarah’s blog looks at three myths about GDPR. The first is that the regulation makes encryption mandatory, or that using the technology negates the need for other controls. Second, she tackles the assumption that being certified to ISO27001 effectively ensures compliance with GDPR. Third, she asks whether existing security-related risk management is fit for privacy purposes.
Encryption mandated nowhere
Expanding on the first point, Sarah says encryption is a vital tool but not a mandatory one. “The GDPR doesn’t mandate ANY specific controls. It mentions a couple, like pseudonymisation and encryption, but it is all about control selection based upon your local risks… Rendering data unintelligible is an incredibly effective mitigation for post breach data related harm to both data subjects and the organisation, but it in no way negates the need to apply other security and data protection controls.”
Next, she dismisses the idea that becoming certified to the information security standard ISO27001 is the same as GDPR compliance. However, she adds that certification does help in this way: “The Information Security Management System (ISMS), described in ISO27001, represents a robust way to scope, assess, articulate, document, and manage risks associated with all aspects of organisational security, including personal data security.”
Assessing security risk from a privacy perspective
Lastly, Sarah debunks the misconception that security-related risk management is suitable for privacy purposes. Her reason is that “the assessment of security related risk is pretty poor in general”. Outside certain fields like the military, healthcare, or energy, few consider the impact on individuals or groups of data subjects. As we’ve seen above, this consideration is central to GDPR.
Sarah outlines “unavoidable and critical steps” for determining the rights and freedoms of data subjects. Finally, she wraps up the post with seven practical steps for organisations to review where security, data processing, and privacy meet. Whether you work in a security role or on the privacy side, we encourage you to read the full posts. Both go into great detail and include helpful external links to other resources and discussion points. Our thanks to Sarah for sharing the material with us. You can read her blogs at www.infospectives.co.uk or follow her on Twitter.