[BreachExchange] Don't Confuse GDPR Compliance with Security

Destry Winant destry at riskbasedsecurity.com
Mon Jul 23 20:06:57 EDT 2018


https://www.forbes.com/sites/ciocentral/2018/07/20/dont-confuse-gdpr-compliance-with-security/#7d0a5aa7613d

Overlooking the differences between compliance and security could be
perilous, yet for many businesses the distinction may seem obscure
under the new regime of the European Union’s General Data Protection
Regulation (GDPR), enacted May 25, 2018.

Certainly, the two disciplines are complementary. If data is not
secure, a business could end up in a non-compliant state, and vice
versa. But just because data is compliant with GDPR regulations
doesn’t necessarily mean it is secure. That may sound
counterintuitive, but it’s not.

Part of the issue is terminology: data protection in the GDPR
regulation is not a security term. It’s more about protecting the
rights of individuals over the use of their personal data than it is
about securing that data. Very little of the regulation actually
applies to data security.

Unlike earlier EU regulations that applied only to “controllers” of
data that is collected, the GDPR extends compliance to “processors”
who process data on behalf of controllers. The data controller alone
or jointly with others determines the purposes and means of the
processing of personal data, while processors may be any entity
involved in collecting, recording, organizing, storing, adapting,
disseminating, disposing of, and consulting on operations involving
that data.

In an era of cloud, managed services, and outsourcing, the roles of
controllers and processors make for a very encompassing net in which
to get entangled.

It should be clear by now that GDPR doesn’t just apply to businesses
inside the EU. Organizations outside the EU are subject to its
requirements if they offer goods or services to, or monitor the
behavior of, EU data subjects, even if the data itself is housed
outside the Union.

Now in its second month, GDPR raises the stakes for protecting the
privacy of EU citizens. As every company doing business with EU
residents should be aware, “Organizations in breach of GDPR can be
fined up to 4% of annual global turnover or €20 Million (whichever is
greater).” That’s a pretty big stick to wave in front of any business
executive, although it’s unclear as yet how regulators will move
forward in implementing penalties.

DPO: a defining role

One of the requirements of the GDPR is for the designation of a Data
Protection Officer (DPO) if an organization’s core activities “consist
of processing operations which, by virtue of their nature, their scope
and/or their purposes, require regular and systematic monitoring of
data subjects on a large scale…”

Large organizations will likely create a new DPO function within their
organizations or carve it out of an existing compliance department.
Others may be tempted to designate the CISO or the CIO for this role,
thus muddying the waters separating compliance and security. My
estimate is that 80% of GDPR-related data isn’t even under the control
of CISOs. And while the automation of data processing falls squarely
within the CIO’s duties, the why and the what of data collection,
usage, and disposition are largely the responsibilities of business
departments.

While there is indeed a compliance discipline within IT, it applies to
IT processes. Compliance in the GDPR definition applies to
organizations companywide, such as IT, finance, marketing, and sales.
Just because most data are digitized these days doesn’t mean that IT
understands the purpose or even the content of the information being
stored and processed.

It’s my experience that organizations get caught up in requirements
for compliance sometimes at the expense of good security. Think of it
this way: compliance is viewed with an outside-looking-in lens; in
other words, are we doing what regulators require and expect of us?
Security, however, should be viewed from an inside-looking-out
perspective: what do I need to do to protect my data from unauthorized
access?

The security function is there to apply controls commensurate with the
classification of information, not to define it! Business departments,
in cooperation with IT, are responsible for knowing why data is being
collected, how long it is being retained, and how to ensure data
subjects are able to execute their GDPR-mandated rights to their data.

Do you know where your data is?

From the security viewpoint, if you don’t know where your information
is, which information is critical, and which isn’t, and who has
access, then you are in a less secure situation than you should be,
even if you are currently in compliance with GDPR or other
regulations. That means knowing where and how your information moves,
as well as who has access to it and what they do with it.

Some of the issues that businesses should be focusing on include:

- Understanding the roles of controller and processor in handling your
data. Sounds simple, but the internet is chock full of articles and
commentary that addresses the issue of roles without, in my opinion,
providing much clarity.
- Make sure your service providers commit to GDPR compliance and are
able to document what happens with your data, what type of information
is collected and processed, how long it is held for, and in which
countries this happens.
- Don’t mistake good compliance as a security blanket. Compliance
involves documenting how you adhere to the regulations. Security is
all about understanding how to identify and close the gaps that could
compromise your data.
- Do ensure your GDPR readiness team is cross-functional. If you are
required to install a DPO, don’t assume the CIO or CISO is the best
candidate.
- Update your privacy and security policies and procedures.
- Update procedures and protocols regarding data breach notification.

Compliance is a requirement, not an option. Security can and should be
an essential element of your GDPR strategy. Being able to control,
enforce, and log what happens to your data will bolster your ability
to comply with this new regulatory regime.
