Privacy by design: Ensuring GDPR achieves its security goals

Compliance is sometimes described as a box-ticking exercise. Bruce Jubb explains why the GDPR must be more than that.

Bruce Jubb, head of UK, Ireland & Nordics, WALLIX

The single biggest change to EU data protection law for two decades, the GDPR, came into force at the start of the year. Its stated aims have the privacy of citizens at their heart, but it is businesses that are facing the ramifications. Companies cannot risk failing an audit. After all, the penalty for doing so could be up to four percent of global turnover.

When faced with a risky, sprawling, costly (in time, resources, or both) undertaking such as this, some companies may be tempted to remain focused on the task at hand – compliance. Taking a step back, it is worth remembering the end goal: making our personal data safer. That means that when we as citizens hand over personal information, it is looked after correctly by every organisation that handles it from that point on, and especially that it is kept out of the hands of criminals, for whom data is a commodity. In general terms, it is a good thing that action is being taken now. The previous data protection laws dated from 1995 and served a world in which computing infrastructure was mainly fixed and in-house. The sorts of data, and the sheer quantities, we deal with now were practically unimaginable 20 years ago.

The problem now is for the people on the ground who need to meet the new requirements. Today, security architectures not only need to protect valuable assets, but also have to be able to show clearly how they are doing so and to fulfil different security norms depending on the sector, the industry, and the national and international regulatory jurisdictions involved. Accountability and audit mechanisms become increasingly important in the search for compliance. However, we need to make sure our search for compliance is aligned with our search for security. Sounds obvious? It's not.

When tackling the GDPR, firms are going to need an inter-departmental task force. When the disparate forces of legal, finance, IT, compliance and, for some, HR assemble, it can be quite a battle to walk away with the solution that is best technically.

However, even assuming the best solution is indeed put in place, by the time the GDPR comes into force it may achieve compliance but not confer leading-edge data security protection. In fact, it is likely that the technology will have moved on by 2018, when the GDPR becomes enforceable.

Time and again in the field of IT security we see compliance setting standards inferior to the technical solutions readily available on the market. If compliance is to be seen as a seal of quality rather than a bare minimum, companies need to aim higher than a box-ticking exercise. Only collaboration can deliver the best-value solution overall.

IT security, operations, compliance: everyone is involved

The GDPR has (rightly) triggered in-depth reviews of data handling practices in affected companies. However, surely this exercise should also be seen as an opportunity for a strategic rethink of data security measures. I could point to any number of high-profile breaches in which the fundamental data protection procedures were flawed. Law firm Allen & Overy urges firms to adopt “privacy by design”, in which privacy measures are embedded into any new process or product. It considers “implementing privacy by design can both demonstrate compliance and create competitive advantage.”

All this has to happen in the age of digital integration, in which more and more devices and users ask for access to network resources. Companies that take the GDPR as an opportunity to gain the very best security makeover possible would do well to start with the access arrangements and data trails of the users who have the most privileged access: the IT admins, sysadmins and super users.

As any number of recent data breaches shows, securing data should start with those who have the most access. Privileged user and access management (PAM) is one way of tackling the issue and should cover application onboarding, maintenance and offboarding. To cover the full life-cycle, it has to start with initial integration into the system, include all changes during the system's lifetime, and end with the system's removal after decommissioning. PAM can check each user's workflow individually to see whether their actions are legitimate.

Privileged user access is just one part of the GDPR compliance puzzle, but the example does illustrate how solutions need to meet the requirements of the GDPR, and hopefully future requirements, while also integrating into existing security architectures.

The benefits of upping security beyond the level dictated by compliance are not as tangible as the penalties of a failed audit. But the indirect consequences of poor security are exceedingly costly – just ask TalkTalk, VTech, Sony, Ashley Madison and so on. One way to incentivise ongoing privacy controls would be for the GDPR to recognise those firms that demonstrate best practice over and above the initial certification. From spring 2018, companies could face an inspection of their practices and procedures at very little notice. This has operated as the “stick” urging companies to achieve compliance. It would be great to see some “carrot” too, in the form of merit awarded when firms clearly take the privacy of their customers' personal data seriously.

Contributed by Bruce Jubb, head of UK, Ireland & Nordics, WALLIX