With GDPR coming into force in less than 100 days, organisations need to make sure they are using security best practices now to ensure they comply with the forthcoming regulation, rather than meeting the bare minimum that current rules enforce, delegates heard at the SC Congress in London.
Speaking at a panel session, Peter Brown, group manager (technology policy) at the Information Commissioner's Office (ICO), told delegates that everything done as best practice today will now “be the legal minimum”.
“If you think forward to GDPR, it has the same principles. But the regulations appear in more places,” he said.
As an example, Brown mentioned article 32, which is the “big one on security of processing which goes into a lot more detail than the equivalent article in the old Data Protection Directive, article 17. And it does mention certain things like pseudonymisation and encryption. It brings the well-known CIA triad into data protection law for the first time.”
“What that all means is everything that is currently thought of as best practice becomes the legal minimum. So take that previous baseline, that's now the minimum, and start to build beyond that.”
Brown said he gets asked how an organisation, such as a small business, can go about this, as it can be difficult to navigate the many different laws and frameworks.
Brown said this may pose challenges for smaller businesses, but the best thing to do in this case was to get the basics right, such as following the Cyber Essentials basic set of technical controls.
“You need to consider the requirements specific to you and look to standard guidance and advice,” he said. He urged organisations to learn from the mistakes of others with widely available lists of common errors such as the OWASP Top Ten.
“In summary, do the basics, identify and improve, make sure you are testing, practicing, auditing, and getting things right. That's what we look at in terms of the technical areas of compliance.”
Also speaking on the panel debate was Ailidh Callander, legal officer at Privacy International. She said that while a good deal of GDPR addressed issues raised by organisations such as hers, there were still problems and limitations.
“GDPR does go some way to protect data in a sense that in order for these rights to be effective, these obligations need to be taken seriously and put into practice in designing, planning, producing and maintaining systems and services.
“But GDPR doesn't go far enough in the sense that it is limited to an extent in its territorial scope. There are carve-outs and exemptions. And there is this issue that it only protects what is defined as personal data.
“In practice, adequate consideration is often not given to whether an individual is indirectly identifiable, whether data is actually anonymised, or merely pseudonymised.”
She said that we are faced with a problem of data exploitation in our daily lives, but at least GDPR offers some tools for addressing these concerns by enforcing privacy by default and data minimisation, and by strengthening the rights of individuals and the security of their data.
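The distinction Callander draws between pseudonymised and anonymised data, and the point about indirect identifiability, is easy to see in code. The following is an added example and is not code from the panel, the ICO or Privacy International: it uses a constructed set of fictitious records, a hypothetical placeholder key, and the assumption that the data controller keeps the pseudonymisation key. It shows that a keyed pseudonym removes direct identifiers but remains reversible for whoever holds the key, that the remaining quasi-identifiers (postcode plus birth year) still single out individuals, and that only after generalising those fields does every record share its attributes with at least one other.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data: fictitious people, fictitious addresses, not a real dataset.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "SW1A 1AA", "birth_year": 1981, "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.org", "postcode": "SW1A 2AA", "birth_year": 1981, "diagnosis": "diabetes"},
    {"name": "Carol Example", "email": "carol@example.org", "postcode": "EC1A 1BB", "birth_year": 1975, "diagnosis": "migraine"},
    {"name": "Dan Example", "email": "dan@example.org", "postcode": "EC1A 1BB", "birth_year": 1975, "diagnosis": "asthma"},
]

# Hypothetical placeholder secret held by the data controller; a real deployment
# would load this from a secrets manager, never from a source-code literal.
PSEUDONYM_KEY = b"controller-secret-key-placeholder"

DIRECT_IDENTIFIERS = ("name", "email")      # fields that name a person outright
QUASI_IDENTIFIERS = ("postcode", "birth_year")  # fields that can single someone out in combination


def make_pseudonym(email: str, key: bytes) -> str:
    """Keyed hash of the identifier. Without the key, a list of known emails
    cannot be hashed and matched against the pseudonyms (unlike a plain SHA-256)."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Drop direct identifiers and replace them with a keyed pseudonym.
    The rest of the record, including quasi-identifiers, is left untouched."""
    out = []
    for r in records:
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["pseudonym"] = make_pseudonym(r["email"], key)
        out.append(row)
    return out


def reidentify(pseudonymised, key, email):
    """What the key holder can do: recompute the pseudonym for a known email
    and look the person up. This is why pseudonymised data is still personal data."""
    target = make_pseudonym(email, key)
    for row in pseudonymised:
        if hmac.compare_digest(row["pseudonym"], target):
            return row
    return None


def min_group_size(records, fields):
    """Smallest number of records sharing one combination of the given fields.
    A value of 1 means some individual is singled out by those fields alone
    (the k in k-anonymity)."""
    counts = Counter(tuple(r[f] for f in fields) for r in records)
    return min(counts.values())


def generalise(pseudonymised):
    """Move towards anonymisation: drop the pseudonym entirely and coarsen the
    quasi-identifiers to the postcode area and the decade of birth."""
    return [
        {
            "postcode_area": r["postcode"].split()[0],
            "birth_decade": r["birth_year"] // 10 * 10,
            "diagnosis": r["diagnosis"],
        }
        for r in pseudonymised
    ]


if __name__ == "__main__":
    pseud = pseudonymise(RECORDS, PSEUDONYM_KEY)
    print("direct identifiers removed:", all("email" not in r for r in pseud))
    print("key holder can still re-identify bob:", reidentify(pseud, PSEUDONYM_KEY, "bob@example.org"))
    print("smallest quasi-identifier group after pseudonymisation:", min_group_size(pseud, QUASI_IDENTIFIERS))
    gen = generalise(pseud)
    print("smallest group after generalisation:", min_group_size(gen, ("postcode_area", "birth_decade")))
```

Running the script shows the pseudonymised table still has a quasi-identifier group of size 1, so a neighbour who knows someone's postcode and birth year can read off their diagnosis without ever touching the key; only the generalised table reaches a group size of 2. The threshold a real release would require depends on the dataset and the threat model, but the check itself is the "adequate consideration" the quote asks for.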