Not everything you thought you knew about GDPR is correct, and a corporate governance approach to GDPR is better than a cyber-security approach, says David Froud.
With the General Data Protection Regulation (GDPR) becoming applicable on 25 May this year, time is of the essence. The aim of the GDPR is to better protect the privacy of individuals in the EU and to enable cross-border flows of data by harmonising data privacy law across Europe. It is already law (it entered into force in May 2016); 25 May is the date from which it applies and can be enforced, including the oft-cited penalties.
However, it has introduced almost as much confusion as it has guidance, so for those looking for a summary of the key facts, here are my top four.
GDPR Fact 1: The regulation incorporates data breach fines of ‘up to four percent of global revenues' - right?
Not in the way it is usually quoted. There is so much panic-inducing ‘fake news' from online cyber-security publications, lawyers, cyber-security vendors and even cyber-insurance vendors that it is easy to see why this has become accepted knowledge. In reality:
The GDPR is more than 95 percent about enforcing the RIGHT to privacy, not about the potential LOSS of privacy through a data breach;
Breaching the security obligations themselves (Articles 32 to 34: security of processing and breach notification) sits in the lower tier of Article 83(4): up to €10 million or two percent of total worldwide annual turnover of the preceding financial year, whichever is higher, not four percent; and
Fines are discretionary within those ceilings. Article 83(2) requires the supervisory authority to weigh, among other factors, the technical and organisational measures you had implemented under Articles 25 and 32, so an appropriate security programme will very likely reduce any fine levied.
So while the ‘four percent' language (Article 83(5): up to €20 million or four percent, whichever is higher) is in the GDPR for infringements of the basic principles, the legal basis for processing and data subjects' rights, the context, intent and likely enforcement are a long way off this theoretical maximum. One caveat a practitioner should keep in mind: the ‘integrity and confidentiality' principle in Article 5(1)(f) is one of those basic principles, so a regulator who decides a breach resulted from ignoring security altogether can frame it under the higher tier. The way to stay in the lower tier, and low within it, is to be able to show the measures you took were appropriate to the risk.
What about other common assertions, for example:
GDPR Fact 2: PCI DSS or ISO 27K measures can be extended to encompass GDPR Privacy requirements.
Sorry, but wrong again. Data security does not equal privacy, just as loss of data through a breach does not, in and of itself, equate to a loss of privacy; it is what is done with the stolen data that has the privacy implications. Furthermore, data security represents less than five percent of the 778 lines of the GDPR Articles, and the PCI DSS is, in my admittedly biased estimation, no more than 33 percent of a true security programme. Note too that the GDPR's security article (Article 32) asks for ‘appropriate technical and organisational measures' proportionate to the risk; it is outcome-based and deliberately does not give you a control list the way the PCI DSS does. The only way PCI can help with GDPR is to use the assigned budget to do security properly. Focusing on, say, risk management or encryption, and then strategically selecting and implementing the right technologies, does make sense. But presenting this as the basis for the assertion, when the overwhelming majority of the GDPR has no commonality with PCI or ISO 27K, is a false premise. You will never reach GDPR ‘compliance' using PCI, but you will achieve both PCI compliance and the data-security part of GDPR compliance on the way to real security.
GDPR Fact 3: GDPR should be approached as a corporate governance project, not a cyber-security project.
Agreed! The most important point to take on board is that the vast majority of the GDPR is concerned with establishing a lawful basis for processing the personal data collected, and then only using that data for the purposes it was collected for (the purpose-limitation principle in Article 5(1)(b)). Note that ‘lawful basis' does not mean consent: consent is one of six bases in Article 6(1), alongside contract, legal obligation, vital interests, public task and legitimate interests. My view would be to get this understanding clear first, then establish a team within the organisation, with stewardship from a privacy expert, but including sales, marketing, HR and of course, IT and Information Security. If you really are starting at square one then my Froud on Fraud blog provides plenty of discussion on all aspects of GDPR.
GDPR Fact 4: Every organisation should start out the same way: by mapping their business processes, at both the individual asset and ‘asset interdependency' level.
Agreed again: This part does not require a lawyer, and is something you should already be doing. If you don't even have this in place, you will likely never be able to demonstrate the appropriateness of the ‘extent and proportionality' of your data processing should things go wrong; it is also the raw material for the record of processing activities that Article 30 requires most organisations to keep. The interdependency level matters because personal data rarely lives in one place: a CRM feeds a marketing list, a warehouse feeds reports, and a retention or deletion decision on the source has to be checked against everything downstream. If you have legacy Personal Data, document your plan to remove it over a specific time frame (the storage-limitation principle in Article 5(1)(e)). Even though GDPR and PCI have very little in common, from a data security standpoint some of the concepts are similar. For example, removing legacy cardholder data is one of the initial PCI tasks and likewise, identifying Personal Data and questioning the need for holding it is an equally sensible task for GDPR.
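As an added illustration of the mapping exercise above (example code written for this page, not the author's tooling and not from any GDPR guidance), the script below takes a constructed register of assets that hold personal data, with an assumed set of fields (documented legal basis, agreed retention period, date last used for its purpose, and which other assets each one feeds), and reports three things a practitioner wants from such a map: assets with no documented legal basis, assets past their retention period, and assets that inherit a legal-basis gap from an upstream source. It also answers the interdependency question directly: which assets have to be reviewed before data in a given source is removed. Asset names, dates and field names are all invented sample data.

```python
"""Toy personal-data inventory check: constructed example, not the author's tooling."""
from collections import deque
from datetime import date

# Assumed review date for the sample run (the GDPR application date).
REVIEW_DATE = date(2018, 5, 25)

# Constructed register of processing activities (sample data, not a real organisation).
# legal_basis: the documented Article 6(1) basis, or None if nobody has written one down.
# retention_days: the agreed retention period for the purpose the data was collected for.
# last_used: the last date the data was used for that purpose.
# feeds: other assets that receive personal data from this one (the interdependencies).
INVENTORY = {
    "crm": {"legal_basis": "contract", "retention_days": 730,
            "last_used": date(2018, 1, 10), "feeds": ["marketing_list", "analytics_dw"]},
    "marketing_list": {"legal_basis": "consent", "retention_days": 365,
                       "last_used": date(2016, 3, 1), "feeds": []},
    "analytics_dw": {"legal_basis": None, "retention_days": 1095,
                     "last_used": date(2018, 2, 1), "feeds": ["bi_reports"]},
    "bi_reports": {"legal_basis": "legitimate_interest", "retention_days": 90,
                   "last_used": date(2017, 6, 1), "feeds": []},
    "legacy_backup": {"legal_basis": None, "retention_days": 30,
                      "last_used": date(2015, 1, 1), "feeds": []},
}


def _upstream_edges(inventory):
    """Invert the 'feeds' relation: map each asset to the assets that feed it."""
    rev = {name: [] for name in inventory}
    for name, rec in inventory.items():
        for target in rec["feeds"]:
            rev.setdefault(target, []).append(name)
    return rev


def _reach(edges, start):
    """Every node reachable from `start` over `edges`, excluding `start` itself.
    Breadth-first with a visited set, so a cyclic data flow cannot loop forever."""
    seen = set()
    queue = deque(edges.get(start, []))
    while queue:
        node = queue.popleft()
        if node == start or node in seen:
            continue
        seen.add(node)
        queue.extend(edges.get(node, []))
    return seen


def deletion_impact(inventory, asset):
    """Assets that derive, directly or indirectly, from `asset` and must be reviewed
    before its personal data is removed (sorted for stable output)."""
    forward = {name: rec["feeds"] for name, rec in inventory.items()}
    return sorted(_reach(forward, asset))


def review(inventory, today):
    """Return findings keyed by type; each value is a sorted list of asset names."""
    upstream = _upstream_edges(inventory)
    missing_basis = [n for n, r in inventory.items() if r["legal_basis"] is None]
    past_retention = [n for n, r in inventory.items()
                      if (today - r["last_used"]).days > r["retention_days"]]
    # Derived data cannot have a better basis than the source it came from, so an
    # asset whose transitive upstream includes an undocumented basis inherits the gap.
    inherited_gap = [n for n in inventory
                     if any(inventory[u]["legal_basis"] is None
                            for u in _reach(upstream, n))]
    return {
        "missing_legal_basis": sorted(missing_basis),
        "past_retention": sorted(past_retention),
        "basis_gap_inherited_from_upstream": sorted(inherited_gap),
    }


if __name__ == "__main__":
    for kind, assets in review(INVENTORY, REVIEW_DATE).items():
        print(f"{kind}: {', '.join(assets) or 'none'}")
    print("removing crm data also affects:", ", ".join(deletion_impact(INVENTORY, "crm")))
```

On the sample data the run flags the analytics warehouse and the old backup for having no documented basis, three assets past retention, and the BI reports as inheriting the warehouse's gap even though they have a basis of their own; it also shows that removing data from the CRM touches three downstream assets. The point is not the script but the shape of the register: once assets, bases, retention and flows are written down, these questions become mechanical, and answering them is exactly the evidence of proportionate processing you will be asked for if things go wrong.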
In summary, there is still no such thing as 100 percent security, so if you can demonstrate that your security programme is appropriate to the level of risk, GDPR fines should be the least of your problems.
Contributed by David Froud, director & principal trainer at Core Concept Security, NTT.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.