It’s a question that gets asked regularly: “Which IT security solution will help me with the GDPR (General Data Protection Regulation)?” Answering that question isn’t so simple and, to be honest, the question itself can reveal a lack of understanding not only of the GDPR but also of its potential impact.
The GDPR is focused on personal data, i.e. any information that can potentially identify a person, such as names, photographs, gender or eye colour, although the full list is quite substantial. It does this for two key reasons. Firstly, it creates a set of rights for data subjects over the way their personal data is collected and used. Secondly, it removes the boundaries between European businesses and levels the playing field with respect to the current individual laws of different countries, drawing them into one common standard that governs personal data.
The GDPR focuses on six core principles for collecting and processing personal data:
- Personal data must be processed fairly, lawfully and transparently.
- Personal data can only be collected for explicit, specified and legitimate purposes.
- Personal data must be relevant, adequate and limited to the necessary processing need.
- Personal data must be kept up-to-date.
- Personal data must be retained in a form where the data subject can be identified only for as long as the processing need requires.
- Personal data must be processed in a way that ensures and maintains its security.
Of the six core principles, the main focus is on the way in which a processor, or data handler, is bound by the GDPR. If we look at the technology aspect, the GDPR refers directly to this need in terms of encryption, or even pseudonymisation, as appropriate. Security of personal data is a requirement only in Article 32: the data processor must make sure relevant measures are in place to protect the integrity, confidentiality and availability of their processing systems.
When the GDPR was created, the reliance on technological solutions to comply with the directive was reduced as much as possible. Yes, some technology is required so that any organisation or business can ensure there is sufficient protection of data. But focusing on just this one GDPR core principle in order to sell a specific GDPR or security solution is not in the spirit of the GDPR, or its purpose. It is about securing information, not IT security.
In reality, the GDPR recommends that, should the processing of any data be considered a high risk to the data subject, or contravene one of the six core principles, the data processor should carry out a Data Protection Impact Assessment (DPIA) in order to assess the identified risk. This analysis will essentially highlight any areas of risk that can be addressed either by organisational controls or by technology.
There are no shortcuts and no one size fits all, and it’s for this reason that the GDPR cannot be used to sell solutions. Each organisation will differ, and each will develop a tailored process.
For more information on Cyber Management Alliance, assistance with GDPR Readiness, ISO 27001 Certification, their Live Online CISSP Training & Mentorship program and other courses, webinars, the Wisdom of Crowds live and virtual events, and their Insights with Cyber Leaders series of executive interviews, click here or contact us today.