By its very nature, the EU’s General Data Protection Regulation, which comes into force in May 2018, is designed to considerably increase individuals’ rights on personal data.
In particular, it outlines special new provisions and compliance requirements for sensitive personal data, which includes genetic, biometric and health data, and information relating to sexual orientation, race, political opinions and so on.
Evidence gathered via the dark web suggests that sensitive personal data such as medical records is now more valuable for cyber criminals than financial information like credit card details.
If you’re responsible for cyber security, you should therefore be using GDPR as a golden opportunity to get a firmer grip on a key area where attacks are increasing. This is particularly true for organisations like councils, who routinely collect and share citizens’ sensitive data with other organisations, both public and private, to operate effectively. If confirmation were needed that this is the right path to take, it seems that central government agrees, because it recently confirmed in its Cyber Security Regulation and Incentives Review that it will also seek to improve cyber risk management through the implementation of the GDPR.
Under GDPR, compliance will depend in part on having explicit and specific consent for the exact purpose for which data is held or processed. This means that over the next year, organisations need to interrogate all the sensitive personal data they hold to find out whether they have the right level of consent. If they don’t, they will have to delete it. In cases where they don’t have consent but still have ‘legitimate reason’ to keep the data, then it’s likely that they will have to retrospectively pseudonymise or anonymise the data, which is the course of action the GDPR recommends for organisations to achieve compliance. In future they will need to ensure that these privacy practices are embedded by design.
While this will be time consuming, it’s also a great opportunity to reduce entry points and vulnerabilities that are currently exposed to cyber criminals and reduce overall ‘attack surface’. On top of this, organisations should ensure that they or at least their security suppliers have appropriate measures in place to provide active and protective monitoring as well as ongoing testing that will help identify new vulnerabilities as they arise.
One of the much-discussed elements of GDPR is that it requires many organisations to appoint a data protection officer (DPO) to achieve compliance. This includes all public authorities as well as all organisations that carry out “regular and systematic monitoring of data subjects on a large scale” or large-scale processing of “special categories of personal data”.
GDPR specifies that DPOs are responsible for activities including monitoring compliance, educating staff on their responsibilities, providing advice on privacy impact assessments and co-operating wherever necessary with the relevant supervisory authority.
In addition to this, I believe organisations should also ensure their DPOs are cyber security aware and trained. GDPR compliance implies implementing Cyber Security Regulations, so your DPO will need to be up to speed with the latest thinking on cyber security and broader organisational resilience. If they are, they will help to guarantee your data’s security, integrity and accessibility by disseminating cyber security best practice throughout your organisation.
One of the great maxims of cyber security today is that organisational and human factors are just as important as any technical barriers you put in place to prevent attack. The GDPR confirms this, stating that in order to achieve compliance, organisations need to demonstrate that they have robust processes in place for regularly testing, assessing and evaluating the effectiveness of not only technical measures but also the organisational measures for ensuring security.
More than ever, organisations should recognise that managing cyber security under GDPR is about managing processes and people as much as anything else, so they’ll need to think about providing security and GDPR awareness sessions that improve understanding of personal and sensitive data across the organisation. In addition, they should consider scenario-based exercises, red teaming (viewing a problem from an adversary’s perspective) and advanced resilience testing based on both covert and overt scenarios.
James Mulhern, chief information security officer, Eduserv