GDPR & INFOSEC: Setting the record straight...

Yes, infosec is an important field. I love it. I am proud to be part of that community.

But... There is a lot of FUD about with respect to the applicability of information security to GDPR endeavours. Many have said before me that the GDPR is not an infosec issue (solely), so I won’t labour the point (which I, incidentally, totally agree with!)...

All I want to do is give you an alternative view that actually proves this point, and perhaps help you in your forthcoming information security/ data protection/ data privacy/ risk management endeavours...

Also, for the purpose of this post, I will use the well known CIA triad:

  • CONFIDENTIALITY: a set of rules that limits access to information;
  • INTEGRITY: assurance that the information is trustworthy and accurate;
  • AVAILABILITY: guarantee of reliable access to the information by authorised people.

First of all, the GDPR has 99 articles... If you haven't yet read the regulation, I suggest you start doing that now.

19 articles are specifically related to information security.

That is 19%.

Yes, only 19% of the GDPR articles are related to Information Security.

And of course, we have the Recitals. Please don’t underestimate the importance of the recitals. They appear in the regulation even before we get to Article 1! They help when interpreting the requirements, and of course will be used in a court of law, should it get to that, when trying to assess intent...

The GDPR has 173 recitals...

36 Recitals are related to information security and information risk management.

Yes, only 21% of the GDPR recitals are related to Information Security.

And what I mean by information security, or the management thereof, is of course in the context of an Information Security Management System (ISMS, such as ISO 27001, for example). Again, I won't labour the point, but best practice and all that, you get the gist...

See for yourself:

(If you'd like a PDF copy of the above infographic, I'd be happy to provide)

So how did I come to this?... Simple, look at the information at the bottom of this post for the details (for both articles and recitals).

So... Roughly 20% of the GDPR is infosec related. But let's be clear, the operative word is "related", which means that those 20% are not the exclusive realm of infosec. It merely means that infosec pros need to be part of the overall endeavours and contribute to what is essentially a change management endeavour.

And of course, let's not forget our other beloved triad: People, Process & Technology (incidentally, have you noticed how little technology is mentioned in the whole of the GDPR?...).

Fundamentally, risk management practices will have to evolve to include - as well as managing the risks to the organisation itself - managing the risks to individuals. This is probably the most crucial change brought by the GDPR, and it is a welcome one.

I hope you found this of help and I would love to hear your thoughts!

Until next time,

neirajones

And now for the science...

GDPR Articles related to Infosec:

GDPR Recitals related to Infosec:

Recital 2: [...] right to the protection of personal data [...] contribute to the accomplishment of an area of freedom, security and justice [...]

Recital 4: [...] the protection of personal data [...]

Recital 6: [...] the protection of personal data [...]

Recital 7: [...] data protection framework [...]

Recital 9: [...] data protection across the Union [...]

Recital 11: [...] Effective protection of personal data [...]

Recital 26: [...] The principles of data protection [...]

Recital 28: [...] pseudonymisation [...]

Recital 29: [...] pseudonymisation [...]

Recital 31: [...] public authorities should comply with the applicable data-protection rules [...]

Recital 39: [...] the period for which the personal data are stored [...]

Recital 45: [...] the storage period [...]

Recital 49: [...] the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security [...]

Recital 56: [...] appropriate safeguards [...]

Recital 57: [...] through authentication mechanism [...]

Recital 63: [...] the period for which the personal data are processed [...]

Recital 64: [...] use all reasonable measures to verify the identity of a data subject [...]

Recital 65: [...] where the retention of such data [...]

Recital 71: [...] secure personal data in a manner that takes account of the potential risks [...]

Recital 72: [...] Profiling is subject to [...] data protection principles [...]

Recital 75: [...] The risk [...] identity theft or fraud [...] loss of confidentiality of personal data [...] unauthorised reversal of pseudonymisation [...]

Recital 76: [...] The likelihood and severity of the risk to the rights and freedoms of the data subject [...]

Recital 78: [...] data protection by design and data protection by default [...] create and improve security features [...] When developing, designing, selecting and using applications, services and products [...] take into account the right to data protection [...] make sure that controllers and processors are able to fulfil their data protection obligations [...] also be taken into consideration in the context of public tenders.

Recital 81: [...] To ensure compliance [...] in respect of the processing to be carried out by the processor on behalf of the controller [...] the controller should use only processors providing sufficient guarantees [...] to implement technical and organisational measures [...] for the security of processing. [...] After the completion of the processing on behalf of the controller, the processor should, at the choice of the controller, return or delete the personal data. [...]

Recital 83: In order to maintain security [...] the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

Recital 84: [...] the controller should be responsible for the carrying-out of a data protection impact assessment [...]

Recital 85: [...] as soon as the controller becomes aware that a personal data breach has occurred, the controller should notify the personal data breach to the supervisory authority [...]

Recital 86: [...] The controller should communicate to the data subject a personal data breach, without undue delay [...]

Recital 87: [...] all appropriate technological protection and organisational measures have been implemented to establish [...] whether a personal data breach has taken place [...]

Recital 88: [...] In setting detailed rules concerning the format and procedures applicable to the notification of personal data breaches, due consideration should be given to the circumstances of that breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse [...]

Recital 89: [...] processing operations which are likely to result in a high risk [...] those which in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out [...] [must be notified to the supervisory authority].

Recital 90: In such cases, a data protection impact assessment should be carried out by the controller prior to the processing [...] should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data [...].

Recital 91: [...] large scale operations [...]

Recital 94: Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means [...] the supervisory authority should be consulted prior to the start of processing activities. [...]

Recital 95: The processor should assist the controller, [...] in ensuring compliance with the obligations deriving from the carrying out of data protection impact assessments [...].

Recital 108: [...] the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject [...] in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default.

If you've read this far, well done! I hope your GDPR endeavours are progressing well! If you work in financial services, I give a GDPR 101 training course specifically for finserv, fintech and payments. This course will not make you a GDPR expert in one day, but it will give you a solid grasp of the regulation, its organisational implications & correlations with other regulations (e.g. PSD2, AML), and how it applies to financial services and your own business. It will take you through the fundamentals of the GDPR, exploring concepts such as Consent and Fair and Lawful Processing, whilst busting some myths and preconceptions. It will also give you practical advice to take back, illustrated with real life examples and videos. It will also provide an extensive documentation reference. If you're interested, you can book here.

Cristina Montagner

Data Consultant University of Groningen Library

6 years

Hi Neira, very nice analysis! Could I please get a copy of the pdf? Many thanks in advance

Sara O.

Helping Government and Public Sector transform the approach to digital risk and cyber security, building a more resilient posture

7 years

Very insightful update! Could I please get a copy of the pdf. Many thanks.

Kristina Rama

Program/Project Manager, Strategy & Business Planning Professional,CPCM, CRMP

7 years

Hello Neira. Can I please kindly ask you to share the pdf file to me as well? Thank you very much in advance.

One of the best articles about GDPR. Can I join the queue for the PDF?

Ronald Noorhoff

Guiding multinational IT and Legal teams through their Cyber Security, Privacy and LegalTech journey. Owner @ Harpocratic.

7 years

Yes please share a pdf copy
