Don't Confuse GDPR Compliance with Security
Overlooking the differences between compliance and security could be perilous, yet for many businesses the distinction may seem obscure under the new regime of the European Union’s General Data Protection Regulation (GDPR), enacted May 25, 2018.
Certainly, the two disciplines are complementary. If data is not secure, a business could end up in a non-compliant state, and vice versa. But just because data is compliant with GDPR regulations doesn’t necessarily mean it is secure. That may sound counterintuitive, but it’s not.
Part of the issue is terminology: data protection in the GDPR regulation is not a security term. It’s more about protecting the rights of individuals over the use of their personal data than it is about securing that data. Very little of the regulation actually applies to data security.
Unlike earlier EU regulations that applied only to “controllers” of data that is collected, the GDPR extends compliance to “processors” who process data on behalf of controllers. The data controller alone or jointly with others determines the purposes and means of the processing of personal data, while processors may be any entity involved in collecting, recording, organizing, storing, adapting, disseminating, disposing of, and consulting on operations involving that data.
In an era of cloud, managed services, and outsourcing, the roles of controllers and processors makes for a very encompassing net in which to get entangled.
It should be clear by now that GDPR doesn’t just apply to businesses inside the EU. Organizations outside the EU are subject to its requirements if they offer goods or services to, or monitor the behavior of, EU data subjects, even if the data itself is housed outside the Union.
Now in its third month, GDPR raises the stakes for protecting the privacy of EU citizens. As every company doing business with EU residents should be aware, “Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).” That’s a pretty big stick to wave in front of any business executive, although it’s unclear as yet how regulators will move forward in implementing penalties.
DPO: a defining role
One of the requirements of the GDPR is for the designation of a Data Protection Officer (DPO) if an organization’s core activities “consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale…”
Large organizations will likely create a new DPO function within their organizations or carve it out of an existing compliance department. Others may be tempted to designate the CISO or the CIO for this role, thus muddying the waters separating compliance and security. My estimate is that 80% of GDPR-related data isn’t even under the control of CISOs. And while the automation of data processing falls squarely within the CIO’s duties, the why and the what of data collection, usage, and disposition are largely the responsibilities of business departments.
While there is indeed a compliance discipline within IT, it applies to IT processes. Compliance in the GDPR definition applies to organizations companywide, such as IT, finance, marketing, and sales. Just because most data are digitized these days, doesn’t mean that IT understands the purpose or even content of the information being stored and processed.
It’s my experience that organizations get caught up in requirements for compliance sometimes at the expense of good security. Think of it this way: compliance is viewed with an outside-looking-in lens; in other words, are we doing what regulators require and expect of us? Security, however, should be viewed from an inside-looking-out perspective: what do I need to do to protect my data from unauthorized access?
The security function is there to apply controls commensurate with the classification of information, not to define it! Business departments, in cooperation with IT, are responsible for knowing why data is being collected, how long it is being retained, and how to ensure data subjects are able to execute their GDPR-mandated rights to their data.
Do you know where your data is?
From the security viewpoint, if you don’t know where your information is, which information is critical, and which isn’t, and who has access, then you are in a less secure situation than you should be, even if you are currently in compliance with GDPR or other regulations. That means knowing where and how your information moves, as well as who has access to it and what do they do with it.
Some of the issues that businesses should be focusing on include:
- Understand the roles of controller and processor in handling your data. Sounds simple, but the internet is chock full of articles and commentary that address the issue of roles without, in my opinion, providing much clarity.
- Make sure your service providers commit to GDPR compliance and are able to document what happens with your data, what type of information is collected and processed, how long it is held for, and in which countries this happens.
- Don’t mistake good compliance as a security blanket. Compliance involves documenting how you adhere to the regulations. Security is all about understanding how to identify and close the gaps that could compromise your data.
- Do ensure your GDPR readiness team is cross-functional. If you are required to install a DPO, don’t assume the CIO or CISO is the best candidate.
- Update your privacy and security policies and procedures.
- Update procedures and protocols regarding data breach notification.
Compliance is a requirement, not an option. Security can and should be an essential element of your GDPR strategy. Being able to control, enforce, and log what happens to your data will bolster your ability to comply with this new regulatory regime.
Larry Biagini is the Chief Technology Evangelist at Zscaler. This article originally appeared on Forbes.com.