Leading up to the 25 May 2018 General Data Protection Regulation (GDPR) compliance deadline, there was a flurry of activity to put GDPR policies in place, clarify privacy policies and obtain permission, where it had not previously been obtained, for the continued use of users’ data.
The headlines were about the huge fines that would emerge, but one year on, it is questionable how far personal privacy has actually been enhanced in real technical terms.
Regulation and the threat of fines typically produced a box-ticking compliance response aimed at avoiding those fines. Regulation and potential fines were probably critical in getting the attention of boards. To get real change, however, businesses need to make the cultural shift from basic compliance to looking at privacy as a means of enhancing the business purpose, not just through policies, but through implementation at the code and data level within systems.
Business purpose in this context is not just to deliver profit, but the purpose of the business in terms of what it delivers for its customers, its brand image, social responsibility, and so on. This should therefore be an opportunity to promote data as an asset that provides value to the business, and consequently to protect and promote it in the same way as any other asset.
For example, a bank needs to be seen as strong and secure, responding to public issues its customers and shareholders care about. We therefore need to identify how privacy can promote business purposes.
Several years ago, the tech giants saw such an opportunity after the Snowden revelations on government monitoring of the internet and started routinely using HTTPS, where previously it had only been used for banking and to protect credit card information when checking out on shopping sites. Companies used this as a marketing tool – “protecting their customers from government snooping”.
Today, HTTPS is ubiquitous, with everything from Google searches to news delivered over HTTPS, and its use is promoted by organisations such as the UK National Cyber Security Centre (NCSC). While, in reality, this provides little additional privacy – as the URLs still show what pages people are viewing – it did serve the business purpose of the organisations.
Security’s value proposition
Information security practitioners, like all professionals, long for their subject area to be recognised for the value it provides to the business. Thus GDPR should be a godsend to them, using “the stick” of fines as an incentive to get the business to take data security seriously.
The GDPR legislation mandates that, at the design phase of any processing operation, as well as at the time of the processing itself, organisations shall put in place appropriate technical and organisational measures designed to implement data protection in an effective manner, and to integrate the necessary safeguards into the processing of data. Therefore, those responsible for the development and delivery of data systems need to look at how proper privacy implementation can promote the business, as well as protect it from fines, and put this forward as a business enabler.
Paddy Francis, Airbus CyberSecurity
The business purpose of different organisations will vary, but change will be needed at the data and code level, so this will probably need to be driven by infosec professionals with a good understanding of the business. The benefits of privacy and data protection to the business therefore need to be identified and presented in a business context as a positive enabler rather than as a cost of avoiding fines.
This is an opportunity for information security professionals to highlight the financial benefits that come with these improved security measures, and engaging with the business can only help. While the additional cost to design in security is not discretionary, working with senior management to define and develop the business can increase support for the investment and raise the profile and perceived value of the security function.
Minimise data collection
One area many organisations miss is minimisation of data collection: retaining only what is absolutely necessary and making the purpose clearly visible to users. This both gives users confidence and reduces the potential impact of any data breach.
For example, I find that when signing up for many new services, I am still asked for my date of birth and postcode, so that what is delivered can be tailored to my age and demographic. However, I am pretty sure that no algorithm exists that can differentiate content for me from that for people born the day before or the day after me (artificial intelligence really isn’t that good).
Similarly, postcode areas, which typically contain 15 households, are unlikely to be significantly different from those adjacent to them, so why insist on a full postcode? These organisations are clearly collecting more information than they need for their declared purpose – a potential breach of GDPR.
This also magnifies the consequence of a breach, because a date of birth and a postcode, supplemented by other information such as the electoral register, can make someone fully identifiable, even if they have only signed up with a screen name. What information is really needed is only known by the algorithm developers/database architects, but generally they are not included in the GDPR conversation and it is easier for them to use standard calls and database structures to collect full datasets.
Reducing the amount of data collected to only that which is really required will increase user trust and make users less likely to supply false information (such as the fake date of birth I sometimes use) where they believe the data request is excessive or presents a risk. Holding more than the minimum dataset also increases the potential for data aggregation, which in turn can escalate a minor breach into a serious one, meaning a declaration to the Information Commissioner’s Office (ICO) rather than simply self-recording the event.
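As an added example (not from the article), this is the kind of code-level minimisation the author is calling for: a hypothetical sign-up handler that keeps an age band and the postcode district rather than the full date of birth and full postcode, so the stored record no longer pins a screen name to a single person. The payload, field names and age bands are constructed for illustration.

```python
import re
from datetime import date

# Constructed sign-up payload: the form asks for more than tailoring content needs.
SIGNUP_PAYLOAD = {"screen_name": "example_user", "dob": "1985-06-14", "postcode": "SW1A 1AA"}

# Full UK postcode = outward code (district) + inward code, e.g. "SW1A" + "1AA".
# Only the outward code is retained; it covers thousands of addresses rather than
# the ~15 households of a full postcode unit.
UK_POSTCODE = re.compile(r"^([A-Z]{1,2}\d[A-Z\d]?)\s*(\d[A-Z]{2})$")

# Constructed age bands: coarse enough that adjacent birthdays are indistinguishable.
AGE_BANDS = [(0, 17, "under-18"), (18, 24, "18-24"), (25, 34, "25-34"),
             (35, 44, "35-44"), (45, 54, "45-54"), (55, 64, "55-64"), (65, 200, "65+")]


def is_full_uk_postcode(postcode: str) -> bool:
    return UK_POSTCODE.match(postcode.strip().upper()) is not None


def postcode_district(postcode: str) -> str:
    """Return only the outward code; reject anything that is not a full postcode."""
    m = UK_POSTCODE.match(postcode.strip().upper())
    if not m:
        raise ValueError("not a full UK postcode")
    return m.group(1)


def age_band(dob_iso: str, today_iso: str) -> str:
    """Generalise an exact date of birth to a band; the exact date is never stored."""
    born, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    for lo, hi, label in AGE_BANDS:
        if lo <= age <= hi:
            return label
    raise ValueError("age out of supported range")


def minimise_signup(payload: dict, today_iso: str) -> dict:
    """Build the record to persist: only what the declared purpose needs."""
    return {
        "screen_name": payload["screen_name"],
        "age_band": age_band(payload["dob"], today_iso),
        "postcode_district": postcode_district(payload["postcode"]),
    }
```

The raw date of birth and inward code are dropped before anything is written to the database, so a later breach exposes a band and a district rather than a re-identifying pair.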
Long way to go
A year on, things have improved, but there is much more to do. Companies have met their compliance obligations by producing privacy policies and (grudgingly) obtaining user permission for cookies, marketing emails, and so on.
But there is still a long way to go to achieve real data protection in terms of holding only appropriate data, making that data easily available, and protecting it.
To date, the response has been largely “compliance for compliance’s sake” to avoid fines. But the information security team has the chance to step up the approach to investment in protection of data to show the value it brings. This can be done by demonstrating the broader business case for information security and articulating that value in terms of supporting business purpose – customers, brand image, social responsibility, and so on.