Maksim Kabakou - Fotolia

Security Think Tank: How infosec pros should influence prep for GDPR

What is the role of information security professionals in ensuring organisations comply with the EU General Data Protection Regulation (GDPR) by 25 May 2018?

The General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and most companies have a long way to go before they can consider themselves compliant. 

Full compliance with GDPR will be a big challenge and, in practice, most organisations will undertake steps towards compliance while determining a level of residual risk of non-compliance they are comfortable with. Infosec professionals have an important role to play in helping to define their organisation's response to GDPR and the practical steps their company needs to take to improve compliance.  

Below I have outlined a few examples of areas where I think they can be influential in their organisation's GDPR preparations:

Data inventory

Develop an inventory of data held across the organisation to understand what, if any, impact the GDPR will have on your organisation's treatment of the data. This is a critical and challenging aspect of an organisation's preparation for GDPR. Infosec professionals have undertaken similar exercises for various other purposes (for example, PCI compliance) and will have a lot of re-usable content as well as tried and tested methodologies for data classification – they have an important role to play in this activity.

Privacy by design 

Putting data privacy first and at the heart of IT system design may be new to some organisations, but many have had to undertake a similar change management exercise to ensure that IT security is given an appropriate level of priority in their IT projects. In responding to this challenge, infosec professionals will have developed a number of organisation-specific change management strategies that could be re-used to respond to the requirement for privacy by design that GPDR specifies.

Privacy impact assessments

While defining an organisation's approach to privacy impact assessments (PIAs) is likely to be the responsibility of the privacy officer or data protection officer, infosec professionals have an important role to play in the practical application of these to IT projects. Having developed strategies for ensuring security impact assessments for IT projects, infosec professionals will be well placed to advise on how to embed the PIA into their organisation's IT processes. 

Data encryption and pseudonymisation

GDPR specifies a general requirement to provide appropriate protection to the data that the organisation holds. The practical implementation of this requirement will require an increase in the adoption of data encryption and pseudonymisation (a procedure to prevent data being personally identifiable to a third party) techniques. Applying these tactics may not be possible for some IT applications and infosec professionals can play an important role in helping their legal/privacy team to meet this objective and identify and document any exceptions where they will not be practical/possible.

Archiving and data retention 

Having helped their organisation respond to other regulatory requirements (for example, PCI) infosec professionals will be familiar with the need to define appropriate archiving and data retention policies and the practical implementation of these in their organisation. While guidance from the legal/privacy team will be necessary in order to determine the policy itself, infosec professionals will need to play a role in the practical implementation of these policies and in providing guidance to the legal/privacy team as to what is and what is not achievable.

Richard Hunt is managing director of Turnkey Consulting 

Read more on Privacy and data protection