
Security Think Tank: Information security professionals have key role in GDPR compliance

What is the role of information security professionals in helping organisations to ensure they are compliant with the EU’s General Data Protection Regulation (GDPR) by 25 May 2018?

The EU’s General Data Protection Regulation (GDPR) – and data protection (DP) in all its forms – is a subset of information management and assurance, or information security (IS).

The role of the IS professional is to protect all of the organisation’s information assets, of which the personal and sensitive personal information covered by data protection law happens to be a subgroup.

It’s a shame more organisations don’t fully grasp this and see it that way: DP, IS and privacy are all part of the same team and should be working in harmony.

This is frequently not the case. There is often conflict between DP and IS, and sometimes gamesmanship. This is counter-productive and flies in the face of our overall security requirement: to protect our asset, the organisation itself.

After all, protecting the organisation is why all security professionals exist. As DP (or privacy) is a part of this culture, it applies just as much to those roles and activities.

First and foremost, DP and the GDPR are underpinned by respect for the data subject’s rights.

Those of us who handle personal data must never forget that it does not belong to us. The data has been loaned to us by the data subjects, who have a right to expect that it will be used only for the purpose for which it was collected, kept safe, and deleted once that agreed purpose has been served.

The GDPR has reinforced this basic right for data subjects. How organisations handle it will be key to how successful they are in staying on the right side of the regulation.


IS professionals will be working with their organisations to help them understand their information assets, preferably through designated information asset owners; the policies and practices required to keep those assets safe; and the implications for DP professionals where existing practices need to change.

The idea that data subjects can be forced into allowing the processing of personal information that is not required to deliver a service, simply to be able to access that service, will no longer be accepted.

For some organisations, this is going to require a lot of thinking and may affect their business model. The IS professional and the DP professional both have a key and interlocking part to play in ensuring their organisations stay on top of this data subject-centric requirement.

Breaches affect business

People have a right to believe that every precaution is taken to keep their information safe. When this does not happen, they are increasingly voting with their feet.

TalkTalk recently announced a halving of its profits following its data breach. This is the same organisation that confidently announced it had done everything legally required of it to keep customer data safe.

Clearly, the bare legal minimum was not enough, and customers felt the same. Research from Gemalto backs this up: 64% of respondents said they would not use a business that had lost financial information, including credit card details, and half said the same of the loss of any personal information.

In summary, the IS role is to help protect all information, including the personal information that is on loan to the organisation. This means working with compliance officers, DP officers and audit teams to drive continual improvement and to embed a culture in which information is valued. Do that, and compliance with the GDPR will come naturally.

Mike Gillespie is director of cyber research and security at The Security Institute.
