The role of the information security (IS) professional is to protect all of the organisation's information assets. The personal and sensitive personal data covered by data protection (DP) law is a subset of those assets, not a separate estate.
It is a shame more organisations do not fully grasp this and see it that way: DP, IS and privacy are all part of the same team and should be working in harmony.
This is frequently not the case. There is often conflict between DP and IS, and sometimes outright gamesmanship. This is counter-productive and flies in the face of the overall security requirement to protect the asset that matters most: the organisation itself.
After all, protecting the organisation is why all security professionals exist. DP (or privacy) is part of that same culture, so the same requirement applies just as much to those roles and activities.
First and foremost, DP in general and the GDPR in particular rest on respect for the data subject's rights.
Those of us who handle personal data must never forget that it does not belong to us. It has been loaned to us by the data subjects, who have a right to expect that it will be used only for the purpose for which it was collected, kept safe while we hold it, and deleted once the agreed purpose for collecting it has expired.
The GDPR has reinforced this basic right for data subjects. How organisations handle it will be key to whether they stay on the right side of the regulation.
IS professionals will be working with their organisations to help them understand their information assets, preferably through named information asset owners, and the policies and practices required to keep those assets safe. They will also need to spell out the implications for DP professionals as those practices change.
The idea that data subjects can be forced to accept processing of personal data that is not required to deliver a service, simply in order to access that service, will no longer be accepted.
For some organisations this is going to require a lot of thinking and may affect their business model. The IS professional and the DP professional both have a key and interlocking part to play in ensuring their organisations stay on top of this data-subject-centric requirement.
Breaches affect business
People have a right to expect that every precaution is taken to keep their information safe. When that does not happen, they are increasingly voting with their feet.
TalkTalk recently announced a halving of its profits following its breach. This is the same organisation that confidently announced it had done everything legally required of it to keep customer data safe.
Clearly the bare legal minimum was not enough, and customers felt the same way. Research from Gemalto backs this up: 64% of respondents said they would not use a business that had lost financial information such as credit card details, and half said the same for the loss of any personal information.
In summary, the IS role is to help protect all information, including the personal information on loan from data subjects. That means working with compliance officers, DP officers and audit teams to drive continual improvement and to embed a culture in which information is valued. Where that culture exists, compliance with the GDPR will follow naturally.
Mike Gillespie is director of cyber research and security at The Security Institute.