
Security Think Tank: Infosec pros can kickstart GDPR prep with data audit

What is the role of information security professionals in ensuring organisations comply with the EU General Data Protection Regulation (GDPR) by 25 May 2018?

GDPR is a new but very important acronym for the infosec professional and the organisations they work for. It stands for the General Data Protection Regulation and, unlike its predecessor – the Data Protection Directive – it does not require enabling legislation to be enacted in each European Union (EU) member state.

The EU Council and Parliament formally adopted GDPR in April 2016 and it will come into force on 25 May 2018 after a two-year transition period. Any organisation failing to comply with GDPR after May 2018 will be liable to a variety of sanctions – up to and including fines based on an organisation’s annual worldwide turnover. It should be noted that GDPR’s scope extends to cover all foreign companies holding and/or processing EU residents’ data.

The role of the infosec professional with respect to GDPR will primarily be as a member of an organisation’s data protection officer’s (DPO) support team, the exception being where an infosec professional has been appointed as an organisation’s DPO. This is due to the very wide remit of a DPO as identified in GDPR, which requires not just an understanding of legal compliance and data protection laws and regulations, but also proficiency in managing IT processes and data security.

This includes dealing with cyber attacks and business continuity issues associated with the handling of personal and sensitive data. The infosec professional should bring to the DPO’s support team knowledge and understanding of data security and how it is implemented in an organisation (for example, compliance with relevant legal, regulatory and contractual requirements and the handling and investigation of cyber attacks).

While the infosec professional will need a solid understanding of the GDPR, their role with respect to the GDPR is restricted to that of supporting an organisation’s DPO and not that of policing or enforcing the GDPR in an organisation. That task falls to the DPO who could (and in many cases will) devolve some of their work to the infosec professional. Note that public sector bodies and organisations that process more than 5,000 subjects (people and their associated data) are obliged under GDPR to appoint a DPO.

Although there is a two-year transition period before GDPR becomes mandatory, that is not in reality much time for what is a complex regulation. One of the early tasks that an organisation’s infosec professional can undertake, perhaps in advance of any formal DPO appointment or support team creation, is that of conducting an audit of personal and sensitive data subject to control by the organisation.

Such an audit would include identifying who owns or controls specific data in the organisation (HR, finance, individual managers etc.), where data is held, where it is processed, who has access to what data and what they can do to the data (read only, create, edit, delete). In other words, the audit creates a data asset register. Note that this register should include full information about storage and processing locations for third parties and cloud suppliers (important where off-shoring could be involved). Do not forget personal computers in an organisation, as it is not unusual for staff to take copies of data.

You have two years – starting now!

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
