Security Think Tank: Infosec pros need to identify and protect GDPR-relevant data

What is the role of information security professionals in helping organisations to ensure they are compliant with the EU’s General Data Protection Regulation (GDPR) by 25 May 2018?

While the EU General Data Protection Regulation (GDPR) relates to personal data, the question remains: what to do with personal data once it has been duly identified and registered?

GDPR stipulates that such data be treated in an orderly manner, but refrains from giving specific security advice. This is not surprising, given that the GDPR is about the nature of the data, whereas information security is more about the treatment of the data.

Infosec professionals should therefore be prepared to acknowledge, analyse and then safeguard GDPR-relevant datasets. However, this is easier said than done, as protection levels and risk classifications must be extended from traditional personal data to incorporate datasets that might allow undue inference.

In many jurisdictions, the law deliberately introduces some overlap between the data privacy officer (DPO) function and the infosec function. In Germany, for instance, the gradual growth of data protection legislation has led to fairly detailed provisions regarding the ‘surroundings’ of personal data, ranging from physical and logical access to certain organisational requirements. This makes sense, since many DPOs actually reside within the infosec or corporate security functions, usually reporting to the CEO, COO or chief risk officer (in financial institutions).

GDPR, in a similar way to cyber security laws, creates yet another class of information assets and additional risk categories. In terms of infosec, this means that a potential GDPR risk must be taken on board, just like any other infosec risk would be.

GDPR risk will undoubtedly affect confidentiality, but also integrity and availability, as companies must be prepared at any time to formally respond to enquiries by individuals or organisations.

As a legal instrument, GDPR should harmonise standards across the European Union, combining elements from the UK and continental Europe. In terms of content and rules, it does not introduce any groundbreaking changes or extensions.

The infosec professional therefore needs to:

  • Understand the nature of information assets covered by GDPR;
  • Liaise with the legal department to confirm the accuracy of the GDPR dataset; further confirm with the legal department any business impacts of breaches, non-compliance or infringements, and adapt and adjust the protection levels for GDPR data in line with the potential impacts of ignoring it;
  • Liaise with the DPO to understand how datasets are related to GDPR; understand where such data resides and how it is combined to deliver enriched information; foresee and explain to the DPO any danger of undue inference from disconnected datasets and understand and assess the risk to the final GDPR dataset in terms of internal and external attacks or unauthorised use;
  • Liaise with the DPO, legal and public relations to clearly state (in the public statement on privacy rules) how security is implemented and enforced with regard to the GDPR dataset. This will need to be done in simple words, since such statements are usually on the website and available to all.

The lead in GDPR undoubtedly rests with the DPO. It is their fiduciary duty to ensure GDPR compliance at all times, and in this capacity they are independent from the rest of the firm (not unlike internal audit). However, where there is no formal DPO requirement, a privacy officer should adopt similar rules and behaviour patterns, as their job is essentially the same, albeit not legally mandated.

The infosec professional is a lateral helper from within the second line of defence. Their job is to back up the DPO and privacy officer by protecting and adequately safeguarding GDPR-relevant data. This implies that the infosec professional may not even need access to the data itself, but rather they should provide the requisite access control, encryption and encapsulation for those that need to access it.

Rolf von Roessing is a past international vice-president of Isaca and president of Forfa.