Implementing Information Security in a World Increasingly Concerned with Data Protection

From the GDPR to the Brazil General Data Protection Law to the California Consumer Privacy Act, new regulations emerging throughout the world require businesses to emphasize data protection as a new facet of security across their systems. At its simplest, this can mean just understanding where a company has data. At its more sophisticated it requires implementing new technical systems and human-centered business processes around data management wherever it exists across the cloud, on premise, shared drives, or in paper filing systems.

How are changes in data protection regulations affecting information security?

Information security is a wide-ranging practice covering everything from cyber risk management to application security to identity management to human business process improvement and culture. But there is a new risk in town, and that is the threat of data protection liabilities in the wake of new regulations that are sweeping the world, like GDPR.

Organizations must see data now not only as an asset but also consider it as a liability. Put another way, as businesses are becoming increasingly digital, the intangible asset line item on the balance sheet is growing, but there has not been a concomitantly wide consideration of the “intangible liability” that data in general, and personal data in particular, presents. It is data protection regulation that will turn uncontrolled data into liabilities (whatever the accountants choose to call it!) and these liabilities should be subsumed alongside other impacts into the overall security risk models of an organization. Data protection regulation is an increasingly important risk that is crossing into the security sphere.

Data protection regulation and security threats

GDPR and similar regulations essentially mandate best practices for data security and usage. Although they do not match precisely (GDPR compliance ≠ ISO27001 compliance), much of the contents of security standards like ISO27001 are subsumed within GDPR. The principal difference is that in the past if a business did not implement best security practices, they were open to threats like external hacks, data breaches, and more. The consequence was reputational damage and loss of customer confidence. In a post-GDPR world, these threats will also manifest in regulatory fines as well. Businesses need to plan for and assign responsibilities for data protection compliance and build technical and process measures to control these threats.

Assigning responsibility for data protection threats and bringing together cross-functional teams

Stronger data protection regulation is requiring a reworking of staffing needs. At the most apparent, GDPR literally mandates a new position for some organisations in the form of a Data Protection Officer (DPO). However, the actual implementation of the processes and assignment of responsibility to implement those processes is more complicated.

At clients Ohalo has worked with, the first port of call in many organizations in preparing for GDPR was the legal function of the business or their lawyer. This is normal since much of the process and technology improvement came down to how the regulation was interpreted in the context of a particular business. After this initial breakwater, the actual role of the implementation is somewhat diverse and there seems to be some confusion over where the role of the person that is in charge of implementing data protection measures should sit in a company.

What is best practice? Should it be a legal issue? An IT issue? A security issue? Who is in charge? In some large companies, there are fairly clearly defined lines in the form of Chief Data Offices or newly created Chief Privacy/Protection Offices. In medium sized companies we find that the task normally falls to a legal or security function. And, in smaller companies technology and legal functions seem to be taking the reins. However at the end of the day someone needs to get “close to the data” and put processes in place that determine how an organization is protecting data.

Helping troops on the front line

The lesson is that security is a task for everyone. Roles that were not formerly data centric are increasingly so. Roles that were not formerly involved with enabling a sound regulatory environment are increasingly so. The lines between legal, IT, and security are increasingly blurred with new data protection regulation and all of these roles need to be prepared for this change.