Can Technology-Centric Standards Cope With User-Centric Regulations, such as the GDPR?
Technology changes the world at a fast pace. Internet and web services already show this daily and at massive scale. Technology makes innovation possible in society and in our economy. Cloud computing, data analytics and the Internet of Things (IoT) will accelerate this pace by hyper-connecting people, organizations and data with billions of objects.
Technology-centric versus user-centric compliance?
More and more companies and other organizations are picking up speed to explore how to benefit from digital technology. From an information security perspective, organizations (whether provider or customer) have for more than a decade taken steps and implemented organizational and technical measures in order to seek and obtain compliance and assurance regarding various international information security standards, such as the ISO 27000 series and the SSAE 16 SOC series. From a technology- and process-centric perspective that makes a lot of sense.
However, with the recently adopted user-centric EU General Data Protection Regulation (GDPR), merely being compliant with international or other standards is not enough and would in fact still mean regulatory non-compliance. A regulation prevails over standards, and the GDPR is not a standard. Not being in full compliance with a regulation such as the GDPR can now lead to enormous penalties of up to 4% of annual global turnover. The GDPR applies to any organization in the world that is active within the EU, not just EU organizations.
So, it is time for these organizations to look beyond the former comfort zone called information security and its related standards. Now they must ensure true compliance with the demanding user-centric requirements set forth in the GDPR. Where standards traditionally focus on technology-centric processes and controls, a regulation such as the GDPR (soon to be followed by the upcoming ePrivacy Regulation) is user-centric: it covers, among other things, the data subject itself and the data and knowledge related to that data subject.
In this article, we will navigate you through some essential steps to becoming GDPR compliant.
Navigation Essential Nr. 1: Personal Data Life Cycle
In the life cycle of data, most organizations are either data controllers or data processors: they create, collect, process, derive, archive and (ideally) delete data. From the perspective of data protection, information security standards focus on the company’s internal processes and the technology that processes the data once it has been received or otherwise obtained. Such standards aim to ensure that data receives an appropriate level of protection within the organization’s infrastructure and is protected against unauthorized disclosure, modification, removal or destruction.
By contrast, the GDPR prioritizes the rights of the data subject (the individual), with regard to the legal basis for processing the individual’s personal data and the legitimate purpose for doing so, in each phase of the personal data life cycle. By combining the user-centric and the data-centric approach, the GDPR sets a higher benchmark for security in data processing than the current standards.
Navigation Essential Nr. 2: Data Travels
This approach makes a lot of sense and is a prerequisite if you take into account the way that data travels. Where information security was generally aimed only at internal processes and related controls, this is the age of digital data being transmitted, exchanged and otherwise processed around the world, at any time and in (almost) any place. Therefore, information security should now be much more about data control, access, use and digital rights management.
The GDPR has taken these points into account, but most organizations (and data subjects) are not aware of the fact that data travels far beyond the organization, and may be obtained and otherwise processed far beyond the organization’s back-end servers. Think of sensors picking up a data subject and sending the related personal data through devices and gateways to various web servers and then on to the back-end servers. This multi-dimensional aspect is still rarely acknowledged or addressed.
Navigation Essential Nr. 3: Data Protection and Security
Likewise, the GDPR takes a more stringent stance towards data protection and security requirements. While the current standards focus on determining and preventing risks by putting in place a set of internal policies, processes and controls, the GDPR requires organizations to assess the level of protection from a wider perspective. The GDPR offers an equation for finding the appropriate level of protection, per purpose, per impact assessment, et cetera.
The benchmark in the GDPR is having state-of-the-art security measures (both technical and organizational) in place, where (i) the related cost of implementation, (ii) the purposes of the personal data processing and (iii) the impact on the rights and freedoms of the data subject (considering good, bad and worst-case scenarios) need to be taken into account, whether one is a data controller or a data processor. We call this the appropriate dynamic accountability (ADA) formula:
State of the art security – Costs – Purposes + Impact
Although the current information security standards aim for ‘achieving continual improvement’, the GDPR aims to ensure up-to-date levels of protection by requiring the levels of data protection and security to continuously satisfy the ADA formula.
Navigation Essential Nr. 4: Encryption
Encryption is mentioned four (4) times in the GDPR. It is mentioned as an example of a security measure component that enables meeting the state-of-the-art requirements of the formula. Encryption of data plays an important role in ensuring security. Moreover, applying appropriate encryption can enable personal data to be securely exchanged and used in the cloud, at the cloud edge, in IoT and in other digital ecosystems while preventing unauthorized processing of and access to it. While, for instance, the ISO 27001:2013 requirements make no explicit reference to encryption, the GDPR recognizes the benefits of encryption and prefers it as a method of facilitating the security of processing data and mitigating inherent risks, adverse effects and other negative impact.
For example, in countries that already have security breach notification regulation in place regarding personal data (such as the Netherlands) enforced by the local Data Protection Authority (DPA), encrypting personal data means that in case of a breach the data subjects do not need to be notified (other than to the DPA itself), which is a requirement if such personal data is not encrypted. Although not yet made clear by the EU data protection authorities, this is likely to be similar for breach notification required under the GDPR.
Compliance is not what it used to be
Having analyzed the state of play of international information security standards and their frameworks, we can safely conclude that the GDPR raises the bar for personal data protection and related security by introducing user-centric and more specific data-centric requirements, as opposed to the process- and technology-oriented frameworks of standards.
Being compliant in the traditional way, where compliance means conformance to, and assurance against, standards, is not good enough anymore. Technology has become a highly regulated domain in itself.
How to gear up?
Since the (2018) GDPR requirements are stricter than those of its (1995) predecessor, there is a lot to be done to ensure compliance with the GDPR before or by 25 May 2018, the date the Regulation enters into force. Organizations that are already ISO27k, SOC2 or otherwise compliant with information security standards should start performing gap analyses and data impact assessments. In addition, organizations should (re)design and build multi-layered, interdisciplinary (data) architectures to ensure appropriate and accountable GDPR compliance and avoid those hefty penalties, which for large enterprises can amount to several billion euros.
The good news is that, once an organization does have those appropriate technical and organizational measures in place, it will significantly increase its trustworthiness towards customers and stakeholders, and demonstrate next-generation readiness.