GDPR Security & Privacy – It’s All the Same?

Many of us have been following recent news items about data security breaches and data privacy, along with the public announcements that the EU General Data Protection Regulation (GDPR) comes into effect in May 2018.

Getting either of these two important topics wrong can have massive effects on an organisation’s reputation and on whether individuals trust businesses to use their personal information responsibly.

Recently, Cambridge Analytica announced it was to shut down in the face of mounting pressure from politicians and media, let alone the millions of individuals who were informed by Facebook that their data was harvested. Many of those individuals have likely already taken advantage of a new data privacy setting made available in the EU by Facebook to effectively block the use / sharing of their personal data, essentially rendering targeted and personalised marketing ineffective.

You don’t need to be an expert to understand the GDPR’s information security and privacy requirements, which are freely available from the European Union. Even though the UK is leaving the EU, it’s likely that the UK will continue to follow and enforce GDPR post-Brexit.

Are security and privacy the same thing?

Many organisations think they are and treat the two as one. In reality, data privacy is a different topic from data security, and it requires a much deeper understanding of privacy rights and law. Under GDPR, data privacy is called out as a specific role required in the organisation, that of “Data Protection Officer.” In fact, only 3 of the 99 Articles are directly related to security:

  • Article 33 – Notification of breaches to the ICO.
  • Article 34 – Notification of breaches to data subjects.
  • Article 35 – Data Protection Impact Assessment.

The remaining 96 Articles relate to data subject rights & privacy.

In another blog, I write about the proliferation of the “Digital Me” and our online digital data presence. This proliferation of “Digital Me” along with data breaches and the European Union’s view that the data belongs to the individual was one of the key drivers behind the new GDPR regulations.

Many of the processes required to conform to the regulation require the ability to record, audit and automate certain processes via a Data Subject Access Rights Portal (Article 63). The key ones are listed below:

The right to:

  • Be forgotten (personal data erasure)
  • Consent or object at any time to the processing of personal data
  • Restrict the processing of personal data
  • Not be subject to automated data processing and profiling
  • An explanation of how personal data is processed
  • A copy of one’s personal data (Data Subject Access Request)
  • Correct any incorrect personal data
  • Personal data portability (having one’s personal data provided to another data controller)

Giving the Data Subject (customer) the ability to review and manage how, where, and for what purpose their data is used, in a clear and personalised manner, will become the norm. Facebook has already started that journey with recent changes to its platform.

Think about what “the right to be forgotten” means. Where is the customer’s data, and in which systems? In what backups? In what data lakes? In what offsite storage? With what third parties? In what email systems?

With respect to the items above, many organisations continue to have silos of personal information in systems that are not always connected or consistent.

Given these new individual rights, providing a system or solution that can manage the requests, gather the information, and keep within the SLAs defined by the EU regulation will be critical to avoiding investigations or fines.
