Our guest contributor, John Strutt, an intelligence analyst and cyber security expert, explains what GDPR risk really means for your organisation. Intelligence analysts are the people most likely to see the consequences of GDPR risks and misunderstandings, so we asked John for his take on the impact of GDPR.
Clearing up the GDPR risk confusion
There’s a lot of contradictory information surrounding GDPR (General Data Protection Regulation). I’m a Cyber Intelligence Specialist, not a GDPR expert; however, like most of us, I am trying to find answers to some of the questions that surround the subject.
GDPR certification – can you trust it?
The first major concern I have discovered is also one of the most frequently asked questions about GDPR: certification. A quick Google search will reveal vendors selling a certification called 'Certified EU General Data Protection Regulation (GDPR) Practitioner'. The practitioner course may provide information on some of the important elements of GDPR; however, to date, no official certification has been created.
In the UK, the ICO (Information Commissioner’s Office) will regulate GDPR, and it is the body responsible for issuing fines for data protection infringements. It is worth noting that the ICO mentions ISO 27001 as a framework for information security; therefore, my advice would be to be very dubious of vendors offering GDPR certifications or consultancy on the subject, or of anyone who calls themselves a GDPR expert, especially cyber security specialists.
Who is responsible for minimising GDPR risk and compliance?
GDPR is not an IT security problem, it is most certainly a business problem. I investigate data leakage incidents and one major problem for organisations is putting a value on that data.
The responsibility for the data that GDPR is concerned with lies with the business department that collected and uses that data. They are best placed to know the value of the data, what has been collected and where that data resides. Security teams can help and advise on how to store, transmit and securely delete data.
GDPR is about ensuring PII (Personally Identifiable Information) data is correctly dealt with by organisations and governing how an organisation uses that information. It’s about making sure that information is not left in databases and/or servers unprotected and that it is removed when no longer needed.
So, what is PII?
PII, according to the GDPR, is any data that can be used to identify a specific individual. National Insurance Number, address or email address, and phone numbers have most commonly been considered PII, but technology has expanded the scope of PII, which may now include IP addresses, login IDs, social media posts, digital images, geolocation, biometric, health and behavioural data.
GDPR outside of Europe
The simplest way I can put this is that the European Union General Data Protection Regulation (EU GDPR) applies beyond the sovereign borders of EU countries and protects the personal data of its citizens regardless of location. This means it will impact all organisations that process PII data relating to EU citizens – your customers, supporters, clients and employees. In the UK, the Data Protection Bill was published on 14 September 2017 and, even though this is not yet law, it will be the UK’s version of GDPR.
Unfortunately, I assess that adoption will be slow in the beginning, and we may well see large fines being imposed until organisations start to take it seriously. In the long run this will start to have an impact as organisations improve how they handle and protect information.
Organisations will be forced to adopt a risk-based approach. Risk-based strategies ensure proper procedures for evaluating data sensitivity, system vulnerability and the likelihood of cyber threats are all considered. Ultimately, if large fines are imposed, organisations will seek to comply with GDPR rather than take the risk of non-compliance.
The cyber threat landscape is constantly changing. The threats we face today are sophisticated. Cyber criminals now know the value of personal data and how to get access to it. There is a growing concern regarding data threats, and organisations that do not protect data will be caught out. Strains of ransomware and effective phishing scams are still favourites for many attackers. Vulnerabilities (including zero-days) are likely to be discovered and exploited with new releases. Even Internet of Things devices (such as smart home devices) are playing a role in increased DDoS (distributed denial of service) attacks.
How will GDPR risk and compliance look in the future?
So how will GDPR look in the future? In my opinion, firstly, there will be a large number of requests to organisations about the data they hold on individuals. There will be a number of fines issued, and then, as organisations and the policy come to terms with GDPR, there will be better advice and improved best practices available. Check out our full suite of compliance courses, Comply by Logicearth.
Links in this blog:
John Strutt's LinkedIn
The Information Commissioner’s Office
GDPR Course Preview
Comply by Logicearth