In the third article of our series on the new General Data Protection Regulation (GDPR), James Mulhern, Chief Information Security Officer for Eduserv, looks at how GDPR will impact organisations’ cyber security efforts and how it could encourage improvement.
1. Make GDPR your opportunity to review and strengthen cyber security
By its very nature, GDPR is designed to considerably increase individuals’ rights on personal data. In particular, it outlines special new provisions and compliance requirements for “sensitive personal data” which includes genetic data, biometric data, health data and data relating to sexual orientation, race, political opinions and so on.
Evidence gathered via the dark web suggests that sensitive personal data – such as medical records – is now more valuable for cyber criminals than financial information like credit card details.
If you’re responsible for cyber security, you should therefore be using GDPR as a golden opportunity to get a firmer grip on a key area where attacks are increasing. This is particularly true for organisations like local authorities, who routinely collect and share citizens’ sensitive data with other organisations (both public and private) to operate effectively. And if confirmation were needed that this is the right path to take, it seems that central Government agrees, because it recently confirmed in its Cyber Security Regulation and Incentives Review that it will also seek to improve cyber risk management through the implementation of the GDPR.
2. Start by reducing your attack surface
Under GDPR, compliance will depend in part on having explicit and specific consent for the exact purpose for which data is held or processed. This means that over the next year, organisations need to interrogate all the sensitive personal data they hold to find out whether they have the right level of consent. If they don’t, they will have to delete it. In cases where they don’t have consent but still have “legitimate reason” to keep the data, then it’s likely that they will have to retrospectively pseudonymise or anonymise the data, which is the course of action the GDPR recommends for organisations to achieve compliance. Going forward, they will need to ensure that these privacy practices are embedded by design.
While this will be time consuming, it’s also a great opportunity to reduce entry points and vulnerabilities that are currently exposed to cyber criminals and reduce overall “attack surface”. On top of this, organisations should ensure that they (or at least their security supplier) have appropriate measures in place to provide active and protective monitoring as well as ongoing testing that will help identify new vulnerabilities as they arise.
3. When you appoint a Data Protection Officer, make sure they are cyber security aware
One of the much-discussed elements of GDPR is that it requires many organisations to appoint a Data Protection Officer (DPO) to achieve compliance. This includes all public authorities as well as all organisations that carry out “regular and systematic monitoring of data subjects on a large scale” or large-scale processing of “special categories of personal data”.
GDPR specifies that DPOs are responsible for activities including monitoring compliance, educating staff on their responsibilities, providing advice on privacy impact assessments and co-operating wherever necessary with the relevant supervisory authority.
In addition to this, I believe organisations should also ensure their new DPOs are cyber security aware and trained. GDPR compliance implies implementing Cyber Security Regulations, so your DPO will need to be up to speed with the latest thinking on cyber security and broader organisational resilience. If they are, they will help to guarantee your data’s security, integrity and accessibility by disseminating cyber security best practice throughout your organisation.
4. Make sure everyone in the organisation is aware of GDPR and sees security as their responsibility
One of the great maxims of cyber security today is that organisational and human factors are just as important as any technical barriers you put in place to prevent an attack. The GDPR confirms this, stating that in order to achieve compliance, organisations need to demonstrate that they have robust processes in place for regularly testing, assessing and evaluating the effectiveness of not only technical measures but also the organisational measures for ensuring security
More than ever, organisations should recognise that managing cyber security under GDPR is about managing processes and people as much as anything else – so they’ll need to think about providing security and GDPR awareness sessions that improve understanding of personal and sensitive data across the organisation. In addition, they should consider scenario based exercises, red teaming and advanced resilience testing based on both covert and overt scenarios.
More on GDPR
Eduserv and data
Eduserv provides a comprehensive range of cloud, digital development, data and cyber security services for the public sector and charities across the UK. We have in-depth knowledge of the way organisations need to manage and protect personal data in all these contexts and are actively helping our customers to prepare for GDPR compliance. For more information get in touch with James Mulhern at firstname.lastname@example.org or 01225 474 344.