
Use GDPR to propel business forward, says ICO

GDPR is about a new way of doing things that businesses can use to their advantage, and cyber security is a key element, according to the Information Commissioner’s Office

The European Union’s (EU’s) General Data Protection Regulation (GDPR) is not another Y2K where the issue disappears after the compliance deadline on 25 May 2018, said Nigel Houlden, head of technology policy at the Information Commissioner’s Office (ICO).

“The GDPR is the new environment we have to work in and requires many organisations to make changes, but my message is to use it to your advantage and keep your foot on the gas,” he told the TechUK Cyber in the digital economy conference in London.

“Keep working hard to make people’s data secure through cyber security to build consumer trust, which can provide a competitive edge. Cyber security professionals can use that as leverage to get the attention and support of the board because it is now a boardroom problem.”

The GDPR and the newly implemented NIS Directive are opportunities, not threats, said Houlden. “They are meant to help business as well as protect the rights of every individual,” he added.

People are becoming more aware of these rights and taking more interest in what companies are doing with their privacy and data, but this is something cyber security professionals can use, he said, because in today’s inter-connected world, privacy and security have to go hand in hand.

“This is something you can tell companies they must live up to, but it is not meant to be an increased workload. It is meant to be about strengthening citizens’ rights and can be used as a badge of honour,” he said.

“Show that you are respecting people’s rights, and over time, as people understand what their data is worth, they will start to respect companies that look after it, and it is those companies that can demonstrate that they respect and protect privacy that will attract new business.”

Although the GDPR introduces new obligations for organisations, such as mandatory breach reporting in high-risk incidents, data portability, privacy by design and stronger provisions for transferring data across borders, he said each of these provides a leverage point for information security professionals to use.

“We see too many cases where for the lack of basic and low-cost security measures, the consequences for individuals can be devastating,” said Houlden.

In the data breaches at Carphone Warehouse and TalkTalk, he said ICO investigators found that neither case might have happened if the companies had put rudimentary protections in place.

CIA triad model of security

Underlining the link between privacy and cyber security, Houlden said the confidentiality, integrity and availability (CIA) triad model of security can be applied in the context of the GDPR.

In terms of confidentiality, organisations need to ensure personal data is secure in transit and at rest, he said. “Even if it is lost or hacked, it should not be readable,” he added.

When it comes to integrity, organisations need to ensure that personal data is accurate, complete, up to date, and kept only as long as necessary.

In terms of availability, organisations need to ensure personal information can be accessed when needed, and understand how individuals and their rights could be affected if it is not.

“Availability could be affected by ransomware and loss of passwords or encryption keys, which regulators will be looking at because they are breaches of the GDPR,” he said.
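The three triad points above map directly onto how a personal-data record is stored. The following Go program is an added example written for this article, not code from the ICO or the conference; it assumes a simple constructed record and models a lost key as an empty key. Authenticated encryption (AES-GCM) gives confidentiality (the stored blob is unreadable without the key, so a leaked copy is not plaintext) and integrity (any tampering or use of the wrong key fails verification). The availability point is the one that is easy to miss: if the key is gone, the data is gone too, even though the ciphertext is still on disk.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a constructed stored-at-rest personal-data record (example only).
type Record struct {
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext followed by the 16-byte auth tag
}

var (
	// ErrKeyUnavailable models the availability failure: data present, key lost.
	ErrKeyUnavailable = errors.New("availability: decryption key is not available")
	// ErrIntegrity models the integrity failure: record altered, wrong key or wrong context.
	ErrIntegrity = errors.New("integrity: record failed authentication")
)

// NewKey generates a random 256-bit AES key. In practice it would live in a
// key-management system with a tested backup, not beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record for storage. The context string (for example the
// record's identifier) is bound as associated data so a blob cannot be moved
// between records without detection.
func Seal(key, plaintext []byte, context string) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(context))
	return Record{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and verifies a stored record. An empty key models a lost key.
func Open(key []byte, rec Record, context string) ([]byte, error) {
	if len(key) == 0 {
		return nil, ErrKeyUnavailable
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(context))
	if err != nil {
		return nil, ErrIntegrity
	}
	return pt, nil
}

func main() {
	key, _ := NewKey()
	rec, _ := Seal(key, []byte("name=Jane Doe;dob=1980-01-01"), "customer/42") // constructed sample

	pt, _ := Open(key, rec, "customer/42")
	fmt.Println("confidentiality: stored bytes unreadable, decrypted with key:", string(pt))

	rec.Ciphertext[0] ^= 0x01 // simulate silent corruption on disk
	_, err := Open(key, rec, "customer/42")
	fmt.Println("integrity:", err)
	rec.Ciphertext[0] ^= 0x01

	_, err = Open(nil, rec, "customer/42") // simulate lost key
	fmt.Println("availability:", err)
}
```

The same decryption path reports two different failures: a record that no longer authenticates is an integrity problem, while a record that cannot be opened because the key is missing is an availability problem, which is exactly the ransomware and lost-key case the ICO says it will treat as a breach. Backing up keys, and testing that backup, is therefore part of the security control rather than an operational afterthought.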

The core expectations of the GDPR, said Houlden, are aligned to the top-level security objectives of managing security risk, protecting against cyber attack and detecting security events.

With just one week to go before the GDPR compliance deadline, he said organisations should ensure they are taking action in all these areas and that they are documenting what they are doing.

Emphasising that the ICO prefers to focus on education, support and guidance rather than punish organisations through enforcement action, he said the ICO will take into account anything organisations can show to demonstrate that they were taking their responsibilities under the GDPR seriously.

“If the worst happens, data privacy impact assessments and other documentation will be taken into account,” he said, urging organisations to keep records of all they are doing so that ICO investigators can give credit where credit is due.

Organisations that engage with the ICO to resolve issues, can demonstrate strong information rights accountability arrangements and are trying their best to respect people’s privacy, said Houlden, can expect the ICO to take that into account when considering any action the regulator may need to take.

“And it all comes down to cyber security, which has a huge part to play in the digital world and the digital economy. If cyber security is not right, you are then just relying on your policies, which rely on humans. You need that cyber security layer to be solid. It needs to be functioning as it should do,” he said.

Houlden assured UK organisations that the ICO is going to be proportionate and pragmatic and is not on a mission to punish organisations after the GDPR compliance deadline.

“This is about people and their rights, and cyber security professionals can protect that, and that is what you need to tell company boards. You need to tell them that your talent can help protect citizens’ rights, which is what the GDPR is all about,” he added.
