GDPR – its implications for security
The General Data Protection Regulation (GDPR) comes into force in May 2018. The security industry has to understand, interpret and practise the intention of GDPR: it should not inhibit the gathering and sharing of data, provided that cyber security hygiene measures are in place. Technological advances and business imperatives will mean there is ever more data, and ever more sharing, but this must be done in line with the rules on the security and retention of data.
We asked leading security professionals for their views: will this bring about a step change in our approach to securing data? What other factors will impact cyber security in 2018? We had responses from the following:
- John Unsworth, Chief Executive, London Digital Security Centre (LDSC)
- Jean-Philippe Deby, Business Development Director, Genetec
- Vicki Gavin, Chair, Women’s Security Society
- Adam Bannister, Editor, IFSECGlobal.com
- Sean Kelly, Chief Information Officer, Wilson James
John Unsworth, Chief Executive, London Digital Security Centre (LDSC)
The implementation of GDPR can only be a good thing for the protection of data and helping to drive a shift in how many organisations obtain, store and use personal information.
Will GDPR be the step change in our approach to securing data? On its own, I don’t think so. The security of personal information requires more than just a new regulation; it requires consumers and organisations to realise just how valuable data is to the ever-increasing number of cyber criminals and to take all precautions within their power to protect it.
It requires businesses to appreciate the role they have in keeping consumers safe, and to look after the sensitive information they request from every consumer. It requires consumers to demand of businesses: What are you doing with my data? How are you using it? How are you storing it? How are you keeping it safe?
It needs all procurement processes to have the security of information as a key consideration before entering into contracts with third parties.
The security of data requires everyone to do their bit, and not just leave it with the IT department.
Jean-Philippe Deby, Business Development Director, Genetec
Given the unique challenges involved in terms of GDPR, surprisingly little has been devoted to the process of ensuring compliance for the operation of video surveillance, access control and other physical security systems. Any public or private organisation using CCTV to monitor publicly accessible areas should be concerned, and operators need to focus on adopting privacy by design.
Under the terms of the EU GDPR, data that is anonymised or pseudonymised is classified as lower risk. The appropriate use of encryption and automated privacy tools is, therefore, a logical first step. For example, video redaction that blurs out people’s faces in video unless there is a legitimate reason to reveal their identity can minimise the dangers of having security cameras deployed in public spaces.
Don’t forget, owners of on-premises video surveillance, access control or ANPR systems are responsible for all aspects of EU GDPR compliance, including securing access to the systems and servers storing the information. However, by working with an approved cloud provider it is possible to offload some of these responsibilities and significantly reduce the scope of activities required to ensure compliance. It is also highly cost-effective.
Nevertheless, it is important to realise that it isn’t a full abdication of responsibility. You remain accountable for ensuring data is classified correctly and share responsibility for managing users and end-point devices.
Vicki Gavin, Chair, Women’s Security Society
GDPR is the marriage of privacy and security, where privacy covers all aspects of the use and maintenance of personal information and security ensures the personal data has been appropriately protected.
Achieving this will require a diverse set of skills, and while convergence to a single point of control would seem to be the answer, it doesn’t really address the variety of different specialist skillsets required to deliver such a complex set of controls.
An holistic approach is required with close partnership between all of the security functions. I am sure this will lead to contention for the small number of individuals who are able to demonstrate that they already have both cyber security skills and privacy skills. As there are clearly not enough of these people to go around, we really need to get a lot smarter about recruiting and retaining talent.
If we look at the world of cyber security today, we can extrapolate and get a picture of what the future will likely hold. But this doesn’t have to be. If we look at today’s practices, we can identify a number of opportunities for improvement:
- Avoid qualification creep: identify the minimum qualifications required;
- Review the minimum qualifications for bias and eliminate it;
- Review CVs to include rather than exclude candidates;
- Assemble a diverse interview panel; and
- Retain good candidates through ongoing development.
Look at the problem holistically. Not every job is suited to every person. Get the skills right and there will be lots of diverse candidates to choose from. In short, there is no shortage of talented people, only short-sighted hiring managers.
Adam Bannister, Editor, IFSECGlobal.com
Cybersecurity would have become a hot topic in the physical security sector even without GDPR looming. No longer written off as a separate discipline, data security is now inextricably bound up with security systems that connect to the internet, each other and non-security systems. The 2013 theft of credit card data from US retailer Target via its HVAC system demonstrated the consequences of negligence.
But the GDPR lifts the stakes higher still. Fines for breaches could be up to 79 times greater than those levied under the existing regime. Embedding ‘security by design’ into product development is essential if the industry is to properly protect customers.
But its customers must protect themselves too. The entire supply chain must abandon the silo-based approach and collaborate more closely in this hyper-connected world.
Expect GDPR also to spur already strong growth in the cloud market, since delegation to data-storage experts can help organisations meet compliance obligations.
Seldom do I have a conversation with a security professional who doesn’t mention data security – which at least shows that the industry is keenly aware of its primacy.
Sean Kelly, Chief Information Officer, Wilson James
The step change which GDPR will bring to securing data requires an accompanying paradigm shift in data management. The consequence to business realities in 2018 may well result in GDPR negatively impacting wider cybersecurity delivery.
GDPR follows the good data governance concepts espoused by the Information Commissioner and practised by many blue-chip companies. Regrettably, most companies in the UK are smaller and have systems that are not even close to these standards. Data discovery projects alongside the creation of GDPR-compliant systems represent a very considerable expense. Even though GDPR requires data to be stored securely, smaller companies with tight IT budgets will face a stark choice: GDPR compliance or cybersecurity improvements.
In mid-2018, customers, clients, contractors and employees, past and present, will seek to enjoy their new ‘rights’. The novelty of submitting ‘Subject Access Requests’, at no cost, is likely to produce a flurry of activity. The inevitable failure of the unfortunate few to comply in a timely manner will result in well-publicised fines, and a subsequent panic of redirected IT resources.
It is the redirection of IT resources toward GDPR administrative processes and away from planned upgrades which will most impact cybersecurity in 2018.