Technical (protection) measures, means, technologies, rules and resources are mentioned multiple times throughout the GDPR text. The Regulation does not, however, specify any security technology implementation as obligatory (a few methods are suggested as optional solutions for the specific usage). Choice and evaluation of adequacy is the sole responsibility of the data controller and processor.
The range of possible technical mechanisms and safeguards for processing personal data depends primarily on the existing business processes and underlying ICT systems. Cybersecurity (or ICT security) solutions present a subset of possible technical approaches to ensuring compliance, characterized by its scope (digital domain) and purpose of application (preserving availability, authenticity, integrity, confidentiality, non-repudiation and privacy.
A saying, especially appropriate for GDPR, states that “there is no privacy without security” (not necessarily vice versa). So, what does InfoSec have in store for the GDPR buyer?
Before, during, and after
To put it bluntly, the purpose for cybersecurity protection lies in the very act of compromise. Since there is no way to eliminate threats altogether, only thing that’s left to do is strengthening the defences and then wait.
Security controls can be classified into one or more of the three groups: preventive, detective and corrective controls. Even if the division is not already familiar to the reader, their context can be inferred intuitively: certain measures can help minimize the risk of an incident and/or detect its occurrence and/or conduct an appropriate response; i.e. mitigate the consequences.
Most of the cybersecurity solutions today fall within more than one of the categories. For example, network and endpoint protection solutions prevent unauthorized access, but at the same time constantly monitor the systems’ usage and can detect anomalous behaviour, as well as block certain activities. An insider threat management portfolio provides a psychological barrier for the potential inside perpetrator, while storing a forensics audit trail and providing additional remediation functions.
On the other hand, some solutions are limited to a single domain. Most notable, but only on account of a specific mention in the GDPR, are encrypting and pseudonymising data. Inherently preventive, these solutions provide protection in two directions: rendering the data unreadable to the unauthorized user (not a member of the encryption chain of trust) or altering/masking the data in order to remove its ability to identify an individual (pseudonymising or data tokenization).
A different perspective on ICT security posture offers several focuses, which could somewhat relate to the maturity of the security model of the organization.
The traditional basic approach to InfoSec was confined to network perimeter and endpoint focus, including primarily network firewall, antivirus and patch management solutions. Further need for protection and control lead to the infrastructure and service focus, offering implementations of Security Incident and Event Management (SIEM), Intrusion Detection/Prevention Systems (IDS/IPS), vulnerability management, Web Application Firewall (WAF), etc. Third is the user focus, which provides secure identity management mechanisms and monitoring of individual behaviour. This is achieved through tools and methods such as multi-factor authentication (MFA), Single Sign-on (SSO), Privilege Access Management (PAM), User Behaviour Analysis (UBA) and other solutions. Finally, data-centric focus concentrates on the data itself, by providing classification, encryption/pseudonymising, Data Leakage Protection (DLP) and others.
Although all four categories undergo constant progress and new types of solutions emerge, progression from the first to the fourth focus roughly resembles growth of cybersecurity maturity for most organizations. Adequate protection of (personal) data should therefore meet the corresponding qualities of all four security focuses.
Caveat emptor (“Let the buyer beware”)
This short list of possible mapping of cybersecurity functionalities to GDPR requirements is by no means an exhaustive one. The security landscape is always widening—albeit one step behind the threat agents. An organization’s InfoSec budget is the bottom line and risk management steers the wheel.
However, while prioritization of possible combinations of vulnerabilities, threats and mitigation measures will point to the specific technological direction, adequacy of the solution doesn’t just depend on the requirements & specification matrix. Ongoing delivery and upgrade/maintenance of the solution bears as much importance to the continuous compliance as the functional and operational features.
To conclude: security is not perfect, and privacy has many difficulties. However, we simply can’t afford to put up a Great Wall to keep our people’s data in. Respecting their privacy via legally based business processes is not enough. In order to secure the data, organizations have to invest in the security technology (and continue to do so in a constant manner).