If I had earned £1 for every time I was asked “which IT security solutions help with the incoming GDPR (General Data Protection Regulation)?” I would be able to purchase every possible solution myself. Only that would still fail to answer the question because it’s just not that simple. Nothing ever is.
It’s certainly true that, within reason, there is no such thing as a stupid question. Despite the comedic tone of the opening paragraph, questions about aligning solutions with legislation are included in that. However, asking such a question demonstrates a lack of true understanding of the purpose and magnitude of the GDPR.
The Six Core Principles
The regulation centres around a notion of personal data, that being any data which has the potential to identify an individual, e.g. photographs, names, eye colour and gender, to name a few from the extensive list. It does this for two purposes: one is to create a set of rights that data subjects have over the use and collection of their personal data, and the other is to remove the boundaries across European business by levelling the existing individual national laws into one common standard governing personal data.
This manifests itself as six core principles for data collecting and processing:
- Personal data must be processed lawfully, fairly and transparently.
- Personal data can only be collected for specified, explicit and legitimate purposes.
- Personal data must be adequate, relevant and limited to what is necessary for processing.
- Personal data must be kept up to date.
- Personal data must be kept in a form such that the data subject can be identified only as long as necessary for processing.
- Personal data must be processed in a manner that ensures its security.
The major focus of the six principles is the behaviour by which a processor should be bound. Security controls are referenced in only one of the principles, which is expanded on in Article 32 by requiring data processors to introduce measures to protect the confidentiality, integrity and availability of processing systems. Technology is only ever referred to directly by way of encryption, and even in such cases pseudonymisation is seen as just as appropriate.
View Through a Pinhole
The GDPR was deliberately written to shy away from mandating technological solutions. It accepts, and even advocates, that organisational controls such as change control boards or job-specific permissions often provide sufficient protection.
Focusing on this one facet of the GDPR by seeking or selling solutions does an injustice to the purpose and spirit of the regulation. It ignores that the GDPR is about information security, not IT security.
Data Protection Impact Assessments
Rather, the GDPR recommends that in any case where the processing of data could be considered high risk to a data subject, should it contravene one of the six principles, the data processor should conduct a DPIA (Data Protection Impact Assessment) to assess the risk. This gap analysis exercise will then reveal the areas of risk, which can be addressed with either technology or organisational controls: a tailored process that will be different for every organisation.
Shortcuts are blocked; cheat sheets are irrelevant. The GDPR cannot sell solutions for one simple reason: one size does not fit all.