The European General Data Protection Regulation (“GDPR”) is driving a cultural change that will increase not only data protection but also security awareness. Below you will find the main takeaways of the data protection and cybersecurity seminar held with the GIOIN Open Innovation Network in Turin.
- Cyberattacks (and more broadly IT security threats) are inevitable. It is a matter of assessing how such attacks are monitored and confronted.
- IoT brings increasing concerns, from data sharing with unreliable third parties to insecure data transfer and the use of vulnerable web applications. Connected devices have substantially widened the attack surface (internet, mobile, cloud, etc.), and an exponential increase is imminent (according to Padmasree Warrior, a few years ago only 1% of devices were actually connected…).
- Networks that were devised to connect millions of people will now have to connect billions of things… Connectivity operators will increasingly play a key role in opposing cybercrime and, at the same time, given the current excessive fragmentation, a consolidation of the software security market is likely.
- Although it was not devised for cybersecurity purposes, the GDPR is a great opportunity to address security (and data protection) properly at an earlier stage. It establishes an accountability principle, whereby each company is responsible for demonstrating active compliance with its legal responsibilities.
- Such responsibilities include appropriate security measures, which should at all times take into consideration the nature, scope, context and purposes of the processing and the related risks. Security measures can no longer be considered a static concept, as some inferred from the Italian Data Protection Code, which set out a minimum set of security measures. Security measures will have to be checked and updated progressively, and in this respect data governance processes will have to provide for periodic checks, from both a technical and a regulatory standpoint.
- The security measures obviously include technological measures, among them anonymization, pseudonymization and cryptography. Machine learning and big data analytics will also play a huge role, and this is something that will also be addressed within vendor and third-party management processes. For instance, from RFP requests to contract administration, appraisals and checklists will enquire about such things as early warnings (e.g. for DDoS attacks) and vulnerability tests, and how open source is managed (increasingly we are seeing open-source-based cybersecurity systems!).
- In fact, through the accountability principle almost all GDPR provisions become relevant from a cybersecurity perspective. According to the GDPR, companies must take the privacy risk into account throughout the process of designing a new product or service, and adopt mechanisms to ensure that, by default, minimal personal data is collected, used and retained. The same principles will obviously apply to security risks as well. An approved certification mechanism can be used to demonstrate compliance with the applicable requirements (e.g. ISO/IEC 27001), but will obviously not be considered a substitute for adequate data governance.
- For instance, the GDPR’s privacy impact assessment (PIA) will become a valuable tool for cyber protection. A PIA will be a mandatory prerequisite before processing operations that are likely to present higher privacy risks to data subjects. Proper data governance should ensure that data losses and cybersecurity concerns are also addressed (and documented) within such an assessment.
- The same applies to the GDPR’s portability right, whereby data subjects can require that their data files be transferred from one service provider to another. As also stated by the Article 29 Working Party, companies will have an additional responsibility for ensuring that there are no data breach risks during the transfer, and for verifying that the data reach the right destination. The above risks can be avoided, for instance, through encryption and strong authentication measures.
- Cybersecurity requires a wider approach, addressing both preventive and reactive security models. And technology is only one part of the puzzle, albeit a vital one. The “human factor” remains fundamental. For instance, a distracted employee simply leaving a computer unlocked or falling for a phishing email can cause a substantial data breach from a GDPR perspective.
- The GDPR’s accountability principle will help to further address the human factor. Under the GDPR, companies will have to ensure their employees are adequately trained. Data security (and protection) training platforms have become increasingly relevant. At present, many of us are being inundated with offers of GDPR-related training. Although some will see this as a nuisance, this current trend will help to address the biggest cyber threat today: security (and data protection) unawareness.
- Last but not least, the GDPR’s obligation to notify data breaches will certainly push towards greater compliance. In addition to investigating security measures, once informed, the supervisory authority may ask certain questions, including why the data are being processed and for how long they have been processed. To avoid substantial sanctions, companies will have to be ready to answer such questions, which will in turn lead to one of the most effective (preventive) security measures: being aware of the reasons for which the data are used, and thus reducing all unnecessary data processing (data minimization).
Special thanks to Agostino Santoni (AD Cisco Italia); Fabio Ugoste and Paolo Musso (Gruppo Intesa Sanpaolo); Alessandro Vallega (Oracle); Rodolfo Mecozzi (EY Cybersecurity); Matteo Flora (The Fool); and Alberto Fioravanti, Marco Gay and Layla Pavone (Digital Magics), who contributed to a very interesting debate.
Let us know if you want to further discuss GDPR and data security.