June 14, 2019
It has been a year since the enactment of the General Data Protection Regulation (GDPR), which has marked a series of events for the big data collectors and processors, such as Google and Facebook. Both of the tech giants have been subject to fines as a result of users’ data privacy misuses – by violating the GDPR, while Facebook is currently settling an agreement with the Federal Trade Commission for data misuse, which will cost the company a staggering 5 billion dollars.
Confounding the GDPR and Information Security
So, clearly, the implementation of such a privacy regulation has had its impact on the global tech business landscape, and as such, organizations of all types and sizes are constantly working to be compliant with the GDPR. However, being compliant with the GDPR entails securing the data of your users – in other words it is a trait of data privacy protection, and in this matrix it is easy to overlook and confuse this with information security. The latter, entails that the information is secure from unauthorized access from malicious attackers, while the former (data protection) is to say that the user data is and will not be shared with third parties without the knowledge and unambiguous consent of the user. The counterpart of the GDPR (data protection compliance) is the internationally recognized ISO/IEC 27001 – the international standard developed by the International Organization for Standardization and the International Electrotechnical Commission (IEC) which provides requirements on an Information Security Management System.
While it is easy to confuse the two domains – information security and GDPR compliance – the consequences of this confusion might be perilous to the point of threatening the existence of an organization. In other words, if an organization which is constantly striving to be compliant with the GDPR, all of a sudden is the victim of a cyber-attack which results in a cyber disaster – a massive data breach of some sort, such as Wannacry or the Marriott data breach– and is unprepared for such an event, it might risk its very existence in the market because of lawsuits, reputation damage and legal actions that might be taken by the government which enforces the law of the land that the organization is operating on. So let’s make a distinction: The Cambridge Analytica scandal was a users’ data privacy disaster, while the Marriott data breach was an information security disaster, because it was caused by black hat hackers.
The GDPR and ISO/IEC 27001
In today’s business world, online presence is not negotiable, and as such, if you are present online and have customers, you are forced to be at least a data collector, if not a processor. The difference between the two is that the former simply collects and stores the data, while the latter processes this data and produces results such as customer behavior, preferences, and connects them with age, gender, location and more.
Organizations, both for-profit and nonprofit, have been implementing the ISO/IEC 27001 a long time before the existence of the GDPR. So information security is a much older domain than data protection, because hackers have been present for as long as the internet has existed. Data privacy protection, on the other hand, made it to the public discourse only after users’ data became the “gold mine” of big tech players, which offer “free” services to users in exchange for selling their data to third parties, and scandals such as the Cambridge Analytica were events which really caught the public’s attention and made public opinion raise a voice.
As mentioned, ISO/IEC 27001 is an internationally recognized standard which provides requirements which have to be implemented by an organization in order to have in place an Information Security Management System. The standard has a series of controls that are meant to make sure that the information that the organization possesses, from internal and external sources, is secure from unauthorized access. As such, it is a very technical document, which outlines mechanisms, methods, 114 security controls. These controls make it an internationally applicable standard on information security for every type and size of organization because while these controls are exhaustive, they may or may not apply to every organization, and therefore ISO/IEC 27001, while being particular in what it offers, is universal in its applicability.
Integrating Information Security Management and Data Privacy Protection
However, information security and data protection are indeed complementary disciplines, and therefore an integration of GDPR compliance and ISO/IEC 27001 certification would be ideal for every organization, in that it would not only make the information the organization possesses secure from unauthorized third party access and would protect privacy, but it would also protect and improve the organization’s reputation and trustworthiness in the eyes of customers as well as stakeholders, while minimizing the impact (both technical and financial) of a cyberattack or data breach.
Currently, there is a standard being developed by ISO, the ISO/IEC 27552 – Security techniques, Requirements and Guidelines, which is an extension to the ISO/IEC 27001 and ISO/IEC 27002, and which provides the requirements to implement and maintain a Privacy Information Management System (PIMS), in addition to the Information Security Management System (ISMS) provided by ISO/IEC 27001.
Organizations can be certified against both standards upon the implementation, verification and successful auditing from an accredited and independent third party (a certification body), even though in order to obtain ISO/IEC 27552 certification, the organization must have already in place an ISMS according to ISO/IEC 27001 and be certified against it.
This new standard will make possible for organizations to implement privacy security controls in addition to information security controls, which would guarantee data privacy protection, and makes it an ideal approach to having a comprehensive management system to tackle both information security and data privacy compliance in accordance with the GDPR. Among others, the GDPR states that organizations which collect and/or process data must have an individual – a Certified Data Protection Officer (CDPO) – or team of individuals who are responsible for the management of data privacy within the organization. Most companies which have a Chief Information Security Officer (CISO) or a Chief Technology Officer (CTO) have amalgamated the duties by delegating the responsibilities of the CDPO to either the CISO or the CTO and the respective teams, if they have any. This integration of duties seems natural because, as mentioned, the domains of data privacy protection and information security are complementary.
In conclusion, while data protection privacy and information security can be blended together in terms of duties and responsibilities, it is still essential for an organization to not neglect the difference between being GDPR compliant and having an information security management system in place based on the ISO/IEC 27001. The International Organization for Standardization is offering the solution by adding PIMS controls to an already existing ISMS, which will make the job of organizations much easier in being both GDPR compliant and cyber-resilient.
Julian Kuçi is the Marketing Quality Assurance Manager at the Professional Evaluation and Certification Board (PECB). He is an honor graduate of RIT in Economics & Statistics and Public Policy & Governance. Julian holds a diploma in Transitional Justice from the Regional School of Transitional Justice and is certified against ISO 9001 – Quality Management and ISO/IEC 27001 - Information Security Management.