Cyber Security and GDPR

A saying especially appropriate for GDPR states that “there is no privacy without security” (though not necessarily vice versa). Technical security measures are mentioned several times throughout the GDPR text. The GDPR does not, however, specify any particular security technology as mandatory, although some methods are suggested as optional solutions in some cases.

The choice of technical solutions and evaluation of their adequacy is the sole responsibility of the data controller and processor. The range of possible technical security controls and safeguards for personal data will depend on the existing business processes and the existing IT infrastructure and systems.

Security controls can be classified into one or more of three groups: preventive, detective and corrective controls. Even if these categories are not already familiar, their purpose can be understood intuitively. Certain measures help minimise the risk of an incident, some detect its occurrence, and others carry out an appropriate response, i.e. mitigate the consequences and/or prevent future occurrences.

Many cybersecurity solutions today fall within more than one of these categories. For example, network and endpoint protection solutions prevent unauthorised access, but also continually monitor system usage, detect anomalous behaviour and block certain activities. A data leak prevention (DLP) solution can provide a psychological barrier for potential inside perpetrators, block processing of data in certain ways and also store a forensic audit trail.

On the other hand, some solutions are limited to just one domain. Notable in relation to GDPR, because the regulation mentions them specifically, are the processes of encrypting and pseudonymising data. Both are fundamentally preventive solutions. They differ in that encryption renders the data unreadable to an unauthorised user, whereas pseudonymisation alters or masks the data in order to remove its ability to identify an individual (sometimes referred to as data tokenisation).
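The following sketch illustrates the pseudonymisation side of that distinction. It is an added example, not part of the original article: keyed HMAC-SHA256 tokenisation is one common technique chosen here as an assumption, and the field names, function names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (an assumption for this example).
IDENTIFYING_FIELDS = ("name", "email")


def pseudonymise(record, key, fields=IDENTIFYING_FIELDS):
    """Return a copy of record with identifying fields replaced by keyed tokens."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            # Normalise so "Ana@Example.org " and "ana@example.org" map to one token.
            value = str(out[field]).strip().lower().encode("utf-8")
            # The field name is mixed in so equal values in different fields differ.
            mac = hmac.new(key, field.encode() + b"\x00" + value, hashlib.sha256)
            out[field] = "tok_" + mac.hexdigest()[:32]
    return out


def build_lookup(records, key, field):
    """Token -> original value map, to be stored apart from the pseudonymised set."""
    return {pseudonymise(r, key, (field,))[field]: r[field]
            for r in records if r.get(field)}


# Constructed sample records, not real personal data.
SAMPLE = [
    {"name": "Ana Kovac", "email": "ana@example.org", "country": "HR", "order_total": 120},
    {"name": "Ana Kovac", "email": "Ana@Example.org ", "country": "HR", "order_total": 35},
    {"name": "Ben Smith", "email": "ben@example.org", "country": "IE", "order_total": 60},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # must be kept separately from the output data
    for row in (pseudonymise(r, key) for r in SAMPLE):
        print(row)
```

Unlike an encrypted record, the output stays usable for analysis (orders by the same customer still link, and non-identifying fields remain readable), while re-identification requires the key or the lookup table held elsewhere.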

Security Maturity

The traditional approach to Information Security was limited to a network perimeter and endpoint focus, including network firewall, antivirus and patch management solutions. Due to the requirement for increased protection and control, this basic approach led to the infrastructure and service focus. This included implementations of Security Incident and Event Management (SIEM), Intrusion Detection/Prevention Systems (IDS/IPS), vulnerability management, Web Application Firewall (WAF), etc. The third stage is user focus, which provides secure identity management mechanisms and monitoring of individual behaviour. This is achieved through tools and methods such as multi-factor authentication (MFA), Single Sign-on (SSO), Privilege Access Management (PAM), User Behaviour Analysis (UBA) and other solutions. Lastly, data-centric focus concentrates on the data itself, by providing classification, encryption/pseudonymisation and Data Leakage Protection (DLP).

Although all four focus areas undergo constant progress and new types of solutions emerge, progression from the first to the fourth focus roughly tracks growth of cybersecurity maturity for most organisations. Adequate implementation of all four focus areas is required to fully protect personal data.

The security landscape is always widening, albeit one step behind the threat agents. An organisation’s InfoSec budget is the bottom line and risk management steers the ship. However, while prioritisation of possible combinations of vulnerabilities, threats and mitigation measures will point to a specific technological direction, the adequacy of a solution doesn’t depend only on the requirements and specification matrix. Ongoing delivery and upgrade/maintenance of the solution are as important to continuous compliance as its functional and operational features.

In conclusion, security is not perfect, and privacy presents many difficulties. Respecting privacy via legally based business processes is not enough. In order to secure the data, organisations have to invest in security technology and keep doing so continuously.