How does GDPR apply to IT security professionals?
The General Data Protection Regulation (GDPR) came into force on 25 May 2018. As well as tightening data protection rules for all businesses handling the personal data of EU citizens, it extends responsibilities to data processors in addition to data controllers.
The GDPR is of particular importance to IT security professionals, as data controllers and processors must not only demonstrate an awareness of their data protection obligations, but also show they have taken steps to comply with the regulation (e.g. putting in place effective cybersecurity measures).
What are the primary challenges to achieving compliance?
Most companies were unprepared for the GDPR implementation on 25 May. According to the 2018 GDPR Compliance Report from Alert Logic, only 7% of companies were on track to achieve compliance by that date, with some of the main barriers to compliance being:
- lack of expert staff with critical skills (43%)
- lack of budget (40%)
- a limited understanding of the new regulations (31%)
Who is responsible for GDPR?
A noteworthy finding from the report, for IT security professionals, is that primary responsibility for GDPR compliance within many companies falls to IT teams (27%) and Information Security (25%) – significantly ahead of legal teams (15%), which would normally be the more obvious custodians of regulatory compliance. The reason for this discrepancy may be that many companies simply don’t have a legal department, so data protection matters often end up in the technical domain by default.
Ironically, although GDPR compliance has ended up on the desks of IT professionals, the majority of concerns relating to the new regulations do not actually involve IT security – but instead involve organisational matters of processes, policy and documentation. Furthermore, even well-staffed and funded information security teams cannot address the bulk of compliance requirements under the GDPR; new policies need to be put in place by management, and admin teams must adopt new processes.
What is Article 32?
Article 32 of the GDPR states that data controllers and processors must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. It goes on to note certain measures which can be taken:
- “the pseudonymisation and encryption of personal data
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
How does Article 32 challenge IT professionals?
Article 32 is rather vague in terms of compliance requirements. Although it mentions some specific measures, the list is by no means exhaustive. It therefore falls to IT security professionals to decide what constitutes “appropriate technical measures” and how to ensure these are implemented. Finally, the “organisational” measures aspect of the article means that other teams (legal, operations, marketing, etc.) need to work with IT to ensure a consistent approach.
Having a working understanding of the GDPR is crucial to ensuring compliance, both for IT security specialists and for other professionals in the wider business context. If you would like to find out more about how Navisite can help you with your data, please contact us.