
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


The Great GDPR Sale

Topics: Data Protection, Compliance, GDPR, DPA

Posted: 23 January 2017


If I had earned £1 for every time I was asked "which IT security solutions help with the incoming GDPR (General Data Protection Regulation)?", I would be able to buy every possible solution myself. That still would not answer the question, because it is just not that simple. Nothing ever is.

It is certainly true that, within reason, there is no such thing as a stupid question, and despite the comedic tone of the opening paragraph, questions about aligning a product with legislation are no exception. The problem is what the question reveals: asking it in that form shows a lack of real understanding of the purpose and the scale of the GDPR.

The Six Core Principles


The regulation centres on the notion of personal data: any data that could identify an individual, e.g. photographs, names, eye colour and gender, to name a few items from an extensive list. It does this for two purposes. One is to create a set of rights that data subjects have over the collection and use of their personal data; the other is to remove barriers across European business by replacing the existing, differing national laws with one common standard governing personal data.

This manifests itself as six core principles for data collecting and processing:

  • Personal data must be processed lawfully, fairly and transparently.
  • Personal data may only be collected for specified, explicit and legitimate purposes.
  • Personal data must be adequate, relevant and limited to what is necessary for the processing.
  • Personal data must be accurate and, where necessary, kept up to date.
  • Personal data must be kept in a form that permits identification of the data subject for no longer than is necessary for the processing.
  • Personal data must be processed in a manner that ensures its security.

The main focus of the six principles is the behaviour that a controller or processor should be bound by. Security controls are referenced in only one of the principles, which is expanded on in Article 32: controllers and processors must implement appropriate technical and organisational measures to protect the confidentiality, integrity, availability and resilience of processing systems. Technology is only ever referred to directly in the form of encryption, and even there pseudonymisation is listed alongside it as an equally appropriate measure.

View Through a Pinhole


The GDPR was deliberately written to avoid mandating specific technological solutions. It accepts, and even advocates, that organisational controls, such as change control boards or job-specific permissions, often provide sufficient protection.

Focusing on this one facet of the GDPR, whether by seeking or by selling solutions, does an injustice to the purpose and spirit of the regulation. It ignores the fact that the GDPR is about information security, not IT security.

Data Protection Impact Assessments


Instead, the GDPR requires that wherever a processing operation is likely to result in a high risk to data subjects, the data controller must conduct a DPIA (Data Protection Impact Assessment) before the processing begins. This gap analysis reveals the areas of risk, each of which can then be addressed with either technical or organisational controls. It is a tailored process whose outcome will be different for every organisation.

Shortcuts are blocked and cheat sheets are irrelevant. The GDPR cannot sell solutions for one simple reason: one size does not fit all.

Posted by: Infinigate UK