DPO appointed? Tick.
Data Protection Impact Assessments conducted? Tick.
Subject Access Request process operational? Tick.
You’re in good shape, right? Well, in a narrow GDPR sense, you might just be. But beware the data protection illusion. There are all too many organisations out there that have decent levels of GDPR compliance, but still don’t address the basics well enough in other areas of their cybersecurity programme. As an example, we’ve seen businesses take pride in the rigour with which they conduct Data Protection Impact Assessments (DPIAs) yet implement an information classification scheme that could at best be described as ‘surviving’ and at worst as ‘completely ignored’.
Back in 2018, many businesses scrambled to comply with the new data protection regulations yet failed to take a step back and evaluate their overall stance towards information security from a risk perspective. In short, they plugged the data protection hole in the dam, but didn’t notice the cracks forming elsewhere. More worryingly, they failed to assess the volume of water building on the other side of the dam.
What I’m describing is a classic symptom of a compliance-driven approach. Stay on the right side of the law, keep the regulators happy and everything will be fine. Wrong. Such an approach just isn’t fit for purpose in today’s threat landscape.
For data protection measures to be truly effective, they must nestle neatly within a wider, risk-based framework of measures and activities that can be applied consistently throughout the entire organisation (in effect removing fear, uncertainty and doubt from the equation as far as possible). This framework should cover everything from the cybersecurity strategy set by the Board, through information classification and risk-based vendor management, to threat intelligence and effective day-in/day-out assurance that everything is functioning as intended. In short, meeting compliance requirements is merely a baseline.
Whilst the GDPR does require a risk-based approach (focusing heavily on potential privacy impact), it runs the risk of being interpreted too narrowly. True cyber protection requires a thorough assessment of the need for measures that are proportionate to the value of the organisation’s information assets and to the potential damage that might result if they were to be compromised. This assessment needs to be repeated as the value of information changes and as threats evolve. For less mature organisations, or those with a restricted budget, there are accepted models for conducting effective periodic risk assessment. For more advanced organisations, the aim is to get as close to real-time risk assessment as possible (i.e. processes that detect changes to the risk profile ‘on the fly’ – as threats evolve or as defences weaken). At CRMG this is the stuff that we live and breathe, because it’s the bedrock on which every cybersecurity programme should be based.
So, by all means examine the adequacy of your data protection arrangements on a regular basis (they ARE important, after all), but don’t forget that they’re only one part of a much wider programme without which your business will – at some point – come unstuck.
PS: Here’s one last note of caution. Don’t confuse information that is ‘sensitive’ with information that is ‘critical’. Data protection regulations require organisations to handle sensitive information (i.e. information that is specific to living individuals) with care. They couldn’t care less about information that is critical to your organisation’s survival but not sensitive (such as the finer detail of your upcoming market flotation). Ensure your cyber approach genuinely protects both sensitive and critical information.
About the author
Co-Founder & Director, CRMG