Assuming your information security makes you compliant with the regulations governing your industry is a common mistake, and it's no different under the General Data Protection Regulation (GDPR). It's also important to remember that robust security doesn't equal privacy.
Ideally, security and privacy must be balanced, and there should be a healthy tension between those responsible for each one in the organization. Unfortunately, they're often managed in silos, but if you're going to be compliant with GDPR today and with what it becomes down the road, or with any other privacy legislation, then you need to create a culture that embraces both with intention.
Good security must be intentional
Driving this culture shift doesn’t happen overnight. Under GDPR, it should be an ongoing process.
However, information security is usually viewed as the responsibility of the IT team; most users take for granted that the applications and data they interact with every day have been adequately safeguarded. Further, many organizations assume good security automatically ensures privacy, which leads them to assume they are also compliant with privacy legislation, whether it's GDPR or other legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA).
But even before privacy became the new normal, information security was becoming less and less about keeping sensitive information inside the firewall and threats such as malware and intruders out. The advent and rise of mobile devices, distributed offices and remote workers means there's no longer a clear perimeter to secure. The "castle with a moat" no longer exists.
Privacy, however, has never been as simple as keeping data in and viruses out. Rather, it’s about knowing what data you have, where it’s stored, what it’s being used for and how it flows through the organization, so you can make sure the right people can use it, and the wrong people can’t gain access to it.
If you're going to be compliant with GDPR, your privacy efforts must also be intentional. That's why they must be coordinated with your security efforts and made part of your organization's culture.
Security and privacy must be embedded, not siloed
Because GDPR compliance is an ongoing state, not a one-time milestone to be achieved, privacy must be driven into everyone's thinking along with security. But even though privacy depends on good security, those responsible for security in the organization aren't responsible for compliance with privacy legislation. Flip it around, however, and a good privacy posture doesn't automatically make your organization's information secure. Rather, security, privacy and compliance must be approached collaboratively and concurrently; breaking down silos within your organization is essential for security and privacy to work together effectively and make you compliant with GDPR.
Not only must security and privacy co-exist for any compliance to happen consistently, GDPR or otherwise, but both must be embedded in the culture of the organization. Just as security can no longer be tacked on after the fact (developers are getting better at thinking about security as they begin to build applications and operating systems), privacy must be embedded in business processes, such as when a new customer is onboarded. However, neither privacy nor security should get in the way of people getting their jobs done.
Being intentional about both security and privacy means opening a dialogue between different parts of the organization so everyone is thinking about them. If your security intersects with your privacy efforts, you can more effectively support GDPR compliance. By breaking down silos, your privacy requirements can inform your security design, requirements and operations. Security stops being at odds with privacy efforts and instead improves them. This ultimately better positions you to support GDPR.
By being intentional about both security and privacy, you’re not only compliant today, but in a state of readiness to navigate any privacy legislation as it evolves.