Where does cyber security stop and data protection start?
04:00 Wednesday, 22 September 2021
UK Cyber Security Council
GDPR, the European data protection law, is based on six principles. These are outlined in Article 5, item 1(f) of which states that personal data must be: “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
Similarly, Article 66 of the UK data protection law notes that: “Each controller and each processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data”.
In both cases the mention of security is very brief, though particularly in the case of GDPR it is one of the core stated principles – that is, a few words have a great deal of meaning and authority.
If we examine the ISO 27001 standard, we find no specific references at all to data protection. There are, however, references to assets – for example item A.8.1.1 of Annex A, which can be taken as being as relevant to personal data assets as it is to physical assets. In the case of the ISO 27000 family, though, the brevity of references in the main standard is more than offset by the 66-page supplementary standard ISO 27701, “Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management”. Similarly, there is an equivalent stand-alone British Standard for personal data security, BS 10012, “Data protection – Specification for a personal information management system”, whose 2017 version was updated specifically to: (a) revise its requirements to fit directly with the new GDPR legislation; and (b) to align with the structure of the ISO standards.
And despite the brevity of specific references in the various data protection laws, there are security implications throughout. Personal data may only be accessed by those who need to access it – which maps directly onto the Principle of Least Privilege in a security sense. Looking at it from the other side, ISO 27001 states that test data must “be selected carefully, protected and controlled”, which maps onto the data protection law’s instruction to avoid using recognisable personal data for development or testing. The data protection law giving the right to data portability implies that this must be achievable securely and accountably. And so on, and so on. Hence the lack of specific mentions of security in data protection laws does not detract from the wealth of implicit requirements.
All of the above begs the question: what skills do I need to pick my way through the minefield? From the point of view of the cyber security specialist, a basic qualification in data protection gives a tremendous boost as it builds on a security generalist’s knowledge by injecting specific expertise in what is arguably the most important new privacy concept of modern years.
Where data protection and cyber security deviate is the legal requirement for appropriately skilled staff who have sufficient authority to carry out their jobs. The GDPR states that management must ensure that: “the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data” and that the DPO must “directly report to the highest management level”. The UK variant has similar provisions: in short, the DPO is strongly protected by the law, to the extent that he or she cannot be fired for doing the job diligently.
The same does not apply in general cyber security – or at least not yet in the UK. The Department of Financial Services of the US state of New York is, however, blazing a trail for cyber security in the Financial Services section of the New York Codes, Rules and Regulations (NYCRR) Part 500, entitled “Cybersecurity Requirements for Financial Services Companies”.
This regulation mandates in law a raft of activities that are merely considered best practice elsewhere: a Board-supported cybersecurity policy, penetration testing at least once a year, cyber risk assessments whose outputs feed into the design of security systems, and the like. Section 500.04 brings DPO-style responsibilities and privileges into mainstream cyber security, too, stating that: “Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy”, defining that individual as a Chief Information Security Officer. Yes – there is a legal requirement for a New York financial services company to have a suitably empowered CISO that almost perfectly reflects GDPR’s obligation to have a DPO in certain cases.
The principles of cyber security apply extensively to data protection, then, although in the UK and Europe the legal obligations and protections are much stronger for the data protection officer than for the head of cyber security. It would not be a surprise, however, if the approach that has been pioneered by the New York Department of Financial Services finds its way across the Atlantic and into the IT-related laws of Europe and the UK – which a security specialist with a skills head-start in data protection will be perfectly placed to exploit.