GDPR Vulture

Want on the GDPR Bandwagon? Be Qualified, or Stay the Hell Off!

First, what do I mean by ‘qualified’? – I mean that the only people truly qualified to lead a GDPR project are lawyers specialising in privacy. That’s it.

EVERYONE else only has a part to play. Often a very significant part, but that’s it for them as well. A part.

I’m NOT saying that every single organisation has to make the significant investment in a privacy lawyer to meet the intent of GDPR. I’m saying that the only ones qualified to determine ‘intent’ in your organisation’s specific context, are privacy lawyers. No-one who is an expert in information technology, or cybersecurity, or any other subject is qualified …unless they are also a privacy lawyer.

To even further labour the point, a qualified person is neverCertified EU General Data Protection Regulation Practitioner …unless – you guessed it – they are also a privacy lawyer.

I’ve seen every type of vendor from Cyber Insurance providers, cybersecurity consultants, to single-function technology vendors, make the most ridiculous claims as to their suitability to ‘help’ with GDPR. All to make a bit more money while the GDPR bandwagon is on the roll.

The prize so far goes to a consultant who maintains that the entire GDPR can be ‘operationalized’ under the ISO 27001 standard. Unfortunately this attitude is pervasive, as no organisation seems to want to share the opportunity with appropriate partners. The attitude of ‘land-the-gig-and-we’ll-work-out-how-to-deliver-it-later’ cannot apply here. GDPR is a law, one with significant penalties attached, so unless you really know what you’re doing, stick to what you know. And ONLY what you know.

For example, I can be [very] loosely categorised as a ‘cybersecurity expert’, so that limits my ability to help with GDPR to:

  1. Data Security – As I’ve said a few times now, of the 778 individual lines of the GDPR Articles, only 26 of them are related directly to data security. That’s only 3.34%. Yes, I can help you implement ISO 27001 to cover that 3.34% (a.k.a. “appropriate security and confidentiality”), but if GDPR is the only reason you have to implement ISO, don’t bother, you’ve missed the point;
    o
  2. Secure Technology Implementation – GDPR is not about technology, but the implementation of GDPR will have significant technology implications. From collection of consent (Recital 32), to age identification (Recital 38), to the rights to erasure and rectification (Recital 39), technology will play a big role. All of this technology will require appropriate security wrappers in-line with demonstrable good security practices; and
    o
  3. Governance Design and Implementation – Any organisation that has a Governance function already has a GDPR Implementation Team in place. Since there can be no true Governance without full departmental representation (Technology, Security, Legal, PMO, Sales, Marketing and so on), it follows that the Security team will have full understanding of GDPR’s impact from the Legal team. In turn, Technology and Security will have significant input to Legal’s decisioning, and it’s this ‘negotiation’ under the Governance umbrella that gives GDPR its ‘organisation specific context’.

This should be more than enough for any security consultant, but apparently it’s not enough for some consultants who want to replace Governance all by themselves. But, what’s wrong with partnering up with others to do the parts you absolutely should not touch? Is it not better to be really good at the one thing you do for a living and be part of a team of experts who can cover the other bases?

To put this another way, do you really want to ruin your reputation by lying to your clients now, or be the resource they come to to solve every similar problem from this point forward? Do you want to sell used cars or be a trusted advisor?

GDPR, like security, is not complicated. It’s actually very simple, just BLOODY difficult to implement. There is not one individual who can simplify this for you, not even a privacy lawyer. So if you’re looking to implement GDPR, you can rest assured that anyone who is a) not a privacy layer, AND 2) not part of a team of experts with collaborative skill-sets, AND 3) trying to sell you something, should be listened to with caution.

As always, I am not going to lay the blame entirely at vendor’s feet, they too have a business to run. In the end, the only people who get the answers they need on GDPR are the ones asking the right questions.

You MUST do your homework!

[If you liked this article, please share! Want more like it, subscribe!]

PCI to GDPR

Going From PCI to GDPR? You Are Starting from Square One

To be very clear from the outset, if you think the PCI DSS is a good ‘stepping stone’ to GDPR, you need to do a lot more homework. Data security represents less than 5% of the entire GDPR, and the PCI DSS is – in my admittedly biased estimation – no more than 33% of a true security program.

I have, for years, railed against the PCI DSS as an inadequate baseline for security, and even the card brands and the SSC have never claimed it be more than what it is; a set of MINIMUM security control related to the protection of cardholder data. Well, except for this ill-advised and rather naive quote perhaps;

People come to me and say, ‘How do I achieve GDPR compliance?’… Start with PCI DSS.

The PCI DSS was written for ONE very specific purpose, and it’s only ego, desperation, or vested interest that would lead people to think it’s anything more.

The reason for this particular blog is reading articles like the two samples below. It’s articles like these that lead organisations who don’t know better [yet] into making bad decisions. They also give cybersecurity professionals a bad name. Well, worse name, unscrupulous QSA companies and greedy product vendors have already caused significant damage.

Article 1, and by far the most egregiously overstated quote [so far] is from an article in SecurityWeek (PCI 3.2 Compliant Organizations Are Likely GDPR Compliant); “Any company that fully and successfully implements PCI DSS 3.2 is likely to be fully GDPR compliant — it’s a case of buy one and get one free.” Given the author’s apparent credentials, he should know better. Since when does the PCI DSS deal with explicit consent, or children’s data, or the right to erasure/correction/objection/portability and so on.

Then, in the very recent article 2; How the PCI DSS can help you meet the requirements of the GDPR – the author states that; “Failure to report breaches attracts fines of up to €10 million or 2% of annual turnover, whichever is higher. Breaches or failure to uphold the sixth data protection principle (maintaining confidentiality and integrity of personal data) can attract fines of up to €20 million or 4% of annual turnover (whichever is higher).

No part of the above statement is factually correct:

  1. Just because Article 33 – Notification of a personal data breach to the supervisory authority is included in Article 83(4)(a) – General conditions for imposing administrative fines, it does NOT mean that failure to respond in 72 hours will attract a fine. There are many caveats; e.g. Recital 85 states ; “the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it (Recital 85)”‘
  2. sixth data protection principle“? – Nothing to do with confidentiality and integrity, assume author meant the seventh principle (security).
  3. Maximum fines for data breaches are 2% (for an undertaking, a.k.a. a group of companies), not 4%.

The author then goes on to say; “The ICO is also likely to treat inadequate or non-implementation of the PCI DSS as a failure to implement appropriate “technical and organisational measures” to protect personal data…” which is clearly not the case. The ICO has always left loss of cardholder data / PCI up to the card schemes, and have already mentioned ISO 27001 in their “The Guide to Data Protection“.

Every article I have read on how PCI helps with GDPR, is at best, hugely overstated, and at worst, full of self-serving lies. I can fully appreciate the desire for cybersecurity companies (especially QSAs) to branch out from the massively price compressed and ultimately doomed PCI space, but to do so in this manner is unconscionable.

Unfortunately if you are falling for this advice, I can safely assume that you:

  1. have little idea of how limited the PCI DSS is, even as protection for the only form of data to which it’s relevant;
  2. have little idea what the GDPR is trying to achieve if you think a bunch of security controls are that significant a component; and
  3. don’t actually know what an ‘appropriate’ security program should look like.

This is actually not meant as a criticism, these things may not be your job, but if you have any responsibility for GDPR, you absolutely must learn to ask the right questions.  I will finish with some reasoning below, but leave to up to you work out whose guidance to take.

PCI and GDPR are very far removed from each other.

  1. Data protection Articles are only 3.34% of the Regulation – yes, I actually worked this out on a spreadsheet. That means the GDPR is 96.66% NOT security control relevant. Of course IT and IT security are important and intrinsic to GDPR, but PCI does not cover anything else other than than those things.;
    o
  2. PCI DSS makes no mention of the need for Governance – PCI compliance is almost invariably an IT project, and while this is obviously wrong, does not prevent organisations from achieving compliance. In GDPR, the IT folks have absolutely no idea where to start. Nor should they, IT/IS people aren’t lawyers and they do not control the organisation’s direction, they are business enablers who do as bid by senior management. GDPR requires a team effort from every department, which is exactly what Governance is.;
    o
  3. PCI DSS is about compliance to an already defined standard of security controls, the GDPR requires a demonstration of ‘appropriate security’ measures – For example, what if your annual risk assessment showed that the PCI controls were actually excessive? Could you scale some of them back? No, you can’t. Alternatively, what if your risk assessment showed that they weren’t enough, could your QSA insist that you went above and beyond? Again, no, so what the hell is the point of the risk assessment in PCI?
    o
  4. Only QSAs that started out as security consultants [not the other way around] have the skill-set to provide any help at all. If they were experts in ISO 27001, CoBIT, NIST etc., then yes, they can help you both define and implement ‘appropriate security’. If all they did was pass the QSA exam, the only guarantee you have is that they can read.
    o
  5. The PCI DSS can never keep pace with the threat landscape – It’s already way behind, and with its complete inability to change significantly, the DSS can never represent appropriate security. If the DSS did change significantly, both the card brands and the SSC would be lynched. Millions of organisations have spent BILLIONS on PCI, they will simply refuse to start all over again. GDPR on the other hand has no defined controls, it’s up to YOU to show that your controls meet the measured risk.

In the end, the only way PCI can help with GDPR is to use the assigned budget to do security properly. You will never reach GDPR ‘compliance‘ using PCI, but you will achieve both PCI and GDPR compliance on the way to real security.

[If you liked this article, please share! Want more like it, subscribe!]

Reasonable Security Measures

GDPR: How Do You Define ‘Appropriate’ Security Measures?

Ask a lawyer what ‘appropriate’ or ‘reasonable’ means and they’ll come back with something like; “What would be considered fair by a disinterested third party with sufficient knowledge of the facts.”, or “Fair, proper, or moderate under the circumstances.”

Now translate that into what kind of security measures are considered appropriate? How would you justify that what you are doing is reasonable, fair, or proper under the circumstances?

Because that’s what you’ll have to do if things go wrong under GDPR. You’ll have to justify that the measures you took to protect personal data were underpinned by an appropriate program for measuring and treating risk. If your breach was shown to be anything other than a determined attacker, all you’ll have in your defence will be poor excuses. This is no better than negligence.

When you consider that the General Data Protection Regulation (GDPR) – and every other regulatory compliance for the matter – was written by lawyers, should we not be able to work out what ‘appropriate’ means for a security program? After all, lawyers have no problem defining the word ‘reasonable’, they even apply it to their fees!

The good news is that the process is not only well known, it’s simple; it’s called Risk Management, and it’s been around for decades.

Step 1: Complete your Asset Register;

Step 2: Map your assets to your business processes (which should already be mapped to revenue);

Step 3: Map your business processes to your business goals;

Step 4: Run a Risk Assessment against all business processes and / or key IT systems;

Step 5: Document the business impact of each risk (mapped against both revenue and business goals);

Step 6: Document Senior Leadership’s risk appetite against each business goal;

Step 7: Perform full analysis of security controls, determine if there are any gaps between the current state and the risk appetite;

Step 8: Fill the gaps;

Step 9: Document everything; and

Step 10: Repeat annually, or prior to any major changes.

Now put yourself in the shoes of an auditor after you have been breached. What are they going to ask you for? What could anyone reasonably expect you to have in place if you were taking your duties seriously?

If I was an auditor I’d ask for 5 things up front, as without them I know there is no way you have an appropriate security program in place:

  1. A mapping of your policies, standard and procedures to whatever security framework you based your security program on;
  2. Your risk assessment procedure, and the results of the last one conducted;
  3. Your risk register;
  4. Your change control procedure; and
  5. Your incident response procedure.

At this stage I would care nothing for your technology, or how much you spent on it. A technology purchase outside of a properly defined business need is nothing more than smoke and mirrors. Besides, no regulator has ever tried to qualify how much you spent. It’s up to you to show why you spent what you did, and why you didn’t spend more.

The thing to bear in mind here is that the validation of ‘appropriateness’ is not a conversation, it’s documentation. It’s not even evidence of the technologies you have running, it’s showing that the technologies you do have meet the risk you have defined. While from a lawyer’s perspective, appropriate is demonstrated by precedent, in cybersecurity, appropriate is demonstrated by the extent and capability of your security program.

Complying with the cybersecurity elements of the GDPR is simple, every step is written down for you somewhere. There are a few things to bear in mind though:

  1. GDPR is 95% about how you get the data, and what you then do with it when you have it. Anything you spend on security should be justified against the business goals, not a compliance requirement;
  2. There is no cyber insurance against loss of reputation, this should not be about the money; and
  3. Any security vendor offering “GDPR Compliance” is at best telling you 5% of the story, at worst, is lying to you.

While I agree it may be difficult to sort through the good advice and the crap when it come to this stuff, there is no excuse for  doing nothing. GDPR and every regulation to come will not change the basics, security will be same regardless.

The issue is not regulation, it’s that organisations still aren’t asking the right questions.

[If you liked this article, please share! Want more like it, subscribe!]