Picture a morning in the office when you are trying to convince the business stakeholders about the importance of becoming GDPR compliant.

“Good morning, Thanks for having me. Did you hear about the GDPR, and do you know we really need to start working to become compliant before May 2018?”

“No, I haven’t, and why should we do it?”

“Because you can get fined seriously”

“Another reason why I don’t like security and those compliance guys. All I hear is them saying it’s a scary world and I will have to pay. You only cost me money”.

Of course, not being compliant with GDPR has serious implications. But taking this threat-based approach doesn’t do us any good in the long run. Before you know it, there’s a new directive, regulation, or other mandatory limiter put on the business.

Let’s see if we can stray away from the negative, threat-based approach and provide enablement towards already existing targets and goals within an organisation.

A randomly selected organisation I picked for this article had a few statements on their website about their strategic goals:

  • Be open and honest;
  • Follow the rules and laws;
  • Provide customers access and choice;
  • Be a trusted partner for life.

Looking at the GDPR directive, there’s hardly any obvious references to security. Just a few articles state information has to be processed “in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion [..]”

But did you know that the whole directive is actually full of security requirements?

Let us zoom in on a small portion of article 42. There, for instance, it says you need to be able to demonstrate consent of Data Subject. And you need to provide easy access, and you should be able to identify the controller. These 3 words in italic… are security requirements or lead into security requirements.

Because if we need to be able to demonstrate the given consent, there is a need for making sure this given consent cannot be tampered with, nor later denied. Therefore we would need to address certain Integrity assurance and non-reputability to avoid possible disputes later on. Right?

How about easy access? Easy access implies there is a need for controlling access. And of course, this access-control should then also be easy. And having easy access-control probably falls or stands with having it integrated or not. The third word I wrote in italics, identify, refers to be able to identify the controller from the Data Subjects’ perspective. But, also, when you’re dealing with access-control, there’s a need for authenticating the data subject, and to be able to do this, the data subject needs to be identified, registered, and so on.

And so incorporating demonstrate, easy access and identify alone, already provides a link between the strategic goals, previously mentioned. A customer given access to his consent in an easy manner enables the strategic goal:

“Provide customer access and choice”

It also provides enablement towards trustworthiness for the longer term, when the organisation wants to be a trusted partner for life.

Although this is only a limited view on the directive as a whole, and there are of course more non-security requirements to be found, it does show how zooming in on elements of the directive not only costs money but also provides positive feedback in other requirements the organisation has.

Maurice Smit

Maurice Smit

Principal Security Architect

Select your currency