The European Union has long considered that a person owns all non-public data about him or her. Each individual then explicitly grants, and may later revoke, the right to process (for example: collect, analyze, aggregate and store) his or her personal data to every interested party.
With some data, it is easy. One signs a contract, and later on, perhaps cancels the contract, along with the permissions to process the data. But the question is not only about granting or revoking rights to process, but also about getting to know which data is stored, how it was processed, with whom it was shared, and having the possibility to remove that data from systems (i.e., to be forgotten).
Data leaves traces in the physical world, and even more so in the digital world. Each of our digital activities touches many systems: computers, servers, information systems, transmission systems, security systems, usage analysis systems, and so on. Moreover, not all of these traces are covered by contractual relationships, because of the complexity of interactions between systems and for reasons of usability.
Information systems and the Internet were designed mostly respecting another model – that the owner of the system owns the data as well, unless it is specifically provisioned otherwise.
The new EU General Data Protection Regulation (GDPR) threatens everyone globally that processes data of clients and EU residents with large fines if the EU approach to data ownership is not respected. ISACA recently issued a new publication, GDPR Data Protection Impact Assessments – What Does It Mean to Me, providing guidance to practitioners and their organizations on how to deal with these considerations.
Despite all the difficulties, I would argue that implementation of the new regulation brings a lot of benefits to all those involved in IT governance, such as:
- Organizations are forced to inventory all their digital assets and start managing them better. In this way, more resilience against cyberattacks or mismanagement can be created.
- IT staff are forced to talk to and understand legal teams, discuss the impact, and better understand threat landscapes and liabilities, which narrows gaps in understanding.
- The true cost of automation will be calculated better. Right now, it is still often calculated as only the cost of designing, deploying and running information systems. Going forward, securing information systems, managing the life cycle of data and information systems, and creating, processing, destroying, auditing, handing over and disposing of data will all be assessed.
- A new profession with a clear mandate and responsibilities will be brought into most organizations. The Data Protection Officer (DPO) will provide extra help in IT governance.
Overall, GDPR has the potential to be one of the pillar forces that bring us together to address cyber security properly. While it alone will not be sufficient, combined with other governance and regulatory efforts, real progress can be made.