General Data Protection Regulation (GDPR) from the Information Security Perspective

The Internet is full of articles and comments dealing with these issues and roles without, in my opinion, creating much clarity about the role of information security in the GDPR.

Ensar Seker
May 29, 2020 · 6 min read

The General Data Protection Regulation (GDPR) is a European law adopted by the European Parliament in May 2017, with 392 votes in favour, one abstention and one against, that governs how companies, EU-based or not, use and handle personal data. It replaces the outdated 1995 Data Protection Directive.

Photo by Giammarco Boscaro on Unsplash

The GDPR establishes a new standard for the protection of digital personal data relating to behaviour on the Internet and in the real world. This standard applies to the personal data of internet users in the EU, regardless of which company holds their data.

Simply put, if you have customers in an EU country and collect data about those customers in the course of your business, you are subject to the provisions of the GDPR. Regardless of its size or scope, any company with an internet presence can potentially fall under this law, because it may do business with EU citizens no matter where it is located or what line of business it is in.

It replaces the existing law on the use of personal data, enters into force on 25 May 2018, and applies to businesses in the European Union (EU) and to all members of the EU and the EEA, replacing many statutes in current legislation that derive from the European Convention on Human Rights (ECHR) and European Union (EU) law.

Photo by Markus Spiske on Unsplash

According to the EU GDPR website, the legislation aims to harmonise data protection laws to improve the protection and rights of individuals. Many aspects of the existing law remain, including laws based on data protection principles. Europe has long disagreed with the United States and other countries on how data should be protected and regulated.

This is because public concern about privacy weighs heavily on the business sector and ensures that the way companies use citizens’ personal data is always taken into account, according to the European Commission.

The General Data Protection Regulation (GDPR) is one of the most significant changes to data protection law in the EU in recent years.

The Council of Europe negotiated many OECD recommendations, codified in the European Convention on Human Rights (ECHR) and the International Covenant on Civil and Political Rights. These guidelines, which were also signed by the United States, defined personal data as information relating to an identifiable person.

Even then, however, there were signs that the EU was moving towards greater protection of privacy. For example, the European Union (EU) enforced rules to protect the privacy of its citizens, such as the Data Protection Directive (DPD) and the Digital Single Market Directive.

Photo by Christian Lue on Unsplash

The GDPR takes into account the challenges of a rapidly evolving digital world, which entails privacy risks for the person concerned; it is more detailed and precise in some areas, and stricter in others. It marks a significant change in the way organisations, businesses, and individuals handle customer information. In general, the Regulation applies to all personal data collected, stored, processed, or used in any way, whether in electronic or paper records.

Photo by Sebastian Pichler on Unsplash

From the point of view of IT security, a Data Protection Impact Assessment (DPIA) should therefore be one of your organisation’s core concerns. The GDPR looks at the data protection impact assessment from the perspective of IT security, with ISO 27001 playing an important role. You need to assess the risk of personal data being breached and the potential impact on your business and your customers.

One of the aims of the regulation is to strengthen the protection of personal data and the right to privacy while facilitating the free flow of personal data.

The GDPR will play a crucial role in categorising and assessing these risks. On the basis of this assessment, implementing guidelines to protect your organisation and comply with the GDPR may require you to remove documents containing the personal data of EU data subjects. Compliance with the GDPR, however, typically involves not only an assessment of the risk of infringement but also a thorough analysis of where personal data is stored and whether there is a legal justification for storing and processing it.

Articles 25 and 32 deal at length with the technical and organisational measures the Regulation requires to ensure compliance with the GDPR and the protection of the personal data of the EU citizens concerned. Awareness of your current configuration can serve as a starting point for implementing these measures in your company and as part of your overall compliance strategy.

Photo by Franki Chamaki on Unsplash

As we have seen with the recent high-profile breaches, the public and regulatory authorities are losing tolerance for arbitrary security operations. It is essential for information security professionals to understand what constitutes normal use of information resources and to notice when changes occur in the environment.

Many of these requirements do not relate directly to information security, but the processes and system changes needed to comply with them could affect existing security systems and protocols. None of us wants to fend off a regulator asking why we need to do this, and the compliance process could cause significant disruption to our business.

To take steps towards compliance, organisations need to understand what data they have, who has access to it, and which applications and systems are involved in transferring it. Business departments, in cooperation with IT, are responsible for knowing why data is collected, how long it is kept, and how to ensure that data subjects can exercise their legal rights under the GDPR.

This means knowing where and how the information moves, who has access to it, and what they do with it. If you do not know where your information is, what it is crucial for, and who has access to it, you are in a less secure position than an organisation that is currently in compliance with the GDPR and other provisions.
