Brexit means Brexit and so does the EU GDPR

Nick Prescot, Senior Information Security Manager, ZeroDayLab

Since the 23rd June this year, the word 'Brexit' has been the most overused word in the English language; with some saying that we need a 'heavy Brexit' and some saying that we should have a 'Brexit lite'. Whilst one can debate endlessly about the proposed route taken by the UK Government, there is on inalienable fact that holds a certain evident truth; the EU GDPR will become law in 27 countries and if we're still in the EU, 28 countries on 25th May 2018.

Safety: the condition of being protected from or unlikely to cause danger, risk, or injury 

What is important to note that one shouldn't just add 'EU GDPR' to the risk register and then make it all red because it's a big thing...The risk isn't the regulation, it the level of controls that are required around the processing of personal data. This means that there are many risks that have stemmed from this regulation; this being data that is 'at rest', data 'in transit' and data 'managed by 3rd parties. What is interesting is the European approach to the premise that personal data is a valuable currency not only to the individual but also to the adverse party.  

Security: the state of being free from danger or threat   

In English, ‘Safety’ and ‘security’ are 2 separate words, but in many European Languages these are conjoined words (France= la sécurité; German= Sicherheit; Italian= sicurezza; Spanish = seguridad). It's not only a cyber security premise but also a cyber safety premise as well. This being that in many European languages cyber security and cyber safety mean the same thing and in the English language, they are not always meaning the same outcome. I get the sense that cyber security is looking at dynamics from the 'outside-in' and cyber safety is looking at dynamics from the 'inside-out' - This is a personal view and I'm sure that lots of people will be thinking, thanks for that but not sure what you mean here!

The regulation is quite specific in article 25 about data encryption. To me, this is the essence as to what the majority of European countries are thinking when they are talking about this new privacy act. In English, we see data protection as a cyber security thing whereas in Europe, the word for ‘safety’ is also the word for ‘security’ This makes somewhat perfect sense because of a lot of the legislative comments are focused towards words such as psuedonymisation, which means that separation of data from a direct identifying component. This to me is a safety factor when one is trading one’s personal data with 3rd parties. There is also the recital 75 that states that there should be a process where there is ‘the prevention of unauthorised reversal psuedonuymisation’ which basically means one-way hashing of personal information through encryption.

This is potentially a huge impact for the processing, storing and holding of personal data. Not only will this protect the rights of the individual, it will require the companies that are holding this data to adequately protect with the well known security measures that are in place. Encryption at rest isn't cheap but it looks more than likely to be a regulatory requirement that can't be avoided.

In a recent Ponemon Survey, the perceived risk to brand recognition from mandatory breach notifications emerged as the major upcoming headache for many European organisations, with 51% of survey respondents noting it as a concern, followed jointly by the risk of distraction from more important security topics and cost, both of which were cited by 48% of respondents. Other concerns noted were the potential for over-delivering on compliance (38%), fines for non-compliance (36%), ensuring compliance for data transfers across borders (36%) and the inability to make data transfers to chosen providers (31%).

So whilst Brexit means Brexit and we don’t know what that means, we know that Safety and Security for our European cousins are the same thing (on the whole) and my message is this, if you’re having trouble banging that ‘cyber security’ message to the internal business continuity and Health/Safety teams and swap it to ‘Cyber Safety’, I’d be interested to know what the reaction is and especially in the context of EU GDPR.