The importance of a common framework

Another day another notice from the ICO

So we now have the second notice from the ICO in quick succession relating to the applied GDPR, this time in relation (at least on the face of it) to a data breach that was fully within Marriott's gift to address, with a fine currently intended to be over £99m.

The issue will yet again make the press through those wishing to push technical services, but the comment below from the ICO is of crucial importance.

The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.

Supply chain and acquisitions have always been placed on the difficult list for security professionals, as there is no one approach that fits the different sectors and sizes of the organisations involved. It is all too common for suppliers and customers to be at odds over the language and intent used to describe what activities are undertaken and what assurance is available. How does the board gain assurance that it is not unduly exposed by this lack of a common framework to align its governance to?

How do you assess what is being done?

We can say that cyber security is the best approach, yet even the baseline 10 Steps to Cyber Security guidance from the NCSC has less than 5% adoption according to the recent DCMS cyber breaches survey. Looking at the adoption of Cyber Essentials shows that less than 0.02% of organisations in the UK hold a certification to prove they follow this minimum standard.

If organisations don’t follow this standard, are they really likely to comply with the GDPR security outcomes from the NCSC, which are themselves intended to turn what is considered good security practice into a legal minimum under Art. 32 of the applied GDPR?

A comment on my post yesterday discussed how ISO/IEC 27001:2013 requires good governance, but the reality is that cyber security is merely a cost of business that is tolerated. The real way to address the malaise described above isn’t fines: there were in excess of £300m in fines last year across the financial sector, health and safety and other areas, and all of these fines could be linked back to poor governance, the same as the Marriott breach.

The issue with using fines to influence behaviour, though, is that you will often get a tightly defined scope of compliance, as corporate culture tends to treat compliance as a destination to be reached rather than a continual journey. Good governance is a process that occurs daily throughout an organisation (the board takes many unconscious risk decisions), but a lack of understanding of cyber security tends to cloud the board's decisions, so it relies on others.

Understanding the importance of information governance

Of concern, though, is how the ICO frames the personal data that organisations must protect:

Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset.

Personal data has a value to the person it relates to, and the common law torts define the baseline legal obligations that organisations have to manage the protection of, accuracy of and access to this information. Equity is a foundation of the legal system in England and Wales, as shown in the vicarious liability judgement against Morrisons by Justice Langstaff:

Accordingly, thus far, I cannot conclude that the DPA excludes common law and equitable actions in respect of the same data disclosure.

A person's personal data doesn’t belong to the organisation that has acquired it; it has been acquired under a transaction that defines how it is going to be used and managed.

Aligning information governance within a common framework

There is currently too much fragmentation between information governance, privacy and cyber security professionals, all fighting for the same constrained budgets. The information to be managed, however, remains the same. Of concern is that only 13% of respondents to the DCMS survey are aligning their cyber security activities to their legal obligations.

We are seeing a groundswell of cyber security professionals entering the GDPR marketplace, but the challenges need to be addressed in a consistent manner, something covered in my joint white paper with Innopsis on the EU GDPR last year.

Confuse the marketplace and you will only deliver chaos; build on a common framework with legal obligations at its heart and you will deliver a structure that aligns your compliance activities and truly interfaces with the board. However, the question to ask is: how many of the more than 4000 legal obligations relating to information management in the UK are you actually aware of?

Understanding the obligations and the activities means you can benchmark where you are and where you need help to improve, aligning common activities in a single assessment and allowing the board to decide where to improve according to the impact on the organisation.
