The security principle in data protection regulation
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
There are so many components within the Nigerian Data Protection Regulation (NDPR), and even in the European General Data Protection Regulation (GDPR), that needs consistent unpacking. One component that raises many questions is the security principle.
How can it be achieved, and what needs to be in place?
The security principle is a web. Many dots make the security line. Yet, companies think once they have certain encryptions or specific frameworks, they are compliant with data protection regulations.
Data protection regulation presents legal and operational functions. They work together. The legal part focuses solely on the theoretical aspects of data protection, while the working process focuses on the technical delivery of these theoretical legal hypotheses.
Regulators want companies to obey regulations and have the technical capabilities to back the laws. A company can escape a fine even after a breach if they can demonstrate that they have the right technical and organisational measure in place.
For example, the NDPR admonishes companies to carry out data portability function where it is “technically feasible”. There is no clear explanation of what this loaded phrase means. How do we measure feasibility? From an operational point of view, it simply admonishes the company to meet these portability demands as long as it does not reduce or impair everyday business functions. Can a company be fined if it can’t meet these functions? If the investigation reveals that the company has tried everything possible to meet such demands, can show proof, it won’t be held liable for a data privacy breach in this case.
The security principle demands companies first understand the elements explained above. What exactly do companies mean when they claim to have technical and organisational measures in place to protect data in their possession?
To answer in short terms, it means they have security controls to obey the law. It means they have an array of components to meet security demands.
Having and maintaining a robust collection of documented policies is the first place to start. These documents guide the ideologies of the company’s approach to data protection. It serves as the manual to both internal and external stakeholders. Without it, there will be no firewalls or encryptions, employees will be confused about their data protection responsibilities, and makes an organisation’s business process vulnerable to threats.
The security principle requires management involvement. There can be no data protection framework or methodology in a company if its management is blind to data protection trajectories and data protection roles in business functions. From field experience, leadership plays a critical role in ensuring that the company builds robust security that meets data protection standards.
Another critical factor of the security principle is the cyber and tech environs the company maintains. In trying to save cost, most companies go for a cost-effective way and build cyber and tech settings that may not detect or prevent breaches. Sometimes, in the bid to save money, they end up creating a vulnerable cyber environment.
Most stakeholders would not pay the right amount to prevent data breaches in their initial data security projects and spend more during or after a breach or incident. This technical dilemma points to the failure of leadership within an organisation.
The security principle demands companies to pay attention to international standards best practises such as Payment Card Industry Data Security Standard(PCI-DSS), ISO 27001 series, CBEST frameworks and the National Institute of Standards Technology(NIST). These standards are globally recognisable standards companies can add to improve their data protection frameworks. These are not regulations. Most organisations misconstrue these best standards as data privacy laws. Let’s be clear about a fact: an organisation can have these standards and yet not be compliant with local data protection regulation.
The security principle is the bedrock of any data protection regulation around the globe. Without security, any data protection framework in any organisation will fail. What I have enumerated here is not an exhaustive list and only serves as a guide to institutions. Companies must assess their processes and design the best technical and organisational measure that fits their business processes.