GDPR’s INFOSEC REQUIREMENTS: APPROPRIATE?
Undeniably, the law is good, revolutionary & destined to be a game changer. The legal drafting is superb. For a long time to come, techno-legal laws will not carry clear technical prescriptions; this is in tune with the present concept of jurisprudence. The final goal is the protection of the PII of European citizens, so what counts as appropriate can only be decided on an outcome-based approach.
Article 32 is at the core of the definition of appropriate. It says: taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The challenge is to translate this article into technical terms: into tools, software, their operation & the controls emanating from them.
What the world sees of the regulation in motion are consent letters & privacy statements. The technologies behind them are decided by the business enterprises. IT security is a portfolio game in which the combination of various tools gives the desired result, and that combination is made fully operational by the interfaces, APIs & related strategies. The Data Protection Officer is positioned here: a professional well versed in enterprise operations, technology, law & strategy, who decides & operationalises PII data protection.
The story changes when a complaint is filed. The adjudicating authority will decide whether the controls put in place were adequate. Law is never black and white; grey areas take over. Finely tuned legal arguments by legal luminaries will make a difference in defining & deciding what is appropriate, and the cases & rulings will make things clearer. The mandatory notification of a breach is also critical. Output and impact, judged as objectively as possible, will be the touchstone.
TECHNICALLY, APPROPRIATE INFOSEC REQUIREMENTS NEED TO BE THRASHED OUT.