2nd e-Crime and Cybersecurity Congress Scotland
Edinburgh, 6 November, 2019
Protection versus privacy: getting data right
As GDPR fines start to bite, does privacy trump protection? And is the CISO in the loop?
Is security more or less important than early fraud detection? More or less important than making the consumer recovery process from fraud and data breaches easier? More or less important than keeping data safe from misuse by authorised parties?
Cybersecurity professionals, and the senior managers who decide security budgets, have wrestled with these questions over the past 20 years.
If the current state of cybersecurity is any indication, the answer is that security concerns have indeed been largely subservient to processes that ensure public, consumer-facing losses are rectified. As long as the public does not lose money, everyone seems to accept current levels of data loss and cyber-insecurity.
The latest, largest GDPR fines change this calculus.
The regulators, at least, have determined that the authorised misuse of data is worthy of a fine in the tens of millions of euros, and that the inadvertent loss of data can cost those who lost it seven-figure sums.
These fines, finally, give the business world what it needed: a way to calculate the materiality of data protection and data privacy, and to suggest the levels of budgeting appropriate to the newly measurable risk.
But where should any new money be spent? GDPR is notionally focused on data privacy, and security professionals have long distinguished between data protection (securing data against unauthorised access) and data privacy (managing authorised access: who has it and who defines it).
This has led to the assertion that data protection is essentially a technical issue, data privacy a legal one.
The GDPR fines render this distinction philosophical rather than practical: data privacy is compromised both by technical failures in data protection and by failures in data management ethics or processes. Regulators are therefore penalising both.
The common denominators are data management in the broadest sense, and the consumer. So who is responsible for what?
GDPR's super-fines change the cybersecurity calculus. This year's e-Crime and Cybersecurity Congress Scotland will convene to discuss the latest problems and solutions.