IAPP The Privacy Advisor: How NIST Security Controls Might Help You Get Ready for the GDPR
To get ready for the General Data Protection Regulation, companies need to review their existing security measures and information-security frameworks thoroughly and with due diligence. Because the GDPR is meant to be technology neutral, it provides very little guidance on these topics. While it aims to bring privacy from theory into practice, the onus for achieving that is on the controllers and processors of personal data.
This leaves those entities largely on their own with the practical problems, under the threat of severe administrative fines.
So where to start? Is the solution trial and error?
Why not, perhaps paradoxically, look across the Atlantic for some inspiration? Although U.S. and EU law are far apart (and some would say there is no hope of fully bridging those differences), many of the security controls described by the National Institute of Standards and Technology, designed as they are for federal agencies, seem very well suited to meeting the GDPR's requirements (cf., inter alia, Article 32 of the GDPR). To be sure, this would still be a high-level, generic approach. Yet NIST's recommendations, while technology neutral, are meant to be technologically aware. This puts you in a position to use existing tools to tailor your own process to the company's mission and business concerns. Obviously you need to start with general solutions before moving on to specific security functions and concrete management tools and techniques.
What would be the best reading materials to get you equipped with the necessary knowledge for taking this mission, while bridging the security-privacy divide?
That very much depends on where you are, and what the level of maturity of your current security and privacy framework is.
Some of the more relevant and interesting publications to consider would include:
- FIPS PUB 200, "Minimum Security Requirements for Federal Information and Information Systems";
- "Framework for Improving Critical Infrastructure Cybersecurity";
- NIST SP 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations"; and
- NISTIR 8062, "An Introduction to Privacy Engineering and Risk Management in Federal Systems".
While the first two provide a general structure for evaluating your information-security framework, and the third offers more concrete solutions for meeting the security objectives, the last is of particular use in implementing privacy by design and by default.
In addition, NIST SP 800-53A, "Assessing Security and Privacy Controls in Federal Information Systems and Organizations," is handy for introducing continuous security assessments and evaluation procedures, and NIST SP 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems," for applying a risk-management framework. As these are fairly lengthy documents, NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is where you might want to start with the confidentiality basics.
These should support you in building the fundamentals of your privacy program, which requires maintaining effective, real control over the data you hold across its entire life cycle, including inbound and outbound data flows. It will be very much up to you whether to build, from the ground up, multi-layered solutions robust against every conceivable threat, or to augment the security capabilities you already have.
Part of the process is also assessing your security and privacy controls and your breach-response capabilities. You will not be able to notify the supervisory authority or the data subjects of a breach, as the GDPR requires, if you cannot detect that a breach has occurred in the first place. Moreover, you will not be in a position to assess risks, which the GDPR requires you to do on a continuous basis, without adequate risk-management and assessment procedures in place. The same applies to conducting a data protection impact assessment, which by its very nature requires you to be aware of the risks and to come up with practical measures to mitigate them. Even though risks to data subjects and risks to the company call for different approaches, some integrated solutions may still be feasible.
With regard to the anonymization, pseudonymization and encryption of personal data, European sources should be your primary place to look for answers (the WP29 "Opinion 05/2014 on Anonymisation Techniques" and the ENISA publication "Recommended cryptographic measures — Securing personal data"). In many other areas, however, you might start with NIST's recommendations and then adjust them to the GDPR's requirements and to the EU's broad definition of personal data. Naturally, making such adjustments without breaking the very linkage between privacy and security is not an easy task. It is necessary, though, because simply following the U.S. PII model, including the Fair Information Practice Principles, is certainly not enough to meet EU requirements. Still, it seems tempting and rational to integrate privacy and security first, on foundations that do not depend on any one legal system, and to add the EU specifics afterwards. Contrary to what you might expect, very few discrepancies remain once your privacy and security policy reaches a certain level of maturity.
This approach might help you to ensure that both the security and privacy objectives are met, including confidentiality, integrity, availability and resilience of processing systems and services. In addition to that, you also need to have in place procedures for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Integrating privacy and security, together with procedures for vendor management, is a prerequisite for meeting the EU data protection principles, including data minimization, transparency and accountability. It is also crucial for honoring the right to be forgotten in practice and not just in theory. The same goes for data portability: you first need effective data mapping and processes for continuously monitoring the data you hold, so that you know which data fall under the right to data portability.
No technique or solution is free of shortcomings, and none will, by itself, deliver lasting compliance. It is therefore necessary to treat implementing privacy as an iterative rather than a one-off process.
Whenever the GDPR gives no clear guidance on how to achieve a particular security objective, it certainly seems wiser and more rational to use the existing solutions in NIST's publications than to wait for further EU guidance. Later you can build on what you already have rather than start from scratch.