The GDPR Fever: There Is No Privacy Without Security
This is the first post in the GDPR Fever series aimed at explaining whether and how DLP technologies could be used for achieving GDPR compliance.
The GDPR’s mission is to improve information privacy protection in corporate IT systems that process personal data of clients or employees. Usually, privacy-specific IT problems are most often associated with the growing number of cases when a system “designed to achieve beneficial objectives (e.g., improved efficiency of the electrical grid and increased security) can adversely affect individuals’ privacy … as it is processing information about individuals.”
A few indicative examples of such cases are outlined below:
- Using information collected from user’s homes by smart meters of electric grids for revealing behavior inside a person’s home;
- Personally-identifiable profiling of user’s behavior when they are visiting websites for selling this information to Internet advertising agencies;
- Collecting information on private persons by computer and network activity surveillance tools for purposes unrelated to public or national cybersecurity.
Crucially, all these types of privacy violations have something intrinsically in common: all of them are unintended or deliberate “byproducts” of data processing – a misuse of personal data access to which is authorized for some legitimate purposes. Therefore, in all these cases the security (precisely speaking, confidentiality) of processed personal data has been already implemented by applying appropriate access control measures.
On the one hand, this means that data misuse-related privacy violations cannot be prevented by data security measures alone, because they are aimed at authorizing or denying access to personal data, but not to detecting the purpose of their processing and controlling the system's ability to perform it. Far more “intelligent” than access control, business process-aware privacy safeguards preventing data misuse have to be enforced once access to personal data has been granted. That’s why organizations’ obligations to implement protective measures against the threats of personal data misuse are rigorously specified in the GDPR in a set of data protection principles including lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; and storage limitation – all applied to various aspects of data processing.
On the other hand, the very applicability and protective value of these data misuse-prevention measures are entirely based on the condition that data confidentiality is already protected. To explain this, let’s consider the following opposite cases:
- If access to personal data is controlled, it can be granted to only those authorized components of the processing system that will further prevent data misuse in their own operations, while all other – unauthorized – external or internal entities won’t get access to personal data at all, thus fully eliminating any risks of information privacy violations by these entities with respect to personal data in the system.
- Alternatively, if access to personal data is not controlled, any unauthorized system components and all entities inside and outside the system (e.g. malicious employees and hackers) can freely access the data and misuse them as they want to harm the privacy of individuals whose personal data are processed in the system – regardless of the ability of authorized system components to not misuse these data in their operations.
Hence, there can be no privacy without security — because the lack of personal data confidentiality protection in a processing system makes its data misuse-preventive capabilities useless, while having confidentiality protection in place enables them.
The fundamental significance of data security for information privacy is fully recognized in the GDPR where the special provision of “integrity and confidentiality” dedicated to the “CIA triad“ of infosecurity protection goals has been added in the data protection principles in Article 5(1) that constitute key requirements of this regulation. This comes in a positive contrast to Directive 95/46/EC, where the relevant requirement was specified as a paragraph in a separate article devoted merely to the security of processing the data.