“I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”Abraham Maslow
An open letter to the information security profession
Dear infosec people,
You do a tough job in a complex, high-stress and fast-paced environment. I admire the cleverness of your technical capabilities and respect the challenges you face.
Having said that; PLEASE SHUT THE FUCK UP ABOUT THE GDPR UNLESS YOU HAVE REALLY STUDIED DATA PROTECTION.
Seriously. You’re making the lives of privacy professionals really difficult, and that’s not going to lead to collegiate and constructive co-operation. You’re also occasionally making yourselves look like right knobbers to those of us who do know what we’re talking about in this area.
I’m generally not a fan of the ‘stay in your lane’ philosophy – breaking down silos and working together is an essential part of being effective these days. However, if you have not learned the rules of the other lanes, then carelessly blundering into them and screwing with the traffic flow is just as bad – if not worse – than hiding in a silo.
I absolutely welcome infosec people learning more about privacy/data protection – it’s the career path I took myself and have flourished upon. What sends me up the bloody wall though, is the Dunning-Kruger Effect that is evident when infosec people try to tackle data protection without having spent the time and effort to understand privacy law. Because they get it so very wrong and are uncritically parroted by other people who aren’t familiar with either professional knowledge domain, thereby spreading myths, tropes and general #GDPRubbish.
Infosec and privacy are not the same thing at all. There is overlap, but only for a small proportion of both. There is wide divergence and narrow convergence. Information security is about protecting corporate information and systems. Privacy is about protecting individuals and society. Data Protection is privacy applied to information about living people.
Data protection requires information security, but only as a small feature in a broad landscape of human right-based risks, controls, considerations and obligations. There are seven principles in data protection law, and only one of them is ‘process personal data securely’.
There are a whole bunch of individuals’ rights that have nothing to do with the security of their data. There are a pile of obligations that don’t relate to information security in any way. If you didn’t know that, or you don’t know what those principles, rights and obligations are, then please either go and learn, or belt up and refrain from undermining privacy by hijacking GDPR conversations and narrowing them to infosec-centricity.
It’s understandable that when your whole world is one topic, you’ll see everything else within those terms of reference. It’s natural to have a whole bunch of cognitive biases and assumptions. This isn’t a value judgement on your character, it’s just me pointing out an opportunity to integrate rather than colonise.
To assist you with this, here are some nuggets of data protection wisdom for you to take away and keep.
- Privacy is not equivalent to confidentiality, it is the right to be free from unwarranted or arbitrary interference. This may involve a degree of confidentiality for information, but not necessarily. Data Protection is usually more concerned with why you’re doing stuff with/to people via their data than how secret the data is.
- Privacy is not the binary opposite of ‘in public’. In fact, ‘in public’ is a spectrum anyway, but even if it were a single environment, it would still not be the opposite of privacy, because being amongst other people does not negate your human rights.
- ‘Personal data’ is wider than ‘personally-identifiable information’. It’s heavily influenced by context and association, and the same piece of info may be ‘personal data’ in one scenario but not in another. There is no binary always/never threshold. Deal with it.
- ISO27001 or any other infosec standard will NOT deliver GDPR compliance. Not even close. Not even 50%. Done properly, 2700x can help you adhere to the security and accountability principles, but does nothing to address fairness, rights, transparency, rights, lawfulness (etc)
- No system, tool, document set or ‘solution’ can be ‘GDPR-compliant’ in itself. Only when used in accordance with all of the data protection principles, within an organisational culture of respect for privacy, in a privacy risk-managed way, can it play a small part in GDPR ‘compliance’. Which, by the way, requires the org to have integrated strong data protection risk management as business-as-usual into EVERY process, system, activity and decision.
- The GDPR is principle-based law on purpose. It leaves room for innovation, creativity, risk appetite and context. If you’re looking for a prescriptive checklist of inflexible instructions for which no nuance is required, then stop trying to understand data protection and focus on PCI-DSS instead.
- The only time ‘encryption’ is the ‘answer’ to data protection, is when the question is ‘what is one way to protect the confidentiality and integrity of data within a particular digital processing environment?’.
- Security controls themselves must be assessed for privacy risk. User monitoring and profiling, authentication and verification for example, carry inherent privacy risks of their own and the security justification for using them may be negated by the privacy justification for NOT using them. This is not ‘privacy stopping you from doing your job’ but ‘the lesser of two evils’.
I believe that the disciplines of infosec and privacy can and should work collaboratively and constructively. But in order to do so, privacy pros need to be sterner about emphasising the ‘rights and freedoms’ aspect of data protection, and infosec pros need to accept that their security expertise does not equate to competence in the privacy domain.
Thank you for reading
Lots of luv and respect,
(This was originally going to be an exasperated sweary rant, but it turned out quite moderate and civil. Apologies to anyone I have disappointed as a result.)