From the course: Cybersecurity Foundations
Protecting privacy with cybersecurity
- [Instructor] The General Data Protection Regulation (GDPR) of the European Union is a law which enforces the protection of the privacy of European citizens, with mandatory rules for how organizations and companies must use any information which directly or indirectly could identify a living person. This is known as personal data, and a couple of simple examples are your name and phone number. The act becomes globally relevant because it applies to any services being consumed in the EU, no matter where they're sourced. With a 1% global revenue fine for failure to comply, compliance is a high priority. There are six principles in the act. Personal data is to be processed in a lawful, fair, and transparent manner. These process characteristics don't involve cybersecurity directly. It must be collected for a specific purpose and only used for that purpose. Again, this is a process characteristic and doesn't involve cybersecurity. It must be limited to what's needed for the purpose and no more, another non-cybersecurity characteristic. It must be accurate and kept up to date. Cybersecurity capabilities can be used to maintain data integrity, which contributes to its accuracy, but keeping it up to date isn't a cybersecurity capability. It must be kept in a form which minimizes the exposure of a person's identity and only retained for as long as necessary. Cybersecurity can certainly help here by enabling encryption of data. The last principle is fully cybersecurity. It requires appropriate security for personal data, including protection against unauthorized or unlawful processing, and against accidental loss, destruction, or damage. GDPR requires organizations to implement appropriate technical and organizational measures to secure personal data. This requires businesses to ensure that their cybersecurity defenses continue to be effective against evolving cyber threats.
A good GDPR compliance program involves risk assessments, ongoing maintenance of the security infrastructure, and continuous monitoring of networks in order to detect and respond to any intrusions. Some key cybersecurity controls for GDPR compliance include encryption of personal data, control of access to data, and regular audits. These are all standard controls used in most cybersecurity programs. An alternative to encryption of data is to mask or tokenize it, and this is a security control generally associated with privacy. In addition to the normal controls, a data privacy program needs to have breach notification protocols in the event of a data breach. Other privacy-specific controls include data minimization practices, data protection impact assessments, and implementing privacy-by-design principles. While not cybersecurity controls as such, these will often fall to the security team to manage as part of the wider security and privacy program.
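As an added illustration (not part of the course), the following Python shows what the masking and tokenization controls mentioned above can look like for the two kinds of personal data the transcript names, a name and a phone number. The record, the key and the `Tokenizer` class are constructed for this example; tokens are keyed HMAC values, so a dataset holding only tokens exposes no identity unless someone also holds the separately access-controlled vault.

```python
import hmac
import hashlib
import secrets

# Constructed sample record (not real data): name and phone are the personal fields.
SAMPLE_RECORD = {"name": "Ada Example", "phone": "+44 20 7946 0000", "plan": "basic"}
PERSONAL_FIELDS = ("name", "phone")


def mask_phone(phone: str, visible: int = 4) -> str:
    """Masking for display: keep only the last `visible` digits, hide the rest."""
    digits = [c for c in phone if c.isdigit()]
    keep = digits[-visible:]
    return "*" * (len(digits) - len(keep)) + "".join(keep)


class Tokenizer:
    """Keyed tokenization (hypothetical helper).

    tokenize() replaces a value with an HMAC-SHA256 token derived from a secret
    key. Without the key, a token cannot be linked back to the value; with the
    same key, the same value always yields the same token, so tokenized datasets
    can still be joined. The vault maps tokens back to values and must sit in a
    separate, access-controlled store for authorized re-identification.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._vault: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        self._vault[token] = value
        return "tok_" + token

    def detokenize(self, token: str) -> str:
        # Raises KeyError once the vault entry has been forgotten.
        return self._vault[token.removeprefix("tok_")]

    def forget(self, token: str) -> None:
        """Retention control: dropping the vault entry leaves existing tokens irreversible."""
        self._vault.pop(token.removeprefix("tok_"), None)

    def tokenize_record(self, record: dict) -> dict:
        out = dict(record)  # non-personal fields (e.g. plan) are kept as they are
        for field in PERSONAL_FIELDS:
            if field in out:
                out[field] = self.tokenize(out[field])
        return out
```

Running `Tokenizer(secrets.token_bytes(32)).tokenize_record(SAMPLE_RECORD)` yields a record whose `name` and `phone` fields carry `tok_`-prefixed tokens and whose `plan` field is unchanged.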