Security Think Tank: Embrace data protection as a necessary business process

When it comes to compliance with the EU’s General Data Protection Regulation (GDPR) and the UK’s GDPR-aligned Data Protection Act 2018, no information security professional should be driving the conversation with dialogue about potential fines. This is both defeatist and counter-productive when dealing with senior leadership figures. 

Instead, we need to focus on all the benefits that can be realised by embracing data protection as an integral and necessary business process that is fully embedded into our business as usual.

All information security and data protection activities should start with the organisation’s business objectives in mind. Security, including data protection, should demonstratively benefit the organisation and ultimately result in information being utilised and exploited in a positive way, therefore enabling the right people to have access to the right information at the point of need.

To achieve this, it is absolutely vital to fully understand what personal information is being collected by the organisation, from where, and for what explicit purpose. The business needs to ask if it strictly necessary.

If it isn’t, then it must stop. If it is, then the next step is to identify what fair and lawful purposes are going to apply to processing this information and ensure that it is properly documented. By doing this, information security professionals can then work with the organisation to develop strategies to ensure that the information can be used by legitimate users.

Often, this can seem like a monumental task to information security professionals and, as a result, is frequently an area that is shied away from. And that is because, simply put, it is a monumental task. Indeed, it is far too big a task for one person. 

However, it should not be a task that is allocated to the information security professional at all. Instead, businesses need to integrate the role of information asset owner into their organisations and make the senior leadership team themselves responsible both for implementing and embedding this structure.

“Security, including data protection, should demonstratively benefit the organisation and ultimately result in information being utilised and exploited in a positive way”

This will then enable management, using a combination of common sense, pragmatism and professional judgement, to make risk-based decisions over the collection, processing, sharing and, ultimately, disposal of information, with security and privacy professionals acting in a tactical advisor role, as and when required.

Doing it well takes effort, there is no doubt about that. This can sometimes be the stumbling block against which best intentions first fall. However, doing it well also brings huge benefits. For instance, reducing storage costs and creating clarity about who should be able to access what in order to be efficient can reveal poor employee practice and highlight training issues, and therefore improve business quality.

We should be focusing on the benefits when we talk to our senior leaders, and the potential for fines, which is a risk and therefore cannot be ignored, should be supplementary. 

Only by doing it this way can we start to get our organisations to see data protection in a positive light so that it becomes something they want to do, not something they do grudgingly to tick a box.