Home > Blog

The GDPR Fever: There Is No Privacy Without Security

27.02.2018

This is the first post in the GDPR Fever series aimed at explaining whether and how DLP technologies could be used for achieving GDPR compliance.

The GDPRs mission is to improve information privacy protection in corporate IT systems that process personal data of clients or employees. Usually, privacy-specific IT problems are most often associated with the growing number of cases when a system designed to achieve beneficial objectives (e.g., improved efficiency of the electrical grid and increased security) can adversely affect individuals privacy as it is processing information about individuals.

Get the "DLP: A Critical Piece of the GDPR Puzzle" Whitepaper!

A few indicative examples of such cases are outlined below:

Crucially, all these types of privacy violations have something intrinsically in common: all of them are unintended or deliberate byproducts of data processing a misuse of personal data access to which is authorized for some legitimate purposes. Therefore, in all these cases the security (precisely speaking, confidentiality) of processed personal data has been already implemented by applying appropriate access control measures.

On the one hand, this means that data misuse-related privacy violations cannot be prevented by data security measures alone, because they are aimed at authorizing or denying access to personal data, but not to detecting the purpose of their processing and controlling the system's ability to perform it. Far more intelligent than access control, business process-aware privacy safeguards preventing data misuse have to be enforced once access to personal data has been granted. Thats why organizations obligations to implement protective measures against the threats of personal data misuse are rigorously specified in the GDPR in a set of data protection principles including lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; and storage limitation all applied to various aspects of data processing.

On the other hand, the very applicability and protective value of these data misuse-prevention measures are entirely based on the condition that data confidentiality is already protected. To explain this, lets consider the following opposite cases:

Hence, there can be no privacy without security because the lack of personal data confidentiality protection in a processing system makes its data misuse-preventive capabilities useless, while having confidentiality protection in place enables them.

The fundamental significance of data security for information privacy is fully recognized in the GDPR where the special provision of integrity and confidentiality dedicated to the CIA triad of infosecurity protection goals has been added in the data protection principles in Article 5(1) that constitute key requirements of this regulation. This comes in a positive contrast to Directive 95/46/EC, where the relevant requirement was specified as a paragraph in a separate article devoted merely to the security of processing the data.

There Is No Privacy Without Security
Deciphering the "Integrity & Confidentiality" Principle
From Legal to Technical Landing the GDPR at the IT Field
DLP Is Necessary for GDPR Compliance
Engineering Information Privacy
DLP by Design