Andre Palmer | Cybersecurity is data protection too
IT IS IMPORTANT for persons and entities that collect data to note that data protection is not the same as cybersecurity, but cybersecurity is a part of data protection. Specifically, in a Jamaican context, it’s the seventh standard in the Data Protection Act (DPA). This standard requires data controllers to take appropriate organisational and technical measures to protect the personal data in their care.
The important thing to understand is that the DPA makes no specification as to what those measures may be. The responsibility for that decision is entirely that of the data controller and, unless an audit is requested, the Office of the Information Commissioner will only assess the appropriateness of the measures if they receive a complaint or there is a breach.
The quality and effectiveness of security measures can also be tested in other ways. The DPA includes a right of private action – so one can be sued and have to defend one’s compliance with the eight standards in court. An organisation’s security is also tested every day by the intentional actions of bad actors – hackers, fraudsters, dishonest employees – and by the unintentional mistakes made by staff and customers. To err, as they say, is human.
PROVING SECURITY
The final test is one data controllers will also impose on others. One of their key duties is to ensure that anyone with whom they share data is a safe recipient. This means that they must also ask those persons to prove their security. If the recipient is a processor, then ultimate liability for its compliance with all of the standards, including the seventh, lies with the data controller. For those who would like to read more, this aspect is covered by section 30 of the DPA.
What, then, does all this mean data controllers should actually do? The standard answer from a security consultant is “it depends”. The first real step must be to assess risks:
• What risks are faced from outside attackers?
• What could go wrong with internal processes?
• How bad would it be for data subjects (customers, prospects, employees and others) if any of these risks became real?
The first decision must then be: do the means exist to protect this data and process it safely? If not, or if the cost of adequate protection, taking these risks into account, outweighs the value of the processing, then it should be stopped – or not started in the first place – and a different way found to meet business goals.
CONSIDERATIONS FOR ADEQUATE MEASURES
If a set of measures can be implemented to adequately address the risk – policies, procedures, training, access controls, authentication, encryption, network and device security, physical controls and so on – then it must be done. Other considerations are:
• How to provide evidence of that security without such disclosure undermining its effectiveness
• How to check whether security measures are actually working
• How to review and update all aspects of security provisions – including decisions about the fundamental appropriateness of the processing – as risks evolve and business changes.
However strong one’s security is, there must also be a plan for what to do if it is defeated. Breaches happen even to the best, and the moment after one is discovered is not the time to work out how to respond to it. Data controllers will face multiple technical, regulatory and communications challenges in a breach situation. Failing to plan for them is, as the old adage has it, planning to fail.
Andre Palmer is an experienced management consultant and head of practice at Securys Limited, a global data protection firm with offices in the United Kingdom and Jamaica, serving clients in over 60 countries. Email: info@securys.com.jm. Send feedback to columns@gleanerjm.com