Qu.1 – Who owns personal data, is it the Data Subject or the Data Controller?
Does it really matter? Yes, because by asking this question you can separate the real privacy experts from those who merely claim to be experts.
The answer to this question is fundamental to privacy and data protection principles, not just to the Regulation. If you get this wrong, you will get it all wrong. The funny thing is that most IT and information security experts will get it wrong. This is not surprising, because they spend most of their working life protecting the intellectual property of their employers and clients, so it would never occur to them that personal data stored by the company (the data controller) does not belong to the company, but to the data subjects themselves.
Personal data belongs to the Data Subject, not the Data Controller!
So I’m a skeptic, but a deserving one at that, having come from the camp of information security experts myself. I almost cringe at my early consulting efforts to assist one especially large client, who decided that compliance with the Data Protection Directive would be a good thing. I was so focused on the information security aspects that I missed everything else.
Qu.2 – Privacy is the flip side of the coin to Security?
I often hear that privacy is the flip side of the coin to security, when in fact the inverse is true. These sweeping statements imply that privacy is a part of security, or a mirror of security, or at best that it is security versus transparency. However, privacy is neither security nor purely transparency. Security is needed for privacy, and that is about as far as the boundaries of security go within the scope of privacy.
Qu.3 – Privacy is about compliance the same as Information Security, right?
Any individual who claims that compliance with the Data Protection Regulation can be managed under the same umbrella as an InfoSec Program knows nothing about privacy. Much of the Regulation is focused on controlling the collection, quality and processing of personal data. It is about protecting the rights of the data subject. It is about ensuring transparency and openness between the data controller and the data subject. There must be evidence showing that the data controller takes seriously its role as guardian of the personal data, and under the Regulation this will be strongly enforced.
Qu.4 – This is going to be expensive?
Now it is 2015 and the new Regulation is peeking at us from just around the corner. During the second half of this year I have become increasingly concerned that the time- and money-wasting scenario that I inflicted on some poor client all that time ago is going to be repeated 100s, 1000s and millions of times across the EU, by 100s, 1000s and millions of young, and older, energetic and enthusiastic information security consultants during the next 2 years and more. It’s going to be expensive unless you take some action yourself.
Qu.5 – Now where do I start?
So what can you do to help yourself? Apart from the very simple question I posed at the beginning of this article, I have some nuggets of gold, where you can find some privacy wisdom, which you can check out for yourself…
- If you want to get certified in privacy… read the next bullet point… would love to have you join the global movement of privacy professionals!
- Visit the International Association of Privacy Professionals (IAPP) website. There you will find the real privacy experts from all around the world. You need to look for individuals who hold the CIPP (Certified Information Privacy Professional) certifications, which can be likened to the CISSP in information security. Here you will find experts in privacy who may be technical and/or security-oriented and/or qualified in law.
- IAPP holds great conferences globally. I was in Washington in April and Glenn Greenwald (Snowden files) was the keynote; it was a great place to absorb the amount of expertise on tap concerning privacy and data protection, and to network. The one scheduled to be in Brussels this week was cancelled.
- They also have local KnowledgeNets around the world (even in the cold Nordics ;)) where you can network with the local privacy geeks.
- Four times a year a ‘Privacy After Work’ bash is scheduled wherever there are KnowledgeNets, and the next is on Data Protection Day, 28 January 2016; let me know if you want to join us for the one in Stockholm!
If you just want a basic grounding – I have just released an online 10 hour training, available for only €225, that opens for registration on 1 December 2015. This is a great and inexpensive route to get yourself or your privacy champions onboarded with the new Regulation.