The introduction of GDPR (General Data Protection Regulation) in 2018 in the EU raises some new challenges for those involved in controlling and processing personal data, but it is also a great case study in risk ownership and governance. It demonstrates some concepts and principles that have long been central in the SABSA way of thinking. In this article we shall explore those principles using the GDPR as an example.
SABSA has an approach to risk ownership that recognises different players with different roles. There is the risk owner, whose job it is to determine how much risk can be taken and who is ultimately accountable. There is the risk custodian, who is responsible for looking after the management of the risk on behalf of the owner, according to policies and procedures laid down by the owner, often in the form of a contract and service level agreement. There are also other third parties who have no say in the policies and have no part to play in the management of the risk, but who can be impacted by the outcome of risk-related events.
SABSA also embraces the concept of policy domains, each with a policy authority that owns the domain and makes security and risk management policy within the domain. A domain is sometimes physical in nature but more often logical, being a population of entities subject to the same security and risk management policy. These entities may be human individuals, groups of individuals, organisations or even machine devices. There is a hierarchy of domains – domains within domains, called sub-domains. The higher-level domains that contain sub-domains are known as super-domains. The super-domain / sub-domain model can be deeply nested, in which some domains are sub-domains to higher domains, but also super-domains of lower ones.
Let’s see how all this relates to the GDPR model.
The highest-level super-domain is the EU itself, setting policy for personal data protection. The GDPR is a Regulation rather than a Directive: unlike its predecessor, the Data Protection Directive of 1995, it applies directly in every member state without having to be transposed into national law, although it deliberately leaves a number of matters (the age at which a child can consent to online services, for example) for member states to settle for themselves. Nation states within the EU are sub-domains, all subject to the same Regulation. Under the old Directive, detailed guidance on personal data protection was developed by the Article 29 Working Party, which brought together representatives of each member state's data protection authority, the European Data Protection Supervisor and the European Commission. Although the Commission provided its secretariat, the Working Party had advisory status and acted independently: the opinions, working documents and letters it issued reflected the views of the Working Party alone, not the position of the Commission, which formed its own position taking that advice into account. Under the GDPR the Working Party has been replaced by the European Data Protection Board, which has essentially the same membership but a firmer legal footing, including the power to issue binding decisions where national authorities disagree on a cross-border case. Authority behind the legislation itself comes from the EU legislature, that is the European Parliament and the Council acting jointly on a proposal from the Commission. Each nation state remains an autonomous lawmaker wherever the Regulation leaves room for national variation, and each has a dedicated supervisory authority with responsibility for policing compliance with the law. Already we see some complexity in the policy domain model.
GDPR talks about ‘controllers’ and ‘processors’. The controller determines how and why personal data is processed and the processor acts on the controller’s behalf and on its documented instructions. So we see the roles as being risk owner (controller) and risk custodian (processor). However, the processor is also a risk owner in its own right, because GDPR places direct legal obligations on processors (to maintain records of processing, to secure the data, to report breaches to the controller and to engage sub-processors only with the controller's authority, among others) and makes them directly liable to supervisory authorities and to data subjects for failing in them. In many cases the controllers and processors will be organisations of some considerable size, but the regulations apply equally to small and medium sized organisations, including sole traders and practitioners, where the owner and custodian functions sit with a single party.
As under the earlier Directive, there are data subjects about whom the personal data has been collected. They are clearly ‘at risk’ from breaches of the regulations and could be heavily impacted by a breach, but they have no official authority for risk ownership or custody, although the GDPR does give them enforceable rights over their data, such as access, rectification and erasure, and a right to complain to the supervisory authority. It is worth noting that the definition of ‘personal data’ has also been extended under GDPR to include such items as IP addresses and other online identifiers, in line with the growth of the digital economy and the change in the ways that organisations collect information about people.
Some personal data is also classed as ‘special categories of personal data’, for example genetic data and biometric data processed for the purpose of uniquely identifying an individual, along with data about health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and sex life or sexual orientation. There are exclusions from scope too: personal data processed by competent authorities under the Law Enforcement Directive, processing for national security purposes, and processing carried out by individuals purely in the course of personal or household activities.
So there we have a complex and deeply nested set of policy authorities that inherit policy from higher-level authorities and must implement those policies in their own lower-level policy-making activities. It is the strength of SABSA that it provides the tools with which to model such complexity, something that is essential in the development of security architectures.