DATE: Wednesday 22 January 2020
VENUE: La Cave
SLOT: 10.30
ORGANISED BY: European Union Agency for Cybersecurity (ENISA)
MODERATOR: Athena Bourka
Panel Description
When discussing security and the protection of personal data, there is typically a perception that these two concepts are distinct, sometimes complementary and other times conflicting. Indeed, the notion of “balancing” security and data protection (or privacy as a broader concept) is not unusual, especially in the context of the “cyberspace”, as if there is a trade-off between “safeguarding the internet” and “protecting individual rights”. However, as recent large scale data breaches have shown, (cyber)security and data protection are in fact the two sides of the same coin: data protection cannot be achieved without security, while efficient security must have data protection as one of its primary goals. The General Data Protection Regulation (GDPR) recognises this convergence, introducing, for the first time, security as a data protection principle, while reinforcing the provisions of security of personal data processing and making security one of the main elements of the controller’s accountability. However, in order to achieve this converge, it is essential for security to embrace the very nature of personal data, as well as the specificities that this nature brings as to their protection. How can this be performed in practice? The panel seeks to address this question by exploring different levels of convergence of data protection and security requirements, from risk assessment to technical implementation and from standards developments to relevant certification frameworks. Some relevant questions to be discussed are:
- How can a “traditional” security risk assessment process embed data protection requirements?
- How can data protection requirements form part of products' secure development frameworks, especially in the context of new development approaches (e.g. agile development)?
- What role can technical standards play and what is the experience so far?
- To what extent can different certification frameworks under the GDPR and the Cybersecurity Act (CSA) benefit from each other in the area of cybersecurity? What is the experience so far?
