3.5 Security and Data Protection

Information security means protecting the confidentiality, integrity and availability of any data that has business value. The requirements for information security can be legal and regulatory in nature, or contractual, ethical, or related to other business risks.

As all information progressively turns into digital data, traditional information security converges with cybersecurity. Modern leadership should see cybersecurity as rooted in the organisation's culture, not merely as technical insurance provided by a specialised security team.

Security

The ISO/IEC 27000-series provides best practice recommendations on information security management, and ISO/IEC 27001 outlines an information security management system. The standard comes with over a dozen domains, amongst which the five main topics below should be considered the minimum.

Cybersecurity awareness

Decisions that impact security are made daily by everyone in the organisation. Awareness of the rules is not enough. Good decisions only happen when people are empowered, enabled and encouraged by the organisation to act securely. One way to test the security awareness of the organisation is to ask questions such as:

  • Does the organisation reward secure behaviour and the reporting of risks?
  • Are people encouraged to acknowledge mistakes that compromise security?
  • Is there a culture of collaboration where business, IT and security work and solve problems together?

Instead of a separate awareness programme for company policies, involving people in co-creating secure practices often leads to better results. Incentivising the development of those practices can further promote continual learning and innovation.

Classification of information and compliance

Classifying information is about identifying information assets that are sensitive to the business or to individuals, and/or subject to legal requirements. This allows an organisation to focus and prioritise security investments.

As information classification must become a routine for the entire organisation, it must be simple and intuitive. In practice, this means keeping information classes to a minimum (e.g. open, confidential, secret) and binding these classes to simple rules. Ensuring that the relevant legal and regulatory requirements are reflected in the definitions, and that suitable help is provided, supports people in classifying correctly. In addition, hands-on group training ensures that everyone is motivated and able to classify the information relevant to their roles.

Security in development and project management

Ensure all projects start with an early risk assessment and defined objectives. Regular reviews against the objectives throughout the project minimise surprises and rework. Projects should be supported by guidance for the secure development of software and systems, covering the entire project and development lifecycle.

Audit trails and change control processes are crucial for easy roll-backs when changes fail. However, as these processes must still enable agile and lean teamwork, co-creating them ensures the motivation to follow them. Effective change control is paramount to keeping the business running.

Digital and physical access rights

Digital and physical security requires verifying authorised access and denying unauthorised access. It is important to ensure that access management, both digital and physical, is aligned with information classification and legal requirements, and that the two are aligned with each other. For example, it makes little sense to limit access to highly confidential data systems if the team that processes the data works in an open office space accessible to anyone. Practical guidance for designing access management can be found in ITIL and the OWASP Access Control Cheat Sheet.
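The open-office example above can be expressed as an access decision that takes both the data classification and the requester's physical location into account. The following is an added illustration, not code from the original text or from any standard it cites; the three classes follow the text's suggestion (open, confidential, secret), while the zone names, the policy table, the asset register and the user names are constructed assumptions. Every check must pass explicitly, so an unclassified asset or an unknown situation is denied by default, and every decision is written to an audit trail.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """Minimal information classes, as the text recommends."""
    OPEN = 0
    CONFIDENTIAL = 1
    SECRET = 2


class Zone(IntEnum):
    """Physical zones ordered from least to most controlled (hypothetical names)."""
    OPEN_OFFICE = 0   # accessible to visitors
    STAFF_AREA = 1    # badge required
    SECURE_ROOM = 2   # badge plus access log


# Hypothetical policy table: the minimum clearance AND the minimum physical zone
# required to access data of each classification. Both constraints must hold.
POLICY = {
    Classification.OPEN: (Classification.OPEN, Zone.OPEN_OFFICE),
    Classification.CONFIDENTIAL: (Classification.CONFIDENTIAL, Zone.STAFF_AREA),
    Classification.SECRET: (Classification.SECRET, Zone.SECURE_ROOM),
}

# Constructed asset register; anything not listed here is treated as unclassified.
ASSETS = {
    "press-release.docx": Classification.OPEN,
    "customer-list.csv": Classification.CONFIDENTIAL,
    "payroll.xlsx": Classification.SECRET,
}


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: Classification
    zone: Zone  # where the person is physically working right now


@dataclass
class AuditTrail:
    """Keeps one record per decision so that denials can be reviewed later."""
    entries: list = field(default_factory=list)

    def record(self, who: str, asset: str, allowed: bool, reason: str) -> None:
        self.entries.append(
            {"user": who, "asset": asset, "allowed": allowed, "reason": reason}
        )


def decide(principal: Principal, asset: str) -> tuple:
    """Return (allowed, reason). Deny by default: every check must pass explicitly."""
    asset_class = ASSETS.get(asset)
    if asset_class is None:
        return False, "asset not classified"
    min_clearance, min_zone = POLICY[asset_class]
    if principal.clearance < min_clearance:
        return False, f"clearance {principal.clearance.name} below {min_clearance.name}"
    if principal.zone < min_zone:
        return False, f"zone {principal.zone.name} below {min_zone.name}"
    return True, "allowed"


def authorise(principal: Principal, asset: str, trail: AuditTrail) -> bool:
    """Decide and record; the caller only sees the boolean."""
    allowed, reason = decide(principal, asset)
    trail.record(principal.name, asset, allowed, reason)
    return allowed


if __name__ == "__main__":
    trail = AuditTrail()
    # Constructed scenario from the text: full clearance, but sitting in the open office.
    analyst = Principal("alice", Classification.SECRET, Zone.OPEN_OFFICE)
    print(authorise(analyst, "payroll.xlsx", trail), trail.entries[-1]["reason"])
```

Because both classification and zone are ordered enumerations, adding a class or a zone means adding one row to the policy table rather than touching the decision logic, which keeps the rules as simple as the text asks for.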

In a culture of collaboration, it is also worth considering what the value of transparency is, and approaching these definitions by weighing the value of sharing against the risk of broader access.

Addressing security within supplier agreements

Developing innovative, scalable and user-friendly services typically means working with partners. In today’s world, organisations share data and parts of their business with third parties ranging from cloud and IT suppliers, advisors and sponsors to competitors and start-ups. Maintaining trust and ensuring business continuity also means ensuring that partners share the same security principles.

Done right, due diligence with third parties is not only a mandatory compliance exercise but a mechanism for taking controlled risks that can lead to a faster go-to-market with a new service partner.

Data protection

The purpose of data protection (also known as information privacy and data privacy) is to define when and on what conditions personal data can be processed. All data related to an identified or identifiable natural person (the data subject) is personal data.

A controller is a person, company, authority or community that defines the purposes and methods of processing personal data, whereas a processor is a third party that processes personal data on behalf of a controller.

Data protection regulations have existed for a relatively long time (e.g. the EU Directive 95/46/EC from October 1995), and attention increased with the new EU Regulation (2016/679, also known as the EU GDPR or EU General Data Protection Regulation), which became binding in all EU member states on 25 May 2018.

Characteristics of the EU GDPR

The core document of the regulation is long (99 articles), and depending on the nature of the business and how much of it involves processing personal data, there may be considerable need for guidance and interpretation to fully comply with it.

The main reason why the EU regulation has gained so much attention is the enforcement that enables the Data Protection Authorities (DPA) to impose fines on businesses of up to 20 million EUR or 4% of a company’s worldwide turnover. In practice, the maximum fine is at a level that both poses a huge risk to the whole business and justifies any investment needed to comply with the regulation.

Data protection roles

Whether to appoint a Data Protection Officer (DPO) depends on what kind of personal data the company is controlling and/or processing, and on what scale. If the processing of personal data is not a core part of the company’s business and its activity is not on a large scale, there is usually no need to designate a Data Protection Officer. Even when a DPO is needed, it is a role that an existing employee can take, or it can be obtained from a provider as a service.

Regardless of whether a DPO has been appointed, if there is a data breach in which personal data (that the company is responsible for) is disclosed to unauthorised recipients or altered so that it poses a risk to individual rights and freedoms, the company needs to provide a proper notification to its DPA within 72 hours after becoming aware of the breach. To be able to react to a data breach, or to any process- or technology-related threat to personal data, the organisation must have a nominated person who takes responsibility when needed.

Lean approach to data protection

Taking data protection into account at an early stage, when designing a new process, a new product or service, or a new information system that involves processing personal data, is a good way of addressing data protection requirements in a lean way. The same applies to tendering or any other sourcing process, and ensures that the (potential) supplier and the contract are compliant with the EU GDPR. This approach is called data protection by design.

Data protection by default is about ensuring that all processing of personal data is limited to a minimum set of data subjects (for example, specifying each time which data records need to be listed), that access to the data is limited to a minimum number of people (for example, the key user needs to grant access separately for every user), and that the data storage time is limited to a minimum.

Benefits from implementing data protection

Companies operating in the EU benefit from implementing data protection by default, as it is cheaper and easier to do business in the EU area when the rules regarding data protection are the same. Companies based outside the EU must also apply the same rules when offering products and services to individuals in the EU. The GDPR is also technology neutral and applies to personal data processing in the same way regardless of whether the processing is done manually or automatically.

When optimising the business processes and information systems related to handling personal data, the processes can be streamlined to be more efficient, and the requirements for systems and storage can be minimised to decrease costs. At the same time, the related data can be consolidated so that it is easier to utilise for the business, or even to create new services based on that information.

It is also possible to gain a competitive advantage by handling personal data in a trustworthy and reliable manner and providing enough transparency to customers to earn more trust than the company’s competitors.