How Cybersecurity Engineers Can Contribute to Privacy Regulatory Compliance Programs

Within the maturity framework of certain organizations, compliance with privacy regulations is often assigned to cybersecurity and data protection areas, rather than to legal teams. While this can certainly leave some issues uncovered due to the lack of legal knowledge on the part of security and information technology engineers, there are certain aspects of the regulations that can indeed be addressed. In fact, security experts often provide a very accurate perspective when identifying privacy risks to data subjects.

When defining what cybersecurity means, the United States National Institute of Standards and Technology (NIST) describes it as the protection of information with the objective of ensuring its availability, integrity, authentication, confidentiality, and nonrepudiation. In this context, the personal data that organizations collect and use daily for their activities, platforms, and systems are undoubtedly part of this body of information that must be protected with all the characteristics defined by NIST.

Complying with Regulations

The European Union's General Data Protection Regulation (GDPR), as well as the Brazilian Data Protection Law (LGPD) and others around the world, establish the obligation to implement appropriate technical and organizational measures to ensure a level of security of personal data. This includes measures such as pseudonymization, encryption, backups, and incident response planning, among others.

To comply with these regulations, organizations typically establish an information security management program that consists of actions to achieve an initial level of security and then a series of recurring controls to ensure that the security of personal data does not diminish for any reason. Examples of recurring controls include penetration testing, vulnerability and misconfiguration scannings, access reviews, backup assessments and disaster recovery testings.

How Technical Teams Can Help

In this way, a technical team without legal knowledge can make a significant contribution to regulatory compliance with regulations such as the GDPR. As mentioned, regulations often contain clauses unrelated to security that undoubtedly require the involvement of specialized legal and compliance teams. However, the contribution of a security team is a crucial step towards preventing the theft of customers' personal data, which would be a serious breach of user privacy, law, and organizational reputation.

In the event of a personal data breach, while security engineers work to identify and fully eradicate the problem, mitigate the effects of the incident, and restore systems to their original secure state, legal teams must handle the required notifications to authorities and potentially to data subjects. In this sense, both teams must work in parallel, complementing each other, and both are essential for the efficiency of the program.

Building and Implementing a Cybersecurity Program

The implementation of a cybersecurity management program and its set of recurring controls often requires the deployment of tools that enable the organization to meet all the objectives established in its annual plan. These tools, which can be internal or provided by a vendor, can help better organize information, set short-, medium-, and long-term goals, assign tasks, generate metrics and reports, and even integrate with other tools to obtain a centralized source of essential security program information.

Knowledge of the cybersecurity program, managed by its experts, fundamentally helps the organization's lawyers understand that personal data is being protected in a way that ensures regulatory compliance. In this sense, cybersecurity engineers and privacy lawyers work in parallel, and both are indispensable for the program to be efficient and compliant with applicable regulations.

Our team at Enveedo can help, check out the latest eBook, Beyond GRC Platforms: Meet Enveedo — The Cyber Risk Management Platform of the Future.