On Tuesday 20 April the HSD Café: Security & Privacy took place online. The reason for this Café was to discuss the gap between security and privacy concerns. An exemplary case was the outcome of an RTL News investigation on 24 January this year. This investigation showed that the personal data of millions of Dutch people who had done a Corona test at the GGD had ended up in criminal hands. A number of malicious employees of the GGD were involved in this.
During the Café, experts discussed the risks of lack of awareness of data security and insufficient privacy protection measures. The Café started off with the message that the impact of data leaks is huge and momentarily noticeable that there is a disaster developing lately concerning leaks. There is a need for actual consequences because there seems to be a continuous lack of understanding of the seriousness in the responsible organisations. This is worrying according to prof. Bart Jacobs from the Radboud University Nijmegen.
The Café approaches privacy, GDPR and security & cybersecurity solutions both from a legal angle and from the perspective of those developing and responsible for adequate security.
dr. Wilfred Steenbruggen from Bird & Bird: “From privacy perspective it must be looked at carefully, business awareness around security is very important, but privacy by design requirements are broader than just security".
Petra van Schayik from Compumatica secure networks says that it is important to get clarity of security requirements at an early stage, adjustments will always be necessary to the security of databases. Take into account a flexible structure of your database. Additionally, van Schayik points to Principle 9 from the NIST-standard that data must be secured during processing, during transport and during storage. “This implies that at least 3 types of security control must be present to meet this principle. In practice, you see that there are even more to guarantee availability, integrity and confidentiality during these three transition phases. Early recognition and specification of security control is essential.”
Working with security and privacy in practice is always a balancing act. It can happen that the most secure software solutions have the downside of not being in line with GDPR requirements. This is a distinction that Jordy Mullers, CISO at ENGIE points out.
An interesting discussion between the legal world on the privacy focus and the practical world on the application of security and privacy concerns.