14.05.2018 | Thomas Kessler

Informational Self-Determination: How do we Deal with the Upcoming Upheaval?


The impact of the European General Data Protection Regulation (GDPR), which can be felt by everyone, has so far been limited to the laborious confirmation of cookie policies. Behind the scenes, however, a revolution is underway that could shake the very foundations of how security managers see themselves today. This revolution is already visible in various new regulations, such as the Electronic Patient Record (EPR): in the EPR, patients themselves decide how they classify their documents and which doctors are allowed to access their records. The European Payment Services Directive (PSD2) for the digital banking business follows the same thrust.

Even if it takes longer than planned: sooner or later, customers will (have to) exercise their rights and obligations as responsible data owners themselves. It is not yet clear how this will affect information security. Will providers be permitted to let their customers forgo basic security measures? Must they even do so in order not to unduly restrict the customer’s data sovereignty? And if not, where is the acceptable limit?

In answering these questions, we should consider two areas separately. Firstly, the duty of care or “basic protection”. This must ensure that the security functions as it was configured (by the customer!). Error-free programming, secure system operation and the isolation of the service from various sources of danger belong in this area. As before, the security officer and the regulator must define and enforce the applicable quality standards.

Secondly, security within the service. Here the customer will demand extended configuration options to reflect their preferences. There will be customers who prioritize convenience over data security, while for others it will be the other way around. This is very similar to the “analog world”, where car buyers and house builders take the accident safety or burglar resistance of a product into account when making a purchase decision. Information security can also emerge stronger from the process in this area. However, it must be completely repositioned and professionally maintained as a quality label and brand element.

Thomas Kessler gave a presentation on the opportunities and risks of informational self-determination in the specific context of the EPR at the Information Security in Healthcare Conference on June 7, 2018. The corresponding slides can be found on our website.


About the author
Thomas Kessler, Partner, Managing Security Consultant