Three words that will make or break your compliance programs
Effective, reasonable, and appropriate – these three seemingly solid and affirming concepts are, by design, wielded by legislatures, regulators and auditors to give us all some wiggle room – not to offer an easy way out of our obligations, but to add elasticity to regulations and controls that will always struggle to keep pace with technological, political, and societal change.
This “meaningful ambiguity” can deliver quite a blow when regulators or judges take a different view on what you might have assumed to be reasonable, appropriate, or effective. Sentencing guidelines and liability exposure are only two of the most obvious domains where failure to validate and document your understanding of these concepts in context can do you in.
This is not a pedantic or academic issue; these terms saturate virtually every privacy, information security, and risk management regulation and framework. NIST’s SP 800-53 Security and Privacy Controls for Information Systems and Organizations embeds “effective” 177 times, “appropriate” 127 times and “reasonable” (only) 7 times. HIPAA embeds “effective” 28 times, “appropriate” 80 times and “reasonable” 117 times.
Each use comes fully loaded with deliberate (although implied) obligations – obligations that may well be evolving month-by-month – even though the words themselves remain static.
What do I mean by “saturated?” Let’s take a closer look at GDPR. By the simple numbers:
Reasonable: 29 occurrences
Effective: 58 occurrences
Appropriate: 115 occurrences
State of the art: 6 occurrences (a newcomer that is worthy of attention).
Now let’s take a look at how these terms are deployed throughout. (All screenshots are from a single live graph using filters - you can access the graph and data here – although there is a bug in the software so the referenced Article and Recital titles are not lining up properly).
The 202 occurrences of these meaningfully ambiguous terms span 45 of the 99 GDPR Articles (that’s almost half 😊). But this is not the end by any measure. If you’ve ever had the pleasure of reading the actual GDPR legislation, you know that the 99 Articles are preceded by 173 Recitals (an exhaustive list of relevant assumptions and definitions). Understanding the Recitals is essential to developing a working understanding of the Articles that comprise the body of the GDPR.
Of the 173 Recitals, 57 also rely upon these terms to provide the flexibility needed to capture the complex and fluid topic of personal privacy. ...BUT WAIT – there’s more! As already stated, the purpose of the Recitals is to provide a contextual grounding for the Articles that follow. The next chart looks at the subset of Recitals that include these terms and that directly support the subset of Articles that ALSO include these terms. You might say that's (meaningful ambiguity) squared. To keep the following chart manageable, I’ve further reduced the graph to look only at Articles 24-43. These are the Articles that define Controller and Processor, two foundational concepts inside the GDPR.
Now, let’s take an even closer look at the actual content of just one important Article (32 – Security of processing) and its dependence on two Recitals (78 – Appropriate Technical and Organisational Measures and 77 – Risk Assessment Guidelines). Not surprisingly, Article 32 mandates that organizations take "appropriate measures." In addition to what those measures need to include (Recital 78), organizations must assess the materiality of the exposure in a consistent fashion; this is defined in Recital 77. As an exercise, take the time to review how Appropriate, Effective, and State of the Art are defined through the use of examples, intent, and references. Ultimately, the GDPR stops short of offering a concrete rubric to definitively identify a “compliant” solution.
Organizations are often tempted to skip the exercise of defining these terms internally and jump to implementing controls and specific technologies and/or training programs – BUT without a consensus on these terms – there is simply no way to guarantee that the work to ensure information security and personal privacy will be sufficient (and that is most definitely NOT effective, reasonable, appropriate, or state of the art 😊)!