7 Security Controls You Need For General Data Protection Regulation (GDPR)
by Caitlin Gruenberg
It’s no secret that data protection and security has become a hot topic in recent years with the 2018 rollout of the General Data Protection Regulation (GDPR). As the world becomes increasingly global and more global companies serve European clients and customers, discussions on GDPR security controls continue to be relevant.
I recently asked a group of people what comes to mind when they hear “Privacy” and then again when they hear “GDPR.” In response to privacy, there were terms such as security, protection, data, door, HIPAA, and problem. In regards to “GDPR,” EU, unknown, security, lawsuit, and it’s coming.
Prior to polling the crowd, I asked myself these same questions. My response to privacy was “#getpumpedaboutprivacy”, a hashtag I’ve been trying to get trending for a while, and my GDPR thought was “change.”
When it first rolled out, GDPR and its security controls were the source of much confusion all over the world. Businesses of all sizes who were concerned about complying with GDPR requirements had a lot of knee-jerk reactions to implementing it. And rightfully so.
The penalty for non-compliance with GDPR is up to €20 million or 4% of worldwide yearly revenue – whichever is higher. The potential for substantial fines is changing the way organizations approach their data protection and security practices. In terms of an organization’s cybersecurity ecosystem, what are data protection controls that need to be in place from a security perspective to ensure GDPR cybersecurity compliance?
Let’s dive in.
Download Now: No Hassle Guide To Effective Third-Party Risk Management
What Is the General Data Protection Regulation?
To quickly summarize, GDPR is a regulation on data protection which applies to data subjects within the European Union (EU). Born out of a goal to protect consumer data privacy, GDPR requirements are designed to give control to EU data subjects in regards to how their data is processed, stored, or transmitted. Because companies all over the world serve EU residents, the ripple effect of GDPR reaches to all corners of the globe. With the rollout of GDPR, its security controls set the global standard for data privacy. This legislation is applicable to organizations outside of the EU, including those that are based in the U.S.
If you’re wondering what GDPR data protection actually covers and what it means for your organization, you’re not alone. While a great deal more information is available today than in 2018, many questions remain for a wide variety of businesses.
Let’s explore some key GDPR security controls that need to be in place to ensure your organization is fully compliant with GDPR requirements:
1. Identity and Access Management (IDAM)
Having the proper IDAM controls in place will help limit access to personal data for authorized employees. The two key principles in IDAM, separation of duties and least privilege, help ensure that employees have access only to information or systems applicable to their job function.
What does this mean in terms of GDPR? Only those who need access to personal information to perform their job have access. In this situation, privacy training should be available to those individuals to ensure that the intended purpose for the collection of personal data is maintained.
2. Data Loss Prevention (DLP)
With regards to GDPR security controls, DLP helps prevent the loss of personal data. According to GDPR, organizations, whether they are the controller or processor of personal information, are held liable for the loss of any personal data they collect.
Technical safeguards, such as a DLP tool, are critical in preventing a breach and becoming the next headline. Incorporating DLP controls adds a layer of protection by restricting the transmission of personal data outside the network. DLP systems work behind the senses to ensure that your security policy is free of violations and notifies your data protection team of any threats or risks.
3. Encryption & Pseudonymization
Pseudonymization is a difficult word to spell and an even more difficult one to pronounce. It’s defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” (GDPREU.org) This fancy, hard-to-say word may include field-level encryption in databases, encryption of entire data stores at rest, as well as encryption for data in use and in transit. It typically removes any personally identifiable information from data so that even if a breach occurred, loss of personal data is minimized.
Pseudonymization is something the GDPR “advises” but doesn’t require. However, if an incident leading to a security breach occurs, investigators will consider if the organization responsible for the breach has implemented these types of GDPR technical controls and technologies. Failing to do so may result in an “at-fault” finding.
4. Incident Response Plan (IRP):
A mature IRP should address phases such as preparation, identification, containment, eradication, recovery and lessons learned. But what if an incident occurs and personal data may have been breached?
Organizations can think of their IRP as a critical component of their crisis response or crisis management plans. It should lay out a step-by-step process for reporting and mitigating data breaches.
Unsurprisingly, GDPR security controls define specific technical requirements for your organization’s IRP. Breach notification requirements are among the most notable in the legislation.
Specifically, GDPR security controls state, “In the event of a potential data breach that involves personal information, an organization must notify the Data Protection Authority without undue delay, within 72 hours if feasible, after becoming aware of the breach; and Communicate high-risk breaches to affected data subjects without undue delay” (GDPREU.org).
Related: The Top Third-Party Data Breaches of 2018
5. Third-Party Risk Management
If an organization entrusts the processing of personal data to a processor or sub-processor, and a breach occurs, who is liable?
Quick answer: Liability for all!
Processors are bound by their controller’s instructions. However, GDPR data compliance also obligates processors to have an active role in the protection of personal data. Regardless of instructions from the controller, the processor of personal data must follow GDPR requirements and can be liable for any incidents associated with loss or unauthorized access to personal data. Sub-processors also will need to comply with the GDPR based on each contractual relationship established between a processor and sub-processor.
As you can see, GDPR cybersecurity compliance is just as important for third-party relationships as it is internally for an organization as long as those third parties process, store, or transmit personal data of EU data subjects.
As a result, you must vet your third-party vendors carefully and monitor their policies and activities to ensure they continue to remain compliant with GDPR security controls as well as your internal security protocol.
6. Secure Access Service Edge (SASE)
SASE is an emerging protection model that differs from legacy models in that it recognizes the challenges presented by remote work and operations. While many organizations were headed toward a SASE model before the pandemic, when the world experienced a rapid transition to remote work, traditional protection models became less relevant.
In the past, organizations prioritized identifying and preventing external threats. However, the sudden shift to remote access meant that using a company’s firewalls to narrow points of entry was no longer a reasonable option. SASE differs from traditional models in that it uses cloud services to deploy security protocols to remote locations.
While not a specific GDPR requirement, in today’s digital world, implementing this protocol is an excellent strategy for remaining compliant.
7. Policy Management
While this is the last concept we’re covering with regard to GDPR compliance recommendations and requirements, it’s my personal favorite.
Policy is the teeth, the hammer, and an “accountability partner” for the previously discussed data security controls.
To be effective, policy must receive enterprise-wide buy-in in order to manage and update data security controls in an always-changing cybersecurity environment. For best practices, organizational policy acknowledgment and training ensure policies are properly communicated and understood.
Put it all together and, if managed and followed accordingly, policy management is a foundation for compliance toward GDPR readiness.
Related: 4 Steps CyberGRX Is Taking To Get Ahead of GDPR
As you can see, complying with GDPR security protocols requires more effort than checking a box or saying “I solemnly swear I’ll do right by your data.” If you process the personal data of EU data subjects, then you must comply with GDPR security controls and manage your cyber risk effectively.
It behooves you to take the time to explore the existing security controls for data protection your company has in place. From there, evaluate if your efforts support GDPR requirements to ensure personal data is accounted for, protected, and processed correctly.
CyberGRX has a tool to verify vendor compliance, without the tedious process of cross-referencing data and questionnaire answers. We call it Framework Mapper, and we’d love to show you how it can not only save your company time, but equip you to identify gaps in statutory and industry-specific regulatory requirements, before they become a larger concern. Book a demo now.