It’s no secret that data protection has become a hot topic with the impending General Data Protection Regulation (GDPR) taking effect on May 25th. I recently asked a group of people what comes to mind when they hear “Privacy” and then again when they hear “GDPR.” In response to privacy, there were terms such as security, protection, data, door, HIPAA, and problem. For “GDPR,” the answers were EU, unknown, security, lawsuit, and “it’s coming.” Prior to polling the crowd, I asked myself these same questions. My response to privacy was “#getpumpedaboutprivacy”, a hashtag I’ve been trying to get trending for a while, and my GDPR thought was “change.”
The penalty for non-compliance with GDPR is up to €20 million or 4% of global annual turnover, whichever is higher. The potential for substantial fines is changing the way organizations approach their data protection practices. In terms of an organization’s cybersecurity ecosystem, what needs to be in place from a security perspective to support compliance?
Let’s dive in.
What is the General Data Protection Regulation?
To quickly summarize, GDPR is a regulation on data protection that applies to the processing of personal data of data subjects in the European Union (EU). It gives EU data subjects control over how their personal data is collected, processed, stored, and transmitted. Because it applies to any organization that offers goods or services to people in the EU or monitors their behaviour, wherever that organization is established, the ripple effect of GDPR reaches all corners of the globe and pulls in organizations outside the EU, many of them based in the U.S.
Now, let’s explore some key security controls that need to be in place to ensure your organization is ready for GDPR:
- Identity and Access Management (IDAM)
Having the proper IDAM controls in place limits access to personal data to the employees authorized to handle it. The two key IDAM principles, separation of duties and least privilege, ensure that employees have access only to the information and systems required by their job function.
What does this mean in terms of GDPR? Only those who need access to personal data to perform their job have it, and that access is reviewed when roles change. Those individuals should also receive privacy training so that personal data is used only for the purpose for which it was collected (purpose limitation).
- Data Loss Prevention (DLP)
Relevant to GDPR, DLP helps prevent the loss or unauthorized disclosure of personal data.
Technical safeguards such as a DLP tool are critical to preventing a breach and the headline that follows. Under GDPR, controllers and processors alike can be held liable for damage caused by processing that infringes the regulation, including the loss of personal data they hold. DLP adds a layer of protection by inspecting content at egress points (email, web uploads, removable media) and blocking or alerting on the transmission of personal data outside the network.
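As an added illustration of the egress inspection a DLP control performs (example code written for this post, not taken from any product), the block below scans outbound text for two kinds of personal data, email addresses and bank account numbers (IBANs), and blocks the message when it is bound for an external destination. The IBAN candidate is checked against the ISO 13616 mod-97 checksum so that random alphanumeric strings do not trigger a block. The sample messages, the `egress_decision` policy and the function names are constructed for the example.

```python
import re
from typing import List, Tuple

# Egress content-inspection rules for a DLP control (added example, not from the
# original post). The loose IBAN regex is refined with the ISO 13616 checksum so
# that only genuine account numbers count as personal data.

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# Two country letters, two check digits, then 11-30 alphanumerics; optional
# single spaces between groups ("GB82 WEST 1234 ...") are tolerated.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]){11,30}\b")


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters to
    10..35, and the resulting integer must be congruent to 1 modulo 97."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def scan_message(text: str) -> List[Tuple[str, str]]:
    """Return (category, value) pairs for personal data found in outbound text."""
    findings: List[Tuple[str, str]] = []
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", m.group(0)))
    for m in IBAN_RE.finditer(text):
        if iban_is_valid(m.group(0)):  # drop checksum failures (false positives)
            findings.append(("iban", m.group(0).replace(" ", "")))
    return findings


def egress_decision(text: str, destination_is_external: bool) -> str:
    """Constructed policy: personal data may leave only to internal destinations."""
    if destination_is_external and scan_message(text):
        return "BLOCK"
    return "ALLOW"


if __name__ == "__main__":
    # Constructed sample messages, not real customer data.
    samples = [
        ("Please wire the refund to GB82 WEST 1234 5698 7654 32 and confirm "
         "to jane.doe@example.com.", True),
        ("Quarterly numbers attached, see page 4.", True),
    ]
    for body, external in samples:
        print(egress_decision(body, external), scan_message(body))
```

Note that the IBAN regex is greedy: a run of upper-case letters or digits immediately after an account number (for example a following year) is absorbed into the candidate, which then fails the checksum and is missed. A production rule set would try shorter candidates before giving up; the example keeps the single pass so the checksum logic stays visible.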
- Encryption & Pseudonymization
Pseudonymization is a difficult word to spell and an even harder one to pronounce. GDPR defines it as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information” (GDPREU.org), with the further condition that this additional information is kept separately and protected by technical and organisational measures. In practice that means replacing direct identifiers with tokens or keyed hashes whose key or lookup table is held apart from the dataset. Encryption is the companion control the regulation names alongside it: field-level encryption in databases, encryption of entire data stores at rest, and encryption of data in transit (and, where the platform supports it, in use).
Pseudonymization and encryption are measures GDPR “advises” as appropriate (Articles 25 and 32) rather than mandates outright. However, if an incident leads to a breach, the supervisory authority will take into account the technical and organisational measures the organization had implemented when deciding on penalties (Article 83), and personal data that was rendered unintelligible to unauthorized persons, for example by strong encryption with keys that were not themselves compromised, may exempt the organization from notifying the affected data subjects (Article 34).
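To make the definition concrete, here is an added example (written for this post, not drawn from any product or from the regulation's text) of pseudonymizing a direct identifier with a keyed hash. The key and the reverse mapping are the "additional information" that must be kept separately; the `PseudonymVault` class stands in for that separately controlled store, and everything that only holds the pseudonymized records can no longer attribute them to a person. The block also shows the caveat a practitioner should know: an unkeyed SHA-256 of a guessable identifier such as an email address is not pseudonymization, because anyone with a candidate list can reverse it. Record contents and the vault/key names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Added example (not from the original post). A direct identifier (email) is
# replaced by an HMAC-SHA256 pseudonym. The key and the pseudonym -> identifier
# mapping live only in PseudonymVault, which models the separately held
# "additional information" GDPR requires for pseudonymized data.


def pseudonym_for(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym, so records for one subject can still be
    joined in the analytics store without revealing who the subject is."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class PseudonymVault:
    """Holds the secret key and the reverse mapping. Access to this object is
    what separation of duties should restrict; analytics users never get it."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)   # 256-bit HMAC key
        self._reverse: Dict[str, str] = {}

    def pseudonymize(self, record: Dict[str, str]) -> Dict[str, str]:
        """Return a copy of the record with the email replaced by its pseudonym."""
        out = dict(record)
        p = pseudonym_for(record["email"], self.key)
        self._reverse[p] = record["email"]   # kept here, never with the data
        out["email"] = p
        return out

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Re-identification is only possible with access to this vault."""
        return self._reverse.get(pseudonym)


def unkeyed_hash(identifier: str) -> str:
    """What NOT to do: a bare SHA-256 over a guessable identifier."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def dictionary_attack(digest: str, candidates: List[str]) -> Optional[str]:
    """Reverse an unkeyed hash by hashing candidate identifiers (e.g. a leaked
    customer list). Against a keyed pseudonym this fails without the key."""
    for c in candidates:
        if unkeyed_hash(c) == digest:
            return c
    return None


if __name__ == "__main__":
    vault = PseudonymVault()
    # Constructed record, not real personal data.
    rec = vault.pseudonymize({"email": "Jane.Doe@example.com", "country": "DE"})
    print("pseudonymized:", rec)
    print("vault can re-identify:", vault.reidentify(rec["email"]))
    leaked = ["alice@example.com", "jane.doe@example.com"]
    print("unkeyed hash reversed:", dictionary_attack(unkeyed_hash("jane.doe@example.com"), leaked))
    print("keyed pseudonym reversed:", dictionary_attack(rec["email"], leaked))
```

The pseudonym is deterministic on purpose so that analytics can still count events per subject; if that linkage is not needed, a random token stored only in the vault removes even the ability to correlate records. Rotating the key re-pseudonymizes the whole dataset, which is the lever to pull if the vault is ever suspected of compromise.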
- Incident Response Plan (IRP):
A mature IRP addresses the phases of preparation, identification, containment, eradication, recovery, and lessons learned. But what if, during an incident, it is identified that personal data may have been breached?
Well, GDPR has requirements for your organization’s incident response, and the breach notification requirements are among the most notable in the regulation. Under GDPR, “In the event of a potential data breach that involves personal information, an organization must notify the Data Protection Authority without undue delay, within 72 hours if feasible, after becoming aware of the breach; and Communicate high-risk breaches to affected data subjects without undue delay” (GDPREU.org). The 72-hour clock starts when the controller becomes aware of the breach, so the identification phase of the IRP needs a defined hand-off to the privacy team; a processor, for its part, must notify its controller without undue delay after becoming aware of a breach.
- Third-Party Risk Management
If an organization entrusts the processing of personal data to a processor or sub-processor, and a breach occurs, who is liable?
Quick answer: Liability for all!
Processors are bound by their controller’s documented instructions. However, GDPR also obligates processors to take an active role in the protection of personal data. Regardless of instructions from the controller, the processor must itself comply with GDPR and can be liable for incidents involving loss of or unauthorized access to personal data. Sub-processors must likewise comply with GDPR under the contractual terms agreed between the processor and sub-processor, and a processor that engages a sub-processor remains fully liable to the controller for that sub-processor’s obligations.
As you can see, GDPR compliance is just as important for third-party relationships as it is internally, as long as those third parties process, store, or transmit the personal data of EU data subjects.
- Policy Management
While this is the last concept covered in this post, it’s my personal favorite.
Policy is the teeth, the hammer, and an “accountability partner” for the security controls discussed above.
To be effective, policy needs enterprise-wide buy-in so that security controls are managed and updated in an ever-changing cyber security environment. As a best practice, policy acknowledgement and training ensure that policies are properly communicated and understood.
Put together, and managed and followed accordingly, policy management is the foundation of GDPR readiness.
The Take Away
As you can see, GDPR compliance is more than checking a box. If you process the personal data of EU data subjects, you are days away from GDPR taking effect.
Take the time to explore the security controls you have in place to support GDPR requirements and to ensure personal data is accounted for, protected, and processed correctly.
Don’t fret, GDPR compliance is exciting! Be proud to protect personal data!
Lead Privacy Analyst