This blog post is based on our recent webinar given by Security Analyst Ben Christensen: The State of GDPR: FAQs and Best Practices. Continue reading to learn what was covered!
GDPR news and updates
The General Data Protection Regulation (GDPR) was adopted on April 14, 2016 and was enforceable as a regulation starting on May 25, 2018. May 25th has come and gone. So what is the state of GDPR compliance now?
In the highly publicized cases of Google and Facebook, there have been large lawsuits and fines. With fees totaling upwards of 9.3 billion dollars, these situations may well serve as precedent for future non-compliance and data breach infractions down the road.
The Information Commissioner's Office (ICO) of the UK is clearly taking action against organizations that fail to protect users’ information. They have already issued a first GDPR notice to Aggregate IQ Data Services (AIQ), which was connected to the Facebook-Cambridge Analytica data scandal.
From a data protection perspective, the fact that someone is enforcing the protection and regulation of personal data is a positive thing. It can only be good for the industry as a whole. For individual businesses, GDPR may feel like a burden, but overall it should unify data privacy laws and practices.
So clearly, GDPR is relevant, and there is an immediate need to have GDPR explained. Affected businesses should be aware of its requirements and actively work towards GDPR compliance. We polled webinar attendees about their GDPR readiness, and 153 responded. Out of those respondents, 45% said that GDPR is a “high priority” at their organization, yet only 8% of respondents answered that they were “extremely prepared” for GDPR requirements.
Who does GDPR affect?
Any organization operating in or across the EU or any org processing personal data from EU natural citizens.
Why should you care?
GDPR can affect you. There are associated fines, and it appears that the ICO is taking action. It is in your best interest to know where you stand.
Where does your business fit into GDPR?
Are you a data controller or a data processor? It is possible to be both. You could also be a “joint controller,” which is when one data controller works with another data controller.
How does GDPR compare to other data security standards, like PCI DSS?
We polled organizations to ask them what other mandates they comply with in addition to GDPR. The majority of respondents (88%) answered that they were complying with the PCI DSS.
GDPR is more privacy focused than other major data security standards. It includes a lot of the same steps and controls that other data security standards, like PCI DSS, have. But GDPR requirements may not fit within the traditional network architecture that protects payment card data. Since GDPR covers any personally identifiable data, it has a much larger scope.
GDPR best practices
The number one action you should take now? Do your data mapping. Know what type of data you have, where it travels internally, and how it comes into your organization in the first place. You need to know how it’s stored and whether it’s protected, both when sitting on servers and in transit.
You should create data flow diagrams, pictures, and illustrations of your data that are easy to look at and comprehend by people in different departments. This will put you on the fast path to having GDPR explained and managed at your company.
Also, you need to know where your processes might have gaps. Maybe your processes address other data security aspects, but not privacy.
Policies and procedures
People usually have some procedures in place from HIPAA, PCI DSS, or a SOC audit. Those procedures can be a good starting place for GDPR. But, you might not yet have GDPR-specific policies and procedures. We also see organizations that have very high-level procedures like “we will follow GDPR” but lack documented steps to follow through. Some examples of GDPR-specific policies include:
- How to handle an incident or a breach
- How to fulfill a data request from an individual
- How to protect retained data
Make sure to perform a walkthrough to see that these policies are effective.
Legal basis to process data
If you don’t document it, it won’t happen. Document what you’re doing with data, the decisions you’ve made about it, and the basis for making those decisions.
Consent from data subjects
If your legal basis for retaining data is consent, make sure you get it. Under GDPR, you need clear consent to process personal data. Your notice document should explain to data subjects why you will retain their data and how you will use it. It has to be easy to understand and written so that data subjects know what they’re agreeing to when they click “yes.”
Privacy notices are known for being dense and hard to read. GDPR privacy information needs to be more transparent and easy to understand.
Whether you use a pop up or an on-page notice, it’s helpful to include easy-to-read bullet points that clearly explain the most important points about why you’re keeping their data and what you’re using it for.
Always think from the data subjects’ perspectives. That helps you understand how you need to design and tweak things.
Data subject access requests (DSAR)
According to GDPR, individuals have a right to be informed by an organization which is processing their personal data. If the organization is processing an individual’s data, it must also tell the individual:
- Which personal data is being processed
- For what purpose the personal data is being processed
- To whom the personal data is disclosed
- The extent to which the data is being used for the purpose of making automated decisions related to the data subject, and the logic used for that purpose
The time limit to fulfill a DSAR is 30 days. One month might seem like a lot, but it can go by quickly, especially if you’re not ready or you’re working with multiple vendors. Make sure your processes are efficient and you can handle incoming requests in a timely manner.
Data protection by design and default
The “data protection by design and default” requirement is a big deal. It’s not just one requirement; there are many steps and controls implied in that one little phrase. Make sure you know what it means for your organization’s environment.
We recommend using data protection impact assessments. You may or may not be legally required to complete a data protection impact assessment, but regardless of whether you do or not, doing so supports data protection “by design and default.”
Data protection impact assessments will help you recognize when you’ve changed data processes, and understand how those changes might impact your data flows as well as the rights of the data subjects whose data you hold. When it comes to changes in process, if you can understand the impact and the controls together, you’ll stand a better chance of understanding what your posture is. You can then better fill in gaps and bolster security.
Contracts and agreements
Most organizations have contracts with third parties. Make sure those contracts are clear and include GDPR language so you understand each party’s role as data processor or controller.
What are your obligations to each other? Who fulfills access requests? What about breaches? Should a data subject call you? Or the controller? Make sure you know what should happen if there’s a problem because at that point, anyone could be on the hook. After a serious breach or mishandling of personal data has already occurred, it’s unlikely that the ICO is going to accept ignorance as an excuse.
Data protection officers
You may or may not be required to assign a Data Protection Officer (DPO). But whether you need one or not, we recommend you have someone who is generally in charge of GDPR at your company. See GDPR Articles 37-39 for the DPO requirements.
Data breach procedures
You should have an incident response plan ready to go. You may want to seek legal counsel, whether your own or a third party. We are data security experts but at the end of the day, run things by legal counsel.
Our main takeaway for GDPR preparedness?
Document, document, document. Have your documentation ready to go. Start data mapping now. You need to have at least something on file. Start by writing down what you’re doing with data, and what the job roles are surrounding data processing.
If you can’t do anything else at the moment, start your data mapping. Then move on to a risk analysis and a gap assessment.
Webinar attendees were also polled about whether or not they were planning to use a third party to help meet GDPR requirements.
- 71% said they’d do it themselves
- 21% said they’d hire outside help
- 6% said they aren’t worried about GDPR
Your questions about GDPR explained.
Q: How does data collected for a purchase of a product differ from data in general when someone visits a website with session storing? We need customer data and information for sales and business records. Is that data something the customer has the right to ask us to delete?
A: There are many different data collection scenarios, specific to your environment. From a data subject perspective, if I go to a website and purchase some goods and services, and put in my email, for example, then yes, I’d think it’s clear cut that they could ask you to delete that. But if you’re asking about session data, you’d have to think, “Is this personal data? Can they be individually identified somehow with session IP, logs, etc.?” If so, then yes, they could possibly ask to have that deleted.
Whether you decide that a certain type of data can or can’t be deleted, you should document your reasons why. Anything that identifies a data subject, directly or indirectly, is considered personal data under GDPR. You should document the type of information you have and what scenarios could happen. That way you’ll be ready in case you would possibly need to delete that data.
Q: What about the new California digital privacy law? Sounds like it’s similar in some aspects to GDPR. Maybe you can give us some insight into how the new California initiative is the same or different from GDPR.
A: The new California digital privacy law is a big topic in the news in the US. Personally, I think more data privacy regulations are needed and probably coming. This California law is new and there are a few similarities between it and GDPR. Like GDPR, the new law is focused on data subject rights. This may become a trend, with more states passing data privacy legislation more in the vein of GDPR. Therefore, GDPR can help us prepare for those coming regulations and be on the forefront of such developments.
Q: How are you determined to be a data controller or processor? How are they treated differently? Can you give an example of each?
A: Per the GDPR, a data controller determines the purposes and means of the processing of personal data. A data processor processes personal data on behalf of the controller. In the case of employees and employers, if you’re the employer, you would be the data controller for your own employees’ data. You determine what data you need and why you need it. A data processor would be a third party, like an HR or payroll service. They are processing data on behalf of the employer. You need to know: are you a processor, a controller, or both?
Q: Where do people start with data mapping? Are there templates?
A: Data mapping is probably the most important takeaway at this point. As with any data security initiative, you need to know where the data you want to protect is. The simple steps I’ve used are: first, gather information. You can send out a survey that asks department heads where they store personal data and gives examples of what kind of data you’re interested in. Meet with employees in person if needed.
From there, you can define and list your data containers.
Then, start drawing. Diagram your basic data flow and build on that. The key is to work with many different members of your organization to have a better view of where all the data is. Every year, at least, refine your diagram and reassess the data.
Q: Does SecurityMetrics specifically have templates for policies and procedures, documents to evaluate GDPR readiness, or a GDPR checklist?
A: Yes we do. We have developed documents and templates that can help. These documents serve as important starting points for many organizations. As a GDPR implementation consultant, we are certified to advise on the data security aspects surrounding GDPR.
Q: You mention “data privacy by design and default.” Which article in the GDPR contains this requirement?
A: Article 25 contains the “data privacy by design and default” idea. This article talks about the controller and other parties needing appropriate technical and organizational measures. It doesn't explain in detail what that really means; you need to intuit what that means for you. If this is a challenge for you, you should contact a data security expert.
Q: Is there a way to know if third parties are GDPR compliant? Is there a central location where you can look up other companies’ compliance?
A: There is not a central location to check on the GDPR compliance of companies. In fact, there is no official compliance certificate or certification for GDPR (unlike with the PCI DSS). But, SecurityMetrics does offer services such as checklists that you can use to help meet certain requirements. You can then use the checklists as evidence of your GDPR compliance efforts.
Q: If we have a unique ID for a customer without their personal information, does it have to be managed in the same way as personal data?
A: Go back to the definition of personal data (data that directly or indirectly identifies an individual). Does a username do that? It depends. If all you have is the ID, can you put it together? If you can do that, then the answer is yes. If not, make sure to document why you believe you can’t. Always document your business reasons and decisions.
Q: How is the EU regulating GDPR? Have any US companies been fined for GDPR noncompliance?
A: It’s a little up in the air regarding who’s going to be the ultimate authority on GDPR: is it the ICO, or other governing bodies? We do know the ICO is fining organizations. Enforcement is happening. But we haven’t seen these cases go to court yet, so we will know more in the future.
Ben Christensen (CISA, QSA) has worked in the IT sector for over 20 years. He currently performs security assessments for merchants and service providers looking to become PCI compliant. He is also leading SecurityMetrics’ GDPR efforts in developing product offerings and documentation. He has been a Security Assessor for SecurityMetrics for over 2 years, lending his extensive knowledge of the IT industry in performing assessments for clients who wish to achieve PCI compliance.