What You Need to Know About the EU General Data Protection Regulation (GDPR)
The EU’s General Data Protection Regulation (GDPR) applies to any organization (operating in or out of the EU) that processes personal data, also known as personally identifiable information (PII), of EU citizens, whether that organization is a cloud-storage service, university, hospital, merchant, etc.
In this white paper, you will learn how GDPR compliance impacts you, the basics of GDPR requirements, and GDPR compliance best practices.
WHAT IS THE GDPR?
The GDPR is meant to unite and harmonize privacy laws across the EU, protect and empower EU citizens with data privacy, and impose new requirements on organizations handling personal data. Before the GDPR, different businesses throughout the EU did slightly different things for data protection.
After four years of preparation and debate, the GDPR was approved by the EU parliament on April 14, 2016, replacing the 1995 EU Data Protection Directive. GDPR went into effect 20 days after being approved and has been directly applicable for all member states since May 25, 2018. Since then, organizations that are not following the GDPR potentially face severe fines.
Supervisory authorities (SA) are the entities responsible for GDPR enforcement and for issuing non-compliance fines. A supervisory authority is an independent public authority established by a member state to represent the people and oversee/monitor businesses. The Information Commissioner’s Office in the UK is an example of a supervisory authority.
WHO DOES THE GDPR AFFECT?
The GDPR applies to any organization that handles the personally identifiable information (PII) of EU citizens, whether that organization is in North America, Europe, or somewhere else in the world.
PII is data kept by an organization which can be used to “distinguish or trace an individual’s identity.” PII could include names, birth dates, birth places, mothers’ maiden names, addresses, emails, IP addresses, or social security/insurance numbers, such as UK National Insurance Numbers (NINO). “Linked PII” is any information that is linkable to an individual, like educational, medical, employment, or financial information. PII also includes payment card details such as the magnetic card stripe (also known as track data) and primary account numbers (PAN).
Since the GDPR applies to the personal data of all EU citizens, businesses in the UK who process EU citizen data post-Brexit will still need to follow its mandates whether or not the UK retains GDPR after Brexit is complete.
You also need to know what type of organization you are considered under GDPR compliance, since your GDPR responsibilities might vary slightly based on whether you’re a data controller or processor:
Data Controller: Entities or individuals that need to process personal data in order to do business. They determine the purposes for which and the manner in which the personal data is processed.
Data Processor: Processors take and/or process personal data on behalf of the Controller.
WHY COMPLY WITH THE GDPR?
The GDPR guidelines state that an entity can face fines of up to €20 million or 4% of its Global Annual Turnover (i.e., revenue), whichever is greater. This is the maximum fine that can be imposed for serious violations (e.g., insufficient customer consent to process data, violation of the core “Privacy by Design” concepts).
According to article 28, there is a tiered approach to fines. A company can be fined 2% of annual global turnover for not having their records in order, 2% for not notifying the supervising authority and data subject about a breach, and 2% for not conducting an impact assessment.
It is important to note that these fines apply to both controllers and processors; for example, data cloud services will not be exempt from GDPR enforcement.
WHEN DO YOU NEED TO WORRY ABOUT GDPR?
We still don’t know what types of organizations the governing bodies will go after, or how aggressively. However, since May 2018, they can fine organizations for non-compliance.
If your company has poor security practices that endanger personal information, it makes sense that you could get in trouble under these EU laws and regulations, especially if you are breached. On the other hand, if your company takes data security seriously and is actively moving towards alignment with the GDPR or other data security standards, you will naturally fare better.
INTRODUCTION TO GDPR REQUIREMENTS
Here are a few key GDPR requirements you should know about:
Breach notification: Data controllers must report personal data breaches no later than 72 hours after they are aware of the breach.
Consent: Consent must be obtained from individuals for processing personal data.
Data Protection Officers (DPO): Appointing DPOs will be mandatory for companies that are public authorities, process high volumes of personal data, or process special categories of personal data.
Data subject access requests (DSAR): The time limit to comply with DSAR has been reduced from 40 days to one month.
Privacy by design: Products, systems, and processes must consider privacy-by-design concepts during development.
Privacy Impact Assessments (PIA): PIAs must be carried out in certain situations.
Privacy notices: Privacy notices must be more transparent, using clear and plain language, and easily accessible.
Profiling: An individual has the right to not be subject to profiling, and profiling for marketing purposes will always require explicit consent.
Record keeping: Each data controller must keep a record of processing activities.
Right to portability: Users may request a copy of personal data in a portable format.
Right to erasure: Data subjects have the right to request for their data to be deleted.
Right to object: Individuals should be advised that they have the right to opt out of direct marketing.
Some aspects of the GDPR are easier to interpret than others. For example, the GDPR says that data owners are required to have an opt-in choice presented to them before a company can begin storing, processing, or transmitting their personal information. It’s easy to determine whether that requirement has been met or not.
On the other hand, the GDPR states, “protect your data by design and default.” With this requirement, it’s difficult to know if you’re perfectly compliant because it alludes to a lot of data security practices.
Even though GDPR compliance isn’t currently as well-defined as a standard like the Payment Card Industry Data Security Standard (PCI DSS), it’s important to be aware of and implement reasonable data security best practices. It’s impossible to say with absolute clarity that an entity is absolutely compliant with GDPR because associated testing procedures are not specifically defined yet. Currently, various supervisory authorities are working on checklists and similar guidance, which indicates that there will likely be more specific audit protocols as time goes on.
For the time being, you can actively and carefully address GDPR regulations, document your efforts, collect your results, and show risk analysis/assessment results.
One of GDPR’s primary purposes is to help organizations protect individuals’ data, ensuring that organizations improve their data security.
CONSENT TO PROCESS DATA
Gathering data needs to be an opt-in process, not automatically collected or inferred (e.g., statements that if one enters data they consent to have that data processed).
Make sure your process follows this opt-in model. Make modifications as necessary to make it a clear opt-in choice for individuals, and record this choice in logs. This choice can’t be slipped into a big terms-and-conditions statement; it needs to be separate. You need to have clear and concise privacy notice documentation available to all individuals. Privacy notice documents should include your lawful basis to gather and process data, the type of data being collected, the retention period of the collected or processed data, and should state who the data will be shared with.
For children under the age of 16, consent has to be verifiable, with processes in place to verify an individual’s age. Your privacy notice must be written in simple language that children will understand. You’ll also need to obtain parental or guardian consent for any data processing activity.
COMMUNICATING PRIVACY INFORMATION
GDPR has some core principles on communicating with those you obtain PII from. This could be directly to an individual who is giving you their PII or to an entity that provides you with previously collected PII.
These principles center around clear communication to data owners on what data you are getting, why you need it, and how it will be treated (including your data retention periods and how data will be deleted/destroyed). This communication is required to be transparent, using clear and plain language, and easily accessible to your customers. This communication will need to explain topics such as your lawful basis for getting their data, how long it will be kept, and what their rights are regarding the data you are processing or storing.
According to the GDPR, an individual’s rights include:
Right to be informed: Data subjects have the right to know about the collection and use of their personal data.
Right of access: Individuals have the right to access their personal data and verify the lawfulness of the data processing.
Right of rectification: Individuals have the right to have their personal data rectified if it’s inaccurate or incomplete.
Right to portability: Users may request a copy of personal data in a portable format that can be transferred to another entity (e.g., CSV file).
Right to erasure: Data subjects have the right to request for their data to be deleted.
Right to object: Individuals should be advised that they have the right to opt out of direct marketing.
Right not to be subject to automated decision-making including profiling: An individual has the right to not be subject to profiling, and profiling for marketing purposes will always require explicit consent.
There are some exemptions to an individual’s rights. For example, there are legal and legitimate reasons that organizations could be allowed to keep data beyond retention periods, even if a data subject exercises their right to erasure: an organization may be required to hold records for the IRS, HIPAA requirements, PCI requirements, or legal cases. In these cases, the organization would obviously need a legal basis for keeping such data.
It’s best to consult with legal counsel to understand your business’s unique position.
SUBJECT ACCESS REQUESTS
In most cases, you’ll not be able to charge individuals for complying with a request to access information. You’ll need to comply with a data subject access request (DSAR) within one month. If you handle a large number of access requests, consider how to deal with requests more quickly (e.g., a portal for public access).
You can refuse or charge for requests that are manifestly unfounded or excessive. If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay, within one month of the refusal/charge.
Consider whether it’s possible to develop systems that allow individuals to access their information easily online.
BREACH NOTIFICATION
A PII data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Supervisory authorities must be told within 72 hours of when the controller becomes aware of a data breach, where feasible, and unless the controller can demonstrate that the breach is unlikely to result in risk to the rights of the data subject. Controllers may also give reasons for delay, if applicable. If individuals face an adverse impact, you should contact those individuals directly.
Failure to report a breach when required to do so could result in a fine, in addition to the fine for the breach itself.
This is why you need to establish policies and procedures to detect, report, and investigate a personal data breach. You could start to address this by creating an incident response plan. A well-executed incident response plan can minimize breach impact, reduce fines, decrease negative press, and help you get back to normal operations more quickly. Without an incident response plan, employees scramble to figure out what they’re supposed to do, and this is when mistakes can occur.
INCIDENT RESPONSE PHASES
An incident response plan should be set up to address a suspected data breach in a series of phases with specific needs to be addressed. The incident response phases are:
- Phase 1: Prepare
- Phase 2: Identify
- Phase 3: Contain
- Phase 4: Eradicate
- Phase 5: Recover
- Phase 6: Review
INCIDENT RESPONSE PHASE TIMELINE
PHASE 1: PREPARE
Preparation often takes the most effort in your incident response planning, but it’s by far the most crucial phase to protect your organization. This phase includes the following steps:
Ensure your employees receive proper training regarding their incident response roles and responsibilities
Develop and regularly conduct tabletop or full simulation exercises (i.e., incident response drill scenarios) to evaluate your incident response plan
Ensure that all aspects of your incident response plan (e.g., training, hardware, and software resources) are approved and funded in advance
PHASE 2: IDENTIFY
Identification (or detection) is the process where you determine whether or not you’ve actually been breached by looking for deviations from normal operations and activities.
An organization normally learns they’ve been breached in one of three ways:
The breach is discovered internally (e.g., review of intrusion detection system logs, alerting systems, system anomalies, or anti-virus scan malware alerts).
Law enforcement discovers the breach while investigating the sale of stolen personal information.
A customer complains to you because your organization was the last place they used their personal information before it was used in fraudulent ways.
PHASE 3: CONTAIN
When an organization becomes aware of a possible breach, it’s understandable to want to fix it immediately. However, without taking the proper steps and involving the right people, you can inadvertently destroy valuable forensic data. Forensic investigators use this data to determine how and when the breach occurred, as well as devising a plan to prevent similar future attacks.
When you discover a breach, remember:
Don’t make hasty decisions
Don’t wipe and reinstall your systems (yet)
PHASE 4: ERADICATE
After containing the incident, you need to find and eliminate policies, procedures, or technology that led to the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.
Whether you or a third party do this, you need to be thorough. If any trace of malware or security issues remain in your systems, you may still be losing sensitive data (with your liability increasing).
PHASE 5: RECOVER
Recovering from a data breach is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get your systems and business operations up and running again as quickly as possible.
After the cause of the breach has been identified and eradicated, you need to ensure all systems have been hardened, patched, replaced, and tested before you consider reintroducing the previously compromised systems back into your production environment.
PHASE 6: REVIEW
After the forensic investigation, meet with all incident response team members and discuss what you’ve learned from the data breach, reviewing the events in preparation for the next attack.
This is where you will analyze everything about the breach. Determine what worked well and what didn’t in your response plan. Then revise your incident response plan.
No one wants to go through a data breach, but it’s essential to be prepared for one.
GDPR SECURITY REQUIREMENTS AND BEST PRACTICES
DATA MAPPING AND TRACKING
The first step in your GDPR compliance effort should be to discover and document all of the PII data that flows into and out of your organization.
Data discovery and mapping is a basic principle of all data security efforts; you can’t protect what you don’t know is there. This process consists of assigning a person or a group with the task of going through all departments/groups in a company and searching for PII with various tools, conducting interviews, reviewing documents, mapping software data flows, etc. You’ll also want to run data discovery software to fully map out where data is being stored. For example, SecurityMetrics PIIscan can assist in this process.
Once you know what PII you get, where it flows and where it may be stored, it’s critical to document all of this information in the form of network diagrams, data flow diagrams, and process descriptions. Often people are surprised how much data they have and where it is used and by what groups in a company.
DATA PROTECTION IMPACT ASSESSMENTS
Data protection impact assessments (DPIA) are essentially a formal risk assessment process (similar to those defined in ISO 800-30). This risk assessment will use information gathered from your data mapping exercise as well as information about all the systems and networks used to process data.
This process is critical to implementing a “data protection by design and default” philosophy, which will be discussed later. In addition, any hardware, people, processes, and conditions that could represent a risk to this data processing will have to be evaluated. For example, if you use Linux servers, there will be specific risks involved with the various software versions and even the hardware platforms used. To be complete, the assessment would also include risks such as power loss or physical damage to a facility, though you may want to focus first on risks of data loss or corruption.
You’ll also want to review or redo the DPIA when there’s a potential change in risk represented by new or changed processing operations, specifically to risks that might affect the rights and freedoms of data subjects, including:
A new technology being deployed
A profiling operation likely to have a significant impact on individuals
When there’s large scale processing of special categories of data
DATA PROTECTION OFFICERS
Data protection officers (DPO) are responsible for data protection compliance and need to have knowledge and experience, organizational support, and the authority to carry out their role effectively. You must appoint a data protection officer if you are:
A public authority or body (except for courts acting in their judicial capacity)
An organization carrying out regular and systematic monitoring of data subjects on a large scale
An organization processing special data categories on a large scale, like health records (as detailed in Article 9), or personal data relating to criminal convictions and offenses (as detailed in Article 10)
Even if you don’t fall into one of these categories, it’s highly recommended to appoint/designate a data protection officer.
For US-based companies (without a physical presence in the EU), this requirement gets a bit trickier, since this representative should be located in the EU, but more information will likely be released in the future to address such concerns.
DATA SECURITY BEST PRACTICES
The concept of “data protection by design and by default” leads to the need for security controls placed on your systems, processes, and individuals that deal with PII data.
Based on security best practices, here are a few of the major areas that will need your attention:
Remote Access Security: If you use remote access, make sure to implement adequate security, such as multi-factor authentication and proper firewall configuration.
Web Application Security: You should perform application security assessments and/or implement web application firewalls (WAFs) in front of public-facing web applications to monitor, detect, and prevent web-based attacks.
Firewall Security: Firewalls can restrict incoming and outgoing network traffic through rules and criteria configured by your organization. Firewalls should be configured to restrict inbound and outbound traffic to just that which is necessary for business (this does not mean allowing all ports outbound simply because it is convenient).
Wireless Network Security: Security best practice is to set up your Wi-Fi with Wi-Fi Protected Access II (WPA2), as well as making sure to segment guest and non-guest wireless networks with a firewall if you offer Wi-Fi to customers. Make sure to regularly scan for rogue wireless access points.
Password Policies: Secure passwords should have at least 10 characters including an upper- and a lower-case letter, a number, and a special character.
Malware Prevention: Antivirus or anti-malware software needs to be installed on all systems commonly affected by malware. Make sure anti-virus programs are updated on a regular basis to detect known malware. Also consider installing proactive, comprehensive security systems dedicated to monitoring system irregularities, such as intrusion detection systems (IDS), and data loss prevention (DLP) tools.
Physical Security: The best way to control physical threats is through a physical security policy that includes all rules and processes involved in preserving onsite business security. If you keep confidential information, products, or equipment in the workplace, secure these items in a locked area. If possible, limit outsider access to one monitored entrance, and (if applicable) require non-employees to wear visitor badges at all times.
Penetration Testing: A penetration test is an exhaustive, live examination designed to discover and exploit weaknesses in your system. These weaknesses are then reported with suggestions for remediation actions. Organizations should regularly perform penetration tests (e.g., yearly and after major network changes).
Pseudonymisation (e.g., PII data encryption): A process that transforms personal data in such a way that the resulting data can’t be attributed to a data subject without the use of additional information (e.g., encryption, data separation).
File Integrity Monitoring (FIM): FIM systems are designed to alert you when changes to important files have been made (and are often more effective than anti-virus software). You should regularly review and monitor logs generated by your FIM software (e.g., at least daily).
Security Training: Employees should receive regular training about GDPR and security best practices, especially for implementation teams working on networks and systems dealing with PII. Security training is your best defense against phishing and social engineering.
Patching: Patching is keeping software on systems up to date, particularly for all critical components in your GDPR flow pathway (e.g., Internet browsers, firewalls, application software, databases, operating systems).
Vulnerability Scanning: A vulnerability scan is an automated, high-level test that looks for and reports potential known vulnerabilities. Make sure to regularly run and analyze both internal and external vulnerability scans covering all of your internal and external ports, looking for exploitable vulnerabilities.
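The pseudonymisation item in the list above, as an added example in Python (not code from the white paper or from SecurityMetrics): direct identifiers are replaced with keyed HMAC tokens, and the secret key plus the token-to-value map are the “additional information” held in a separate store, so whoever holds only the pseudonymised dataset cannot attribute a record to a person. The field names, the `SeparateStore` class and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Fields this example treats as direct identifiers (an assumption; the
# white paper names emails and National Insurance Numbers among PII).
DIRECT_IDENTIFIERS = ("email", "nino")


class SeparateStore:
    """The 'additional information' that must be kept apart from the
    pseudonymised dataset: a secret HMAC key plus a token -> value map.
    Whoever holds only the dataset cannot attribute a record to a person."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.reverse: Dict[str, str] = {}

    def pseudonym(self, value: str) -> str:
        """Keyed, deterministic token. The same value always maps to the same
        token under this key, so pseudonymised records can still be joined,
        but without the key the token cannot be matched against guessed inputs
        (unlike a plain, unkeyed hash of an email address)."""
        normalised = value.strip().lower().encode("utf-8")
        token = hmac.new(self.key, normalised, hashlib.sha256).hexdigest()
        self.reverse[token] = value
        return token


def pseudonymise(records: Iterable[dict], store: SeparateStore) -> List[dict]:
    """Return copies of `records` with direct identifiers replaced by tokens.
    Non-identifying fields (dates, amounts) are left in place for processing."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            if copy.get(field) is not None:
                copy[field] = store.pseudonym(str(copy[field]))
        out.append(copy)
    return out


def reidentify(records: Iterable[dict], store: SeparateStore) -> List[dict]:
    """Restore identifiers. This only works with the separately held map;
    a store without that map leaves the tokens unchanged."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = copy.get(field)
            if token in store.reverse:
                copy[field] = store.reverse[token]
        out.append(copy)
    return out


def unkeyed_hash(value: str) -> str:
    """What NOT to use as a pseudonym: anyone can recompute it from a guess."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample data; not real people.
    orders = [
        {"email": "Alice@Example.com", "nino": "QQ123456C", "order_total": 42.50},
        {"email": "bob@example.com", "nino": None, "order_total": 9.99},
    ]
    store = SeparateStore()
    safe = pseudonymise(orders, store)
    print("analytics copy:", safe)
    print("round trip:", reidentify(safe, store) == orders)
```

The analytics copy can be shared with teams that only need totals and dates, while the store (key and map) stays under separate access control and is the only way back to the individual.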
If you want to be serious about working towards GDPR compliance you’ll need to have documented evidence that your systems embody the principle of “data protection by design and by default”.
If you process large amounts of PII data, consider a full GDPR compliance assessment to make sure all proper security safeguards and technologies are in place.
GDPR compliance doesn’t have to be a confusing or impossible task. Break your GDPR compliance efforts into small, manageable pieces.
Start by understanding the flows of PII in your unique environment. Until you understand your flows, it’s impossible to understand exactly what must be secured and what business/security practices need to be altered. Most of your effort will likely be updating and/or generating new documentation and policies about how you receive and process personal data (e.g., privacy notices).
Remember, GDPR compliance is never completely finished. Your environment is constantly shifting with new changes to workforce, technology, and security processes. Because of this, now is an ideal time to rethink your data security and reduce your GDPR compliance workload.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security.