The European Union’s (EU’s) General Data Protection Regulation (GDPR) goes into full effect May 25, 2018, and it impacts any company, worldwide, that processes or stores personal data of EU residents. The new rules grant people more rights regarding how companies handle their personally identifiable information (PII), and it imposes heavy fines for non-compliance and data breaches--up to 4 percent of a company’s yearly revenue. The GDPR also requires that companies report data breaches within a 72-hour window. (See “General Data Protection Regulation (GDPR) requirements, deadlines and facts” for more specifics on the regulation.)
Even if you don’t do business with the EU, it’s likely to have impact on global security standards going forward. Consequently, companies working in the EU or with GDPR-impacted data are quickly trying to come into compliance ahead of time. For security teams, this means making sure that PII is adequately protected and that the proper reporting processes are in place.
As Brian Vecci, Technology Evangelist for Varonis says, “Most companies aren’t prepared at all. You’ve got companies sitting in the midwest of the United States, that because someone from the EU signed up for their newsletter, are suddenly subject to one of the most onerous privacy regulations ever. That’s what I so grand about the GDPR. It cuts across all verticals. It doesn’t just impact financial organizations, or hospitals. If you have PII from one of the 28 member states, then it impacts your organization.
For good or bad, GDPR does not define any specific data protection controls that an organization must follow. Each organization is allowed to determine, for itself, the necessary security controls for the collected data, confidentiality and risk.
Olivier Van Hoof, Pre-Sales Manager of Europe for Collibra says GDPR starts with data governance, “You’ve got to put a data governance platform in place before you can really begin to secure the data. It’s a lot more than just technically securing the data. Most organizations are beginning by looking at their business processes first, then looking at the logical processes that collect the data, and then to the physical data itself. GDPR is also about understanding that the data is really owned by the individual. You’re really just hosting the data.”
What does GDPR mean by “personal” data?
The definition of personal data under the GDPR is very broad, far more so than most other country’s current or previously existing personal data protections. It includes any information relating to a specific individual, whether that data is private, public, or professional in nature. It applies not only to names, addresses and financial information, but anything that could identify an individual (e.g., IP addresses, logon IDs, biometric identifiers, geographic location data, video footage, customer loyalty histories, social media posts and photos). If it is identifiable to a specific individual, it’s included.
The impact of the GDPR means that you not only are going to have to protect more types of data in the future, but expend more effort in identifying existing data that perhaps wasn’t considered PII before. Vecci says, “Before even if you had PII from one of the EU states, what you had collected might not have been considered PII in that country. Now, all of sudden starting in May, it is PII.”
GDPR-impacted companies will need to identify, to the best of their abilities, information that was not tracked or indexed before. For example, a recorded customer support call may need to be located, protected, tracked, and reported.
What are the new user rights for PII?
Documented “opt-in” consent must be given for every person (or their legal guardian). The consent must explicitly identify the data collected, what it is used for, and how long it will be kept. Further, participants can remove their consent at any time and request that their personal data be deleted (as long as they supply one of the approved reasons).
Under the GDPR, individuals may also control what happens with their PII. Besides the ability to request that it be deleted, they can get factual errors corrected, see what data of theirs is stored, and even export it for their personal review and use. These important rights are net new for most organizations.
Vecci sees most companies initially just trying to understand how big of an GDPR issue they have. They don’t know what they don’t know. They need to find out where the data is stored and whether it is covered by GDPR. Then they have to least-privilege protect it and track it. Luckily, my company Varonis has been doing exactly that since the beginning. We specialize in not only finding the data, but determining who has access to what, and whether they need access to the data. With other data protection regulations it was enough to keep the data safe from the outside. Now it has to be better secured on the inside, because Article 25 of the GDPR says the data has to be least privilege protected by design and by default. And you can’t do that without first understanding where it is and who can access it.”
How does the GDPR affect the structure of security teams?
The GDPR defines multiple roles with rules and responsibilities for each role. A data subject is an individual whose personal data is being collected. A data controller is the organization that collects the data. A processor is an organization that processes the data on behalf of a data controller. Controllers and processors must maintain written records of what data was collected, how it was appropriately collected, how it was used, and when it was disposed of.
Although great for data subject’s control and privacy, most companies do not already have these types of data protection tracking systems. Security teams will have to not only protect the data against traditional threats, but do so in a way that is transparent, documented, and retrievable to possibly large numbers of data subjects, all while maintaining strong security of the data. Every computer security team member will have to be trained in GDPR compliance and what it means to the organizations existing and future security controls.
Many of the participating enterprises, private and public, must have an official data protection officer (DPO). The DPO is a key figure in not only maintaining legal compliance to the GDPR, but needs the technical knowledge or staff to secure data and ensure business continuity. The DPO is expected to operate independent of the organization that employs him or her. The EU felt the DPO position was crucial enough that they issued a separate, more detailed 18-page document about the position.
The DPO position might seem a natural fit for a CSO, and it might be. CSO’s are certainly familiar with technical computer security requirements and controls, as well as interfacing with top management. But a DPO has to have a strong understanding of privacy and compliance requirements, which is typically better understand by chief privacy officers (CPO) or other privacy advocates. On the other hand, privacy officers may not understand the technical side of things. Smaller businesses, with much smaller management teams, may end appointing the employee with the “best fit”, like a comptroller, or even choose an external DPO, which may or may not work with other companies, as well. In all cases, the GDPR requires that the DPO be an independent auditor of compliance and be directly accessible to the data subjects, the complying organization, and GDPR supervisors. When data is collected from the subject, the contact details of the entity’s controller and DPO must be given.
Van Hoof says, “Most large European companies have already hired DPOs, but I’ve seen outsourced DPOs or shared DPOs by smaller and medium-sized businesses.”
Data protection and processing records must be kept and made available for routine and regular inspection, not only by auditors, but by individual data subjects. How will a complying entity ensure that the records are available for individual private inspection, while at the same time kept secure from unauthorized viewers? Will each individual subject require a new identity management tracking and access control system, for what could be potentially millions of data subjects? Probably, at the very least. Or could an organization meet the GDPR requirements by simply printing out an individual’s records and mailing a hard copy to them? These are the important details the DPO, management and security team must work out.
[Related: What are the GDPR requirements?]
National data protection authority
Each participating country (also known as a member state) has a national data protection authority (DPA). DPAs are responsible for determining compliance and enforcing relevant laws at a national level, but are required to be very independent, even of their nation’s own government control. Tricky stuff.
Member states may have one or more national DPAs for complying entities to choose. Each entity can choose one DPA, which regulates GDPR compliance for the entire entity, regardless of how many member states the company operates in or derives its data from (something known as “one-stop-shop”). The “lead supervisor authority” has the ability to control data processing and protection happening in other member states. Some critics correctly note that companies operating in multi-member states may shop for the most flexible DPA with which to operate, much like they already do for lower taxation and organizational independence today.
Some experts aren’t sure how much benefit would be gleaned by “DPA shopping”. Van Hoof says, “You’re going to see a lot of coordination and communication among DPAs from the different countries. Although there are going to be some differences among DPAs in each country because of their local laws and regulations, 95 percent of what they do will be general and the same no matter what country.”
DPAs were established under a previous EU data protection law, but significantly strengthened under the GDPR. The DPAs are essentially the official regulators, and police in the GDPR scheme. The DPA helps decide on matters of law, and it can investigate companies for potential violations and hold controllers or processors legally responsible for GDPR violations and assess penalties. It also decides if an entity can transfer data outside of the EU, and if so, what protections must be applied. For a particular organization, their DPO is likely to be the primary contact to the DPA and vice-versa. Because of the inherent responsibilities, both the DPO, and especially the DPA, are likely to be composed of teams of people and not a single person.
If a data subject feels a violation has occurred they can contact either the DPO or DPA, which was selected by the involved company and communicated to the subject. This can be awkward in practice, as a controller’s or processor’s DPO or DPA may not be in the same country or speak the same language, as the subject.
Data breaches must be reported quickly
Personal data breaches (including theft, data loss, destruction, or adulteration) must be reported immediately, or at least within 72 hours, to the lead supervisor authority (i.e., DPA). The impacted individuals must be notified if an adverse impact is expected. However, if the data is appropriately encrypted or anonymized, and that ultimate protection has not been breached, then the individuals do not have to be notified.
Security teams are probably going to come under more pressure to make sure all PII data is appropriate encrypted or anonymized. Previously, encryption efforts were mostly focused on protecting portable devices which were deemed more at risk for misuse if lost, stolen, or exploited. GDPR compliance is likely to result in a rush for even greater data encryption across the enterprise, ensuring that that remains encrypted even if stolen, and anonymizing or making the data “pseudo-anonymous” whenever possible. CEOs and other C-level officers would love to hear that their reporting requirements for any possible data breaches are minimized.
Further, security teams will likely become under increased pressure to quickly determine if a data breach has resulted in a reportable event faster than ever. Seventy-two hours is a quick time window for many organizations, especially when trying to see if any fact can prevent the breach from having to be reported to impacted data subjects or the press.
How to prepare
It goes without saying that everyone in companies tasked with collecting, storing, processing, GDPR-impacted data should already be learning the basics of GDPR and what your company needs to do to prepare. Teams of people dedicated to GDPR preparation and compliance should be formed. Your company should probably create a custom document introducing the GDPR to impacted employees and customers, highlighting the areas for concern and improvement. Your most critical employees should be trained on GDPR and their knowledge tested.
If your company needs to have a GDPR data compliance officer, appoint someone or get hiring.
Next, assess your company’s readiness for GDPR compliance (e.g. people, tools, and processes), noting the areas for the most concern. Simply determining what data you already have that applies to the GDPR will be a big starting task. And how to contact those people and give the relevant required information? Most companies are going to need to create new systems to track data according to GDPR standards or modify existing systems.
Identify ahead of time what your company might have to do in the event of a personal data breach event. Seventy-two hours isn’t a lot of time. Who do you contact? Who contacts them? What information must you provide? Who and what determines whether data subjects have to be notified? Don’t let the first time you are figuring out how to respond to a GDPR personal data breach event be your first breach.
Of course, a whole multitude of companies are waiting for you to ask for their services or products.
The GDPR is a new gold standard in personal data privacy protection. Its efforts are to give data subjects more control over the data and to ensure the transparency of operations and protection than what has normally been done previously. It’s a wonderful thing for privacy protection, but a lot of work for those who are tasked to comply.
Van Hoof sees the GDPR as an opportunity for companies, “A lot of companies are seeing the GDPR as just another extra burden. Another cost. But I think it should be seen as an opportunity. Companies have been collecting data for a long time and aren’t even sure what data they have or whether they need it. They often don’t need it. GDPR will force them to re-examine why they collect the data, how long to retain it, how they process it, and overall be more efficient. It’s a chance to streamline not only the data but the processing around the data. It’s an oppo