This post contains the text from the white paper GDPR 101.
The EU’s General Data Protection Regulation (GDPR) applies to any organization (operating in or out of the EU) that processes personal data, also known as personally identifiable information (PII), of EU citizens–whether that organization is a cloud-storage service, university, hospital, merchant, etc.
In this white paper, you will learn how GDPR compliance impacts you, the basics of GDPR requirements, and GDPR compliance best practices.
The GDPR is meant to unite and harmonize privacy laws across the EU, protect and empower EU citizens with data privacy, and impose new requirements on organizations handling personal data. Before the GDPR, different businesses throughout the EU did slightly different things for data protection.
After four years of preparation and debate, the GDPR was approved by the EU parliament on April 14, 2016, replacing the 1995 EU Data Protection Directive. GDPR went into effect 20 days after being approved and has been directly applicable for all member states since May 25, 2018. Since then, organizations that are not following the GDPR potentially face severe fines.
Supervisory authorities (SA) are entities that will be responsible for GDPR enforcement and issuing non-compliance fines. A supervisory authority is an independent public authority established by a member state to represent the people and oversee/monitor businesses. The Information Commissioner’s Office in the UK is an example of a supervisory authority.
The GDPR applies to any organization that handles the personally identifiable information (PII) of EU citizens, whether that organization is in North America, Europe, or somewhere else in the world.
PII is data kept by an organization which can be used to “distinguish or trace an individual’s identity.” PII could include names, birth dates, birth places, mothers’ maiden names, addresses, emails, IP addresses, or social security/insurance numbers, such as UK National Insurance Numbers (NINO). “Linked PII” is any information that is linkable to an individual, like educational, medical, employment, or financial information. PII also includes payment card details such as the magnetic card stripe (also known as track data) and primary account numbers (PAN).
Since the GDPR applies to the personal data of all EU citizens, businesses in the UK who process EU citizen data post-Brexit will still need to follow its mandates whether or not the UK retains GDPR after Brexit is complete.
You also need to know what type of organization you are considered under GDPR compliance, since your GDPR responsibilities might vary slightly based on whether you’re a data controller or processor:
The GDPR guidelines state that an entity can face fines of up to €20 million or 4% of its global annual turnover (i.e., revenue), whichever is greater. This is the maximum fine that can be imposed for serious violations (e.g., insufficient customer consent to process data, violation of the core “Privacy by Design” concepts).
According to article 28, there is a tiered approach to fines. A company can be fined 2% of annual global turnover for not having its records in order, 2% for not notifying the supervisory authority and data subject about a breach, and 2% for not conducting an impact assessment.
It is important to note that these fines apply to both controllers and processors; for example, data cloud services will not be exempt from GDPR enforcement.
We still don’t know what types of organizations the governing bodies will go after, or how aggressively. However, since May 2018, they can fine organizations for non-compliance.
If your company has poor security practices that endanger personal information, it makes sense that you could get in trouble under these EU laws and regulations, especially if you are breached. On the other hand, if your company takes data security seriously and is actively moving towards alignment with the GDPR or other data security standards, you will naturally fare better.
Here are a few key GDPR requirements you should know about:
Some aspects of the GDPR are easier to interpret than others. For example, the GDPR says that data owners are required to have an opt-in choice presented to them before a company can begin storing, processing, or transmitting their personal information. It’s easy to determine whether that requirement has been met or not.
On the other hand, the GDPR states, “protect your data by design and default.” With this requirement, it’s difficult to know if you’re perfectly compliant because it alludes to a wide range of data security practices.
Even though GDPR compliance isn’t currently as well-defined as a standard like the Payment Card Industry Data Security Standard (PCI DSS), it’s important to be aware of and implement reasonable data security best practices. It’s impossible to say with absolute clarity that an entity is absolutely compliant with GDPR because associated testing procedures are not specifically defined yet. Currently, various supervisory authorities are working on checklists and similar guidance, which indicates that there will likely be more specific audit protocols as time goes on.
For the time being, you can actively and carefully address GDPR regulations, document your efforts, collect your results, and show risk analysis/assessment results.
One of the GDPR’s primary purposes is to help organizations protect individuals’ data, ensuring that organizations improve their data security.
Gathering data needs to be an opt-in process–not automatically collected or inferred (e.g., statements that if one enters data they consent to have data processed).
Make sure your process follows this opt-in model. Make modifications as necessary to make it a clear opt-in choice for individuals, and record this choice in logs. This choice can’t be slipped into a large terms-and-conditions statement; it needs to be separate. You need to have clear and concise privacy notice documentation available to all individuals. Privacy notice documents should include your lawful basis to gather and process data, the type of data being collected, and the retention period of the collected or processed data, and should state who the data will be shared with.
For children under the age of 16, consent has to be verifiable, with processes in place to verify an individual’s age. Your privacy notice must be written in simple language that children will understand. You’ll also need to obtain parental or guardian consent for any data processing activity.
GDPR has some core principles on communicating with those you obtain PII from. This could be directly to an individual who is giving you their PII or to an entity that provides you with previously collected PII.
These principles center around clear communication to data owners on what data you are getting, why you need it, and how it will be treated (including your data retention periods and how data will be deleted/destroyed). This communication is required to be transparent, using clear and plain language, and easily accessible to your customers. This communication will need to explain topics such as your lawful basis for getting their data, how long it will be kept, and what their rights are regarding the data you are processing or storing.
According to the GDPR, an individual’s rights include:
There are some exemptions to an individual’s rights. For example, there are legal and legitimate reasons that organizations could be allowed to keep data beyond retention periods, even if a data subject exercises their right to erasure: an organization may be required to hold records for the IRS, HIPAA requirements, PCI requirements, or legal cases. In these cases, the organization would obviously need a legal basis for keeping such data.
It’s best to consult with legal counsel to understand your business’s unique position.
In most cases, you’ll not be able to charge individuals for complying with a request to access information. You’ll need to comply with a data subject access request (DSAR) within one month. If you handle a large number of access requests, consider how to deal with requests more quickly (e.g., a portal for public access).
You can refuse or charge for requests that are manifestly unfounded or excessive. If you refuse a request, you must tell the individual why, and that they have the right to complain to the supervisory authority and to seek a judicial remedy. You must do this without undue delay, within one month of the refusal or charge.
Consider whether it’s possible to develop systems that allow individuals to access their information easily online.
A PII data breach is a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Supervisory authorities must be told within 72 hours of when the controller becomes aware of a data breach–where feasible, and unless the controller can demonstrate that the breach is unlikely to result in risk to the rights of the data subject. Controllers may also give reasons for delay, if applicable. If individuals face an adverse impact, you should contact individuals directly.
Failure to report a breach when required to do so could result in a fine, in addition to the fine for the breach itself.
This is why you need to establish policies and procedures to detect, report, and investigate a personal data breach. You could start to address this by creating an incident response plan. A well-executed incident response plan can minimize breach impact, reduce fines, decrease negative press, and help you get back to normal operations more quickly. Without an incident response plan, employees scramble to figure out what they’re supposed to do, and this is when mistakes can occur.
An incident response plan should be set up to address a suspected data breach in a series of phases with specific needs to be addressed. The incident response phases are:
INCIDENT RESPONSE PHASE TIMELINE
Preparation often takes the most effort in your incident response planning, but it’s by far the most crucial phase to protect your organization. This phase includes the following steps:
Identification (or detection) is the process where you determine whether or not you’ve actually been breached by looking for deviations from normal operations and activities.
An organization normally learns they’ve been breached in one of three ways:
When an organization becomes aware of a possible breach, it’s understandable to want to fix it immediately. However, without taking the proper steps and involving the right people, you can inadvertently destroy valuable forensic data. Forensic investigators use this data to determine how and when the breach occurred, as well as devising a plan to prevent similar future attacks.
When you discover a breach, remember:
After containing the incident, you need to find and eliminate the root cause, whether it is a policy, procedure, or technology that led to the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.
Whether you or a third party does this, you need to be thorough. If any trace of malware or security issues remains in your systems, you may still be losing sensitive data (with your liability increasing).
Recovering from a data breach is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get your systems and business operations up and running again as quickly as possible.
After the cause of the breach has been identified and eradicated, you need to ensure all systems have been hardened, patched, replaced, and tested before you consider reintroducing the previously compromised systems back into your production environment.
After the forensic investigation, meet with all incident response team members and discuss what you’ve learned from the data breach, reviewing the events in preparation for the next attack.
This is where you will analyze everything about the breach. Determine what worked well and what didn’t in your response plan. Then revise your incident response plan.
No one wants to go through a data breach, but it’s essential to be prepared for one.
The first step in your GDPR compliance effort should be to discover and document all of the PII data that flows into and out of your organization.
Data discovery and mapping is a basic principle of all data security efforts; you can’t protect what you don’t know is there. This process consists of assigning a person or a group with the task of going through all departments/groups in a company and searching for PII with various tools, conducting interviews, reviewing documents, mapping software data flows, etc. You’ll also want to run data discovery software to fully map out where data is being stored. For example, SecurityMetrics PIIscan can assist in this process.
Once you know what PII you get, where it flows and where it may be stored, it’s critical to document all of this information in the form of network diagrams, data flow diagrams, and process descriptions. Often people are surprised how much data they have and where it is used and by what groups in a company.
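One way to automate the PII search described above, as an added example that is not from the paper or from SecurityMetrics PIIscan: a small scanner that looks for the identifier types the paper lists (email addresses, IP addresses, payment card PANs validated with the Luhn check, UK NINOs) over constructed sample lines, and reports masked matches so the discovery report itself does not spread PII.

```python
import re

# Constructed sample lines standing in for files found during data discovery.
SAMPLE_LINES = [
    "customer: jane.doe@example.com signed up from 203.0.113.42",
    "card on file 4111 1111 1111 1111 exp 12/26",
    "order ref 1234 5678 9012 3456 (not a card)",
    "NI number AB 12 34 56 C for payroll",
    "nothing sensitive here",
]

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # 13-19 digits with optional space/dash separators; confirmed by Luhn below
    "pan": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    # simplified UK National Insurance Number shape: two letters, six digits, suffix A-D
    "nino": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates real PANs from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four characters so the report is safe to circulate."""
    return "*" * (len(value) - 4) + value[-4:] if len(value) > 4 else "*" * len(value)

def scan_line(line: str) -> list:
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(line):
            raw = m.group(0)
            # a digit run that fails Luhn (e.g. an order reference) is not a PAN
            if kind == "pan" and not luhn_ok(re.sub(r"[ -]", "", raw)):
                continue
            findings.append((kind, mask(raw)))
    return findings

def scan(lines) -> dict:
    """Map each PII kind to the (line number, masked value) pairs found."""
    report = {}
    for n, line in enumerate(lines, 1):
        for kind, masked in scan_line(line):
            report.setdefault(kind, []).append((n, masked))
    return report
```

Real data discovery also has to cover databases, backups, and file shares, and the regexes here are deliberately loose; treat hits as leads for the interviews and data-flow mapping, not as a final inventory.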
Data protection impact assessments (DPIA) are essentially a formal risk assessment process (similar to those defined in ISO 800-30). This risk assessment will use information gathered from your data mapping exercise as well as information about all the systems and networks used to process data.
This process is critical to implementing a “data protection by design and default” philosophy, which will be discussed later. In addition, any hardware, people, processes, and conditions that could represent a risk to this data processing will have to be evaluated. For example, if you use Linux servers, there will be specific risks involved with the various versions of software and even the hardware platforms used. To be complete, it would also include risks such as power loss or physical damage to a facility, though you may want to focus first on risks of data loss or corruption.
You’ll also want to review or redo the DPIA when there’s a potential change in risk represented by new or changed processing operations, specifically to risks that might affect the rights and freedoms of data subjects, including:
Data protection officers (DPO) are responsible for data protection compliance and need to have knowledge and experience, organizational support, and the authority to carry out their role effectively. You must appoint a data protection officer if you are:
Even if you don’t fall into one of these categories, it’s highly recommended to appoint/designate a data protection officer.
For US-based companies (without a physical presence in the EU), this requirement gets a bit trickier, since this representative should be located in the EU, but more information will likely be released in the future to address such concerns.
The concept of “data protection by design and by default” leads to the need for security controls placed on your systems, processes, and individuals that deal with PII data.
Based on security best practices, here are a few of the major areas that will need your attention:
If you want to be serious about working towards GDPR compliance you’ll need to have documented evidence that your systems embody the principle of “data protection by design and by default”.
If you process large amounts of PII data, consider a full GDPR compliance assessment to make sure all proper security safeguards and technologies are in place.
GDPR compliance doesn’t have to be a confusing or impossible task. Break your GDPR compliance efforts into small, manageable pieces.
Start by understanding the flows of PII in your unique environment. Until you understand your flows, it’s impossible to understand exactly what must be secured and what business/security practices need to be altered. Most of your effort will likely be updating and/or generating new documentation and policies about how you receive and process personal data (e.g., privacy notices).
Remember, GDPR compliance is never completely finished. Your environment is constantly shifting with new changes to workforce, technology, and security processes. Because of this, now is an ideal time to rethink your data security and reduce your GDPR compliance workload.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security.
https://www.securitymetrics.com/gdpr-defense