In the wake of data breaches, hacks and leaks of trust like those by Cambridge Analytica, user privacy has quickly become a key issue of our time. While the United States’ policymakers have yet to take on the challenge of just how to define the rules of our connected and integrated online society and the data that runs through it in a comprehensive way, European regulators have already taken a crucial step. That step, of course, is Regulation 2016/679 of the European Parliament — or, as it is more commonly known, the General Data Protection Regulation (GDPR).
While the GDPR was passed in Brussels, companies around the world and the security professionals that protect them have also been directly impacted. This is not only because they could be interacting with data owned by or about European citizens, but because of rising expectations of users at home in their own countries.
Just how much security managers have been affected and in what ways they will have to adapt is just beginning to be understood because, as noted by CSO Magazine, the GDPR leaves much to interpretation. For example, what exactly is a “reasonable” level of protection for personal data?
While businesses are still finding their way through this new reality, this article explores how, with the right understanding, organizations and security managers can use the expectations of the GDPR to promote privacy without stepping in the way of business or minimizing security.
What is the GDPR?
If you haven’t heard of the GDPR in the two years since its passage, don’t worry; according to an IDC survey of 700 companies in European countries, 22% weren’t aware of the GDPR. An additional 52% knew about it, but not how it would impact them.
Adopted in April of 2016, the GDPR is the first comprehensive reworking and replacement of European data protection and privacy legislation in over twenty years and could be the most significant and far-reaching regulatory framework to hit organizations in just as many countries.
As with many EU efforts, the GDPR’s purpose is to replace the varying guidelines, laws and policies in place across Europe with a single, consistent EU regulation. In the end, it provides a standardized set of expectations about how an organization must manage and protect personally identifiable information (PII) on employees, customers and other applicable data sets.
However, the scale and reach of the GDPR extend far beyond the EU’s borders. Any organization that holds data on EU citizens, regardless of where it is located or operates, is affected by this legislation. Similarly, companies housing, processing or transmitting data within the EU on any data subject, regardless of their location, may also be in scope.
Compliance with the GDPR became mandatory beginning May 25th, 2018. For more information on data security compliance and regulations by industry that may be affected by the GDPR, Infosec provides a comprehensive look at them here.
So just what kind of things make up “data”? The GDPR defines that, too, and it includes:
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
What does the GDPR mean for my organization and customers?
One of the GDPR’s most extensive focus areas is the empowerment of users and data owners with new rights, tools and expectations that allow them to have more say and awareness of how their data is used. Known as the ARCO rights, the legislation builds on a foundation of providing users with control over their data, including:
- Right to access my personal data
- Right to rectify my personal data
- Right to cancel the use of my personal data
- Right to oppose any data-gathering process
Additionally, the GDPR expands the data owner’s rights when it comes to the right of deletion and the right of portability. The former is as simple as it sounds, allowing them to control what is known and shared about themselves, including the right to remove data elements. The latter allows users the right to request all of the data held about them by an organization to be available to them in a common readable format. This also means that organizations collecting data on users will have to provide an overview of all the data categories, the purpose of collecting the data, how it was collected and all of the parties that have the ability to access or handle the data itself.
How will the GDPR impact organizational security processes?
The implementation of these rights, especially the concepts of deletion, portability and information on its use, means organizations need to be ready with the proper systems, policies and roles to make it all happen, especially within the security domain. Some of the key security functions and process areas affected by the GDPR include how data is transferred, how security breaches are reported, how privacy policies are written and how consent for collection is obtained and managed.
While this article begins to explore these concepts and how they affect the role of a security manager in complying with the GDPR, a full Privacy Impact Assessment (PIA), among other steps, is also recommended to enhance an organization’s privacy posture.
How security breaches are reported
Security managers need to be aware of the enhanced notification requirements and timelines laid out in the legislation. Article 33 of the GDPR requires data processors to notify the data controller of a data breach or security incident involving personal information as soon as they can, and requires data controllers to report the discovery of a breach to the supervising authority within 72 hours. Article 34 also requires the data controller to notify the individuals involved in a data breach if it will have an adverse impact on them. Any negative impact can be mitigated by the data controller taking steps to render the data unintelligible to others — for example, with encryption.
This policy also includes vendors that work with or around an organization’s data. Under the GDPR, organizations need to know how vendors operate, what security frameworks they use and how they manage and protect data. Without knowing these aspects, organizations open themselves up to non-compliance with the GDPR as well as other risks.
These regulations put more expectations on the security manager to determine what an incident is or is not and, from there, its severity. Within that 72-hour window, the security team needs to be able to identify an incident, determine what happened and prove if PII was lost or violated. To meet these expectations, security managers need to make sure that incident management policies and preparations are in place and that they know how to assist in communications to stakeholders about the incident and its impact.
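A small triage helper for the obligations described in this section, written as an added example for this article rather than code from the original; the record fields (`discovered_at`, `adverse_impact_likely`, `data_unintelligible`) are this example's own names, and the encryption mitigation is modelled simply as a flag the incident handler sets once they have confirmed the data was unreadable to the attacker:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Article 33: the controller reports to the supervisory authority within 72 hours
# of becoming aware of the breach. The clock starts at discovery, not at containment.
AUTHORITY_NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:
    """Minimal incident record. Field names are this example's own, not GDPR terms."""
    incident_id: str
    discovered_at: datetime          # timezone-aware moment the controller became aware
    personal_data_involved: bool     # did the incident touch personal data at all?
    adverse_impact_likely: bool      # the Article 34 trigger for notifying individuals
    data_unintelligible: bool        # e.g. strongly encrypted, key not exposed (mitigation)
    reported_to_authority_at: Optional[datetime] = None


@dataclass
class NotificationPlan:
    authority_deadline: datetime
    hours_remaining: float           # negative once the 72-hour window has passed
    authority_overdue: bool
    notify_authority: bool
    notify_data_subjects: bool


def plan_notifications(rec: BreachRecord, now: datetime) -> NotificationPlan:
    """Work out who still has to be told, and how much of the 72-hour window is left."""
    if rec.discovered_at.tzinfo is None or now.tzinfo is None:
        raise ValueError("use timezone-aware datetimes so the deadline is unambiguous")
    deadline = rec.discovered_at + AUTHORITY_NOTIFICATION_WINDOW
    hours_remaining = (deadline - now).total_seconds() / 3600
    already_reported = rec.reported_to_authority_at is not None
    notify_authority = rec.personal_data_involved and not already_reported
    overdue = notify_authority and now > deadline
    # Article 34: notify affected individuals when adverse impact is likely, unless the
    # data was rendered unintelligible (for example by encryption) so the impact is mitigated.
    notify_subjects = (rec.personal_data_involved
                       and rec.adverse_impact_likely
                       and not rec.data_unintelligible)
    return NotificationPlan(deadline, hours_remaining, overdue, notify_authority, notify_subjects)
```

The point of keeping the deadline in the record rather than in someone's head is that the 72 hours run from discovery, which is usually earlier than the moment the security team finishes establishing whether PII was actually exposed.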
How data is transferred
Security managers will also have to walk their organizations through the changes that the GDPR outlines for how data in motion is secured. At its broadest level, personal data cannot be transferred to countries outside of the European Economic Area unless the organization is able to guarantee that the same level of data protection controls outlined in the GDPR is in place at the destination. Security managers are also required to ensure that proper data encryption is in place to protect the data in motion to appropriate standards.
Enhanced data collection consent and management requirements
Security processes and policies around data collection, the initial and ongoing consent for it to occur and its management will also need to be updated to maintain compliance with the EU legislation. The GDPR asks companies to collect only what is necessary and to be able to justify it with a reason valid under Article 6 of the legislation. Just what is a justifiable reason? Specifically, Article 6 states:
“1. Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Additionally, consent to collect user data must be specific to the data being collected and only for the purposes for which it is being collected.
Most importantly, the GDPR also includes the ability for a user to revoke their consent at any time. These notions apply to any process in which there is a personal data exchange, including cookies, mailing lists, email subscription forms and apps. For security managers, understanding what constitutes “normal” or “necessary” use of data is critical.
This also means that organizations need to have the platforms, systems and tools to manage these requests, consent agreements and data rules. Security managers need to understand both the laws and the processes implemented so they can protect these information assets and comply with the policies required to keep the data secure.
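One way such a platform can enforce the rules just described (purpose-specific consent, revocation at any time, and the access, portability and deletion rights from the earlier section), as an added example that is not part of the original article and not any vendor's product. The ledger design, its method names and the JSON export format are this example's own assumptions; it enforces only the consent basis and merely logs the other Article 6 bases so an auditor can see what was claimed:

```python
import json
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Optional


class LawfulBasis(Enum):
    """The six Article 6(1) grounds quoted above."""
    CONSENT = "6(1)(a)"
    CONTRACT = "6(1)(b)"
    LEGAL_OBLIGATION = "6(1)(c)"
    VITAL_INTERESTS = "6(1)(d)"
    PUBLIC_TASK = "6(1)(e)"
    LEGITIMATE_INTERESTS = "6(1)(f)"


@dataclass
class Consent:
    purpose: str                   # consent is bound to one specific purpose
    categories: FrozenSet[str]     # and to the data categories named when it was given
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Hypothetical consent and personal-data ledger (this example's own design)."""

    def __init__(self) -> None:
        self._consents: Dict[str, List[Consent]] = {}
        self._records: Dict[str, Dict[str, dict]] = {}   # subject -> category -> values
        self.audit: List[dict] = []                       # every processing decision taken

    def record_consent(self, subject: str, purpose: str, categories: Iterable[str], when: datetime) -> None:
        self._consents.setdefault(subject, []).append(Consent(purpose, frozenset(categories), when))

    def withdraw_consent(self, subject: str, purpose: str, when: datetime) -> int:
        """Revocation: closes every active consent for that purpose; returns how many."""
        closed = 0
        for c in self._consents.get(subject, []):
            if c.active() and c.purpose == purpose:
                c.withdrawn_at = when
                closed += 1
        return closed

    def store(self, subject: str, category: str, values: dict) -> None:
        self._records.setdefault(subject, {})[category] = values

    def may_process(self, subject: str, category: str, purpose: str, basis: LawfulBasis) -> bool:
        """Consent is checked here; the other five bases are accepted but logged for audit."""
        if basis is LawfulBasis.CONSENT:
            allowed = any(c.active() and c.purpose == purpose and category in c.categories
                          for c in self._consents.get(subject, []))
        else:
            allowed = True
        self.audit.append({"subject": subject, "category": category, "purpose": purpose,
                           "basis": basis.value, "allowed": allowed})
        return allowed

    def export(self, subject: str) -> str:
        """Access and portability: everything held on the subject, plus consent history, as JSON."""
        payload = {
            "subject": subject,
            "data": self._records.get(subject, {}),
            "consents": [{"purpose": c.purpose,
                          "categories": sorted(c.categories),
                          "given_at": c.given_at.isoformat(),
                          "withdrawn_at": c.withdrawn_at.isoformat() if c.withdrawn_at else None}
                         for c in self._consents.get(subject, [])],
        }
        return json.dumps(payload, indent=2, sort_keys=True)

    def erase(self, subject: str) -> int:
        """Deletion: drops the subject's stored data categories; returns how many were removed."""
        return len(self._records.pop(subject, {}))
```

The check that matters most for a security manager is `may_process`: a consent given for one purpose (say, a newsletter) must not silently authorize processing for another (say, profiling), and a withdrawn consent must block further processing immediately while the audit trail still shows what was done before the withdrawal.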
Enhanced sanctions for non-compliance
So what happens if an organization is found to not be in compliance with the GDPR? Well, the legislation covers that in great detail, too. To start, Article 83 of the legislation walks through the sanctions that an organization can be subject to in the EU, beginning with the possibility of a written warning for the first or unintentional violations through to large fines for preventable or repeated offenses.
Specifically, Article 83 of the GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance. Violations that could reach this type of penalty can include the insecure transfer of personal data, a lack of consent for data collection, disclosure of personal data to a non-EU or non-compliant body, or a failure to provide users with the ability to exercise their rights as owners of their own data.
How else has the GDPR changed the role of security manager?
The GDPR can be seen as a response to recent high-profile data breaches, proving that the public and their governments have lost their patience with security lapses that could have been prevented. To that end, two other sections of the GDPR, Articles 35 and 25, lay out requirements for security operations, ranging from having and following a vulnerability and patch management policy, maintaining endpoint and perimeter tools (e.g., firewalls and incident detection software), and enforcing acceptable use of organizational technology. The last thing security professionals should want is an audit by a GDPR regulatory body asking why they have expired antivirus definitions.
Finally, Article 35 includes a Data Protection Impact Assessment subsection that requires that, when necessary, organizations shall carry out a review to assess if data processing is performed in accordance with the GDPR “at least when there is a change of the risk represented by processing operations.” If they aren’t already in place, change management processes need to be followed and security managers need to have the ability to effectively audit business operations to ensure compliance with these articles.