What is it, when is it coming, and what steps should you take to comply?
If you’ve been following the information security news or Twitter feeds, then you’ve no doubt seen the increase in traffic around the General Data Protection Regulation (GDPR). And there’s a good chance you’ve been ignoring it, as well. It’s time to pay attention, for GDPR is going to affect your job.
There are less than 18 months remaining before the GDPR comes into force, but that’s doesn’t mean that you have more than a year to start implementing the requirements. And if you think the GDPR doesn’t apply to you because you’re not in the European Union, then you should definitely finish reading this post.
At it’s heart, this regulation was developed to increase consumer confidence in online services and e-commerce by making the protection of personal information a fundamental right for EU citizens. At the core of the GDPR is greater transparency and control over your data when it’s being collected and after it’s been collected. A positive interpretation of the GDPR is that organizations can earn consumers’ trust by giving them a sense of security that their data is stored and safeguarded appropriately. Instead of being a cost, the GDPR could be viewed as an opportunity to increase business in the world’s second largest trading bloc (the European Union).
Despite that rosy outlook on the principles behind the GDPR, it’s also clear that this new regulation will place a burden on any company doing business in the EU or just collecting data on EU citizens. If you think the GDPR might be limited to businesses based in the EU, you’re not quite correct on that point.
The GDPR applies globally, in fact, to all organizations that wish to do business with or monitor the behaviour of individuals in the European Union irrespective of where the organization’s headquarters are located or where they store and process that data. Let that sink in for just a moment. If you collect data on EU citizens, you’re subject to the GDPR. Unless your business is very tightly limited to exclude the European Union, chances are that you’ll have to deal with GDPR compliance. This broad scope is intended as a benefit. Bear in mind that the GDPR is really the successor to the EU Data Protection Directive, so it’s viewed, in part, based on how it improves that existing standard.
Brian Honan of BH Consulting puts it this way:
“Compliance is simpler and theoretically less expensive because the law applies equally across the entire EU and organisations can choose one preferred data protection authority for reporting.”
The GDPR isn’t just an expansion of scope for the EU Data Protection Directive. It’s also a much more stringent regulation overall, including more severe penalties for non-compliance. The most serious instances of non-compliance can carry fines up to a maximum of 4% of the company’s worldwide revenues or €20 million, whichever of the two is the higher amount. These consequences are meant to be, to put it plainly, consequential. In addition to the expanded fines, the GDPR:
- Introduces mandatory breach notification. Organizations that suffer a security breach that causes the exposure of personally identifiable data will need to report incidents to their designated data protection authority within 72 hours of the breach being identified
- Introduces designated Data Protection officers with expert knowledge of data protection laws. The role must be independent, autonomous, and have a direct line of reporting to senior management.
There are obviously other requirements that the GDPR puts forth, but this post isn’t intended to be an exhaustive exploration of the entire regulation. It’s intended to convince you to learn more and quickly. If you’re mentally asking the question “What products do I need to buy to be compliant?,” then it’s time to rip the band-aid off. You cannot achieve compliance with GDPR by purchasing and implementing a bunch of security products.
The regulation is deliberately worded to be technologically neutral and future-proofed, which is appropriate given how data and data security change over time. It is possible, however, to establish an initial, working interpretation of what organizations must to do from an information security standpoint for compliance. The key for data security is the phrase “adequate measures.” Data controllers must implement “adequate measures” to ensure the confidentiality and integrity of their processing systems and the information they hold. This includes:
- Applying critical security controls to detect, manage and mitigate appropriately any vulnerabilities to the data processing environment.
- Configuring systems in accordance with an enterprise policy and maintaining that configuration.
- Actively identifying systems that deviate from the established policy.
- Continuously monitoring log files to alert to any potential breaches or vulnerabilities
- Maintaining the ability to detect, respond to, and remediate any incidents effectively
- Engaging securely with cloud services.
We went back to Brian Honan for his interpretation of these steps and what they mean for organizations that are looking to achieve and maintain compliance. Here’s what he had to say:
“While the regulations don’t say it explicitly, my interpretation is that GDPR effectively requires organisations to have a defined security strategy. The systems, controls, and processes that you use to monitor data assets should align with generally accepted security standards and frameworks like ISO/IEC 27001/27002, NIST Cybersecurity Framework or CIS Critical Controls.”
Perhaps not surprisingly, the standards that the GDPR sets are really the sorts of standards that industry has already established. That’s not the say that implementation of these standards is easy or cheap, but the sign post clearly points in the direction of these best practices.
With that, we return to the aspect of this regulation with which businesses are most concerned: the fines. Obviously, avoiding a breach and implementing the required processes and controls is key to avoiding fines, but it’s reasonable to argue that not all breaches can be avoided. Brian Honan had some words of wisdom to add here, as well:
“An initial reading suggests that being able to show appropriate security measures prior to an incident may reduce the financial impact of that event. That’s a business case for increasing security investment that you can take straight to the board.”
If you’re interested in learning more about GDPR, Brian and I (mostly Brian) are delivering a webcast in March that expands on some of what’s discussed here.
Register your seat today!
EU time: Thursday, March 2, 2017 – 11:00 AM GMT
US time: Wednesday, March 1, 2017 – 11:00 AM PST
Also, if you are interested in learning more about preparing for the General Data Protection Regulation, you can read more here.