The upcoming GDPR compliance deadline of May 2018 affects any organization in the world that collects, processes, or stores data on citizens of the European Union. The intent behind the GDPR is to better protect the privacy of EU citizens, and the mechanism for doing so is the harmonization of the existing data privacy laws across Europe.
“The six core principles show us that it is simply to ensure that the personal information and attributes of people, like you and I, are afforded the care and protection they deserve and we expect.” –The Six Commandments of GDPR, Tripwire Blog, March 2017
It is important for organizations to make sense of the GDPR given the steep potential fines for non-compliance. This blog series will provide some guidance on how to respond to the GDPR.
Cloudy and Clear Direction for GDPR
What is interesting about the regulation is the language. In some places it is vague and intentionally future-proofed; in others it is very prescriptive. For example, Article 37 states, "The controller and the processor shall designate a data protection officer (DPO) in any case where…." So, hire a data protection officer if your organization meets the criteria. What has been confusing is what size of organization is required to appoint a DPO. The regulation does not set a headcount threshold; instead, it points to the nature of the processing, such as "processing on a large scale" of special categories of data or regular and systematic monitoring of data subjects on a large scale. Either way, as noted in a recent blog, the DPO is here to stay, whether as a full-time position at a larger and better-resourced organization or as a virtual part-time role at a smaller organization with fewer resources.
Article 33 is similarly prescriptive: "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent." (Meaning a fine is possible if you do not report a data breach within 72 hours.) Note that the clock starts when the controller becomes aware of the breach, so the ability to detect a breach promptly matters as much as the ability to report it.
One phrase recently noted by our experts, "adequate measures," strongly suggests that monitoring and controls for data processing are needed to ensure the confidentiality and integrity of processing systems and the information they contain. A security strategy should be in place, one that potentially aligns with a security framework and/or standards. For the purposes of this blog series (and yes, we need a series to discuss this thoroughly), we will focus on the vague language in the GDPR related to security provisions. Why? Many organizations seem to be struggling with it. A recent IDC survey noted that "defining state of the art" was among the top five most challenging GDPR requirements. And it is important for all stakeholders to understand each other's viewpoints if everyone is to become compliant.
This Making Sense of the GDPR blog series will cover the various points of view on some of the vague language in the GDPR:
- Legal Point of View
- Marketing Point of View
- Data Protection Professional Point of View
- Points of View from Organizations Responding to the Regulation
- Viewing the GDPR from a Security Framework Lens
Navigating the Fog
The comprehensive regulation is also full of fog, and people are walking away with very different understandings of it. Two vague terms appear quite frequently in the GDPR: "appropriate" and "state of the art." We can all look these terms up in a dictionary, but we need to understand what they mean in context. Let's start this blog series by reviewing the terms in the context of the regulation. Here is Article 32, which uses both:
GDPR: Article 32, Security of processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The Fog Clears
In this Article 32 example, organizations must demonstrate that they have considered "state of the art," meaning proven, high-quality technology. This does not always translate into the latest technology. High quality means the control performs a meaningful, valued function consistently. Examples of high-value, reliable functions are monitoring systems for unauthorized changes in real time and encrypting data during all transmissions. Evidence, i.e., reports showing that these controls are actually operating, is required, and because Article 32(1)(d) calls for regularly testing and evaluating the measures, that evidence should show the controls are tested and effective, not merely deployed.
Organizations must also demonstrate that they have made "appropriate" efforts to deliver security that addresses the risk level determined by the Data Protection Impact Assessment in Article 35. For example, suppose your risk assessment found a high prevalence of critical vulnerabilities on the systems that process and store the data. The organization must then show an effort to discover, prioritize and manage this vulnerability risk, with ongoing reporting. In layman's terms: show that you are doing your best to protect the EU data, and show that you can discover a breach in a timely manner.
Weigh in on your interpretation of these GDPR terms in the blog comments section. Also, watch for the next blog, which talks more about how to understand the GDPR language. If you are curious about what Tripwire can offer for your GDPR efforts, look here.