9/30/2016
10:25 AM
6 Ways To Prepare For The EU's GDPR

In less than 20 months, all US companies doing business in the EU will face new consumer privacy requirements. Here's how to prepare for them.

In less than 20 months, all companies handling personal data belonging to residents of the European Union will be expected to comply with a new set of privacy requirements under the EU General Data Protection Regulation (GDPR).

The GDPR introduces tough new privacy requirements for companies handling EU personal data and vests consumers with significantly greater control and rights over the manner in which their data is collected, shared, retained, and destroyed. It gives EU regulators the authority to impose fines of up to 2 percent or up to 4 percent of a company's global annual turnover, depending on the tier of violation (or 10 million or 20 million euros, whichever is higher).

“The May 2018 deadline for GDPR compliance may seem like a long way off,” says John Crossno, product manager at enterprise technology vendor Compuware, which did a recent survey on the preparedness of US firms for GDPR. “Given the complexity of change it will require in the way organizations handle personal data, it’s really not.”

Two-thirds of the CIOs at large companies in the survey said they had no plans yet for implementing critical GDPR requirements like data anonymization, customer consent, and the right to be forgotten.

Here, in no particular order, are the issues that US companies must be addressing right now to prepare for GDPR.

Develop And Articulate A Clear Privacy Policy

Under GDPR, companies must provide clear notice to their customers of the purpose for which their data is being collected, says Dana Simberkoff, chief compliance and risk officer at software vendor AvePoint.

Companies need to write a clear privacy policy that consumers will actually be able to read and understand.

In that policy, they need to clearly indicate what personal information is being requested or collected from consumers, says Simberkoff. Consumers have to be given a choice of whether or not to provide it, and any data that is collected needs to be clearly marked for the specific purpose for which it was collected.

In addition, any data collected for a stated purpose can only be used for that purpose, and only within the scope of the consent that was obtained, she says.

The obligation to meet this requirement flows from the entity that collected the data (the controller) to any other organization that processes or handles it on the controller's behalf. Both can be held liable in the event the data is used inappropriately or if there is a data breach.

“The GDPR requires that you not only create policies that meet its mandate, but that you operationalize those policies and be able to prove that you have done so,” Simberkoff says. “Companies should already be practicing transparency around why you want to collect data and ensuring all data is only used for the exact purpose and within the boundaries of consent.”

Enable An Opt-In Requirement For Data Sharing

Most US companies currently use an opt-out policy when collecting and sharing consumer data. The opt-out model requires consumers to specifically ask data collectors and aggregators not to share their data with third parties. Otherwise, consent is assumed by default.

GDPR will require organizations to do just the opposite. They will not be allowed to collect or share EU consumer data by default; the EU consumer will have to consent specifically to such collection and sharing by opting in. The consent must be "freely given, specific, informed and unambiguous," Simberkoff says, quoting from the regulation.

“Privacy policies must be clear and concise, and companies must provide consumers with an opt-in option to having their data shared with third parties,” she says. “Just offering an opt-out option will no longer be acceptable.”

In addition to requiring affirmative consent, GDPR also restricts the ability of companies to obtain consent from children (under 16, a threshold member states may lower to 13) without specific parental authorization.

Start Implementing Privacy by Design

GDPR is big on the notion of privacy by design, a requirement that emphasizes baking privacy protections into products, processes, and services from the start rather than bolting them on afterward.

"Software and development practices that don't follow privacy by design principles put organizations at major risk in light of GDPR,” says Dan Blum, a senior analyst at KuppingerCole.

The earlier developers can implement privacy-friendly practices the more they can lower risks, reduce costs of compliance, and future-proof their software, he says.

Examples of privacy-friendly software features under GDPR include opt-in consent, data use minimization, purpose specificity, data anonymization, and support for the right to be forgotten.

Larger organizations would benefit from establishing a privacy and data governance practice, if they don't already have one, to keep track of software and development requirements and to manage change, Blum says. "They will need developer awareness and training to get developers to align with these processes and do their part," Blum notes.

The UK Information Commissioner's Office (ICO) publishes privacy by design guidance built around its eight data protection principles, which include fair and lawful processing of personal data, data minimization, limits on retention, and data security controls.

Prepare For New Data Breach Reporting Requirements

GDPR requires companies to inform regulators, and in high-risk cases the affected individuals, about data breaches impacting personal information. While breach notification is not particularly new for American companies, since most states already mandate it, the reporting requirements under GDPR are far more stringent.

“At 72 hours, the timeline to report a breach is the tightest that we’ve seen with any regulatory measures,” says Eldon Sprickerhoff, founder and chief security strategist at eSentire. 

The potential fines that companies face for non-compliance are also the highest, he says. Importantly, non-compliance fines aren’t issued because of a data breach. “The fines are issued because an organization failed to properly report a data breach within the designated timeframe,” he says.

The key to preparedness for this requirement is knowing what data you have and what legislation covers that data, Sprickerhoff says. Also key is a good understanding of the threats against your organization and the ability to describe how well you are able to defend against them.

"Do you know what access risks exist? Can you demonstrate that you're doing what you've claimed?" Sprickerhoff asks. Ensuring that your organization has adequate measures to protect against cyber attacks is important, he says. "Including compliance reporting timelines as a part of incident response plans and policies is another vital exercise."

Implement Controls For Tracking And Managing Data

GDPR gives consumers the right to ask companies holding data about them to erase that data upon request. It also gives them the right to ask for a copy of their digital data so they can transfer it to someone else if they choose to do so.

The right to data portability and the right to erasure (the "right to be forgotten") impose new requirements on companies doing business in the EU, says Eve Maler, vice president of innovation and emerging technology at ForgeRock.

“IT managers need to be asking themselves: can we track a customer’s personal data as it travels through our systems? Can we erase it if they request us to do so? Or better yet, can we provide them the tools to do this on their own?” Maler says. “These capabilities will be required under GDPR, and it’s a significant departure from business as usual.”

Be Ready For Data Protection Impact Assessments

The GDPR requires companies to do data protection impact assessments (DPIAs) to identify “high risks” to consumer data privacy that might surface during data processing, says AvePoint’s Simberkoff.

Only some types of data processing involving personal data will trigger the requirement. Some time between now and when GDPR goes into effect, EU data privacy authorities will release a public list of the types of processing they consider to be high-risk and needing a DPIA.

The impact assessments can be incorporated into the standard planning, development, test, deployment, and monitoring processes, Simberkoff says. They allow privacy teams to implement privacy by design and enable a risk-based approach to data protection.

Online tools are available that allow organizations to conduct DPIAs and the goal should be to go ahead and conduct the assessments in advance of GDPR, Simberkoff says.

When risks are identified, companies should implement measures to mitigate those risks, which under GDPR include data encryption and pseudonymization or anonymization of data.
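Pseudonymization is the mitigation in that list that is most often done badly in code, so here is an added example (not from the article or any vendor quoted in it) contrasting an unkeyed hash, which an attacker can reverse with a list of candidate identifiers, with a keyed HMAC whose secret key and re-identification table are held apart from the pseudonymized dataset. It also illustrates the right-to-erasure point raised earlier: deleting a subject's entry from the separately held lookup table breaks the link to that person while leaving the aggregate dataset usable. The sample records, e-mail addresses, attacker word list, and the assumption that the key would live in a KMS or HSM are all constructed for illustration.

```python
"""Keyed pseudonymization vs. a bare hash, plus erasure via the separate lookup table.

Added illustration, not code from the article. Assumptions: the HMAC key is
stored in a separate, access-controlled key store; the token -> identifier
table is the "additional information kept separately" that makes the scheme
pseudonymization rather than anonymization; all sample data is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample records, as an analytics team might receive them.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "purchase": 42.50},
    {"email": "bob@example.com", "purchase": 7.00},
    {"email": "alice@example.com", "purchase": 13.25},
]

# Constructed candidate list an attacker might try against unkeyed hashes.
ATTACKER_WORDLIST = ["alice@example.com", "bob@example.com", "carol@example.com"]


def unkeyed_pseudonym(identifier: str) -> str:
    """The common mistake: a bare SHA-256. Deterministic, but anyone can recompute it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(tokens: Iterable[str], wordlist: Iterable[str], token_fn) -> Dict[str, str]:
    """Recover identities by running candidates through the same public function."""
    table = {token_fn(w): w for w in wordlist}
    return {t: table[t] for t in tokens if t in table}


class Pseudonymizer:
    """HMAC-SHA256 tokens; only the key holder can compute or link them."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key          # assumed to be fetched from a KMS/HSM in practice
        self._lookup = {}        # token -> identifier, the separately held table

    def _token(self, identifier: str) -> str:
        return hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()

    def pseudonym(self, identifier: str) -> str:
        token = self._token(identifier)
        self._lookup[token] = identifier
        return token

    def reidentify(self, token: str) -> Optional[str]:
        return self._lookup.get(token)

    def erase(self, identifier: str) -> bool:
        """Honour an erasure request by dropping the subject's re-identification entry."""
        return self._lookup.pop(self._token(identifier), None) is not None


def pseudonymize_records(records, pz: Pseudonymizer):
    """Replace the direct identifier with a token; keep the non-identifying fields."""
    return [{"subject": pz.pseudonym(r["email"]), "purchase": r["purchase"]} for r in records]


def spend_per_subject(records) -> Dict[str, float]:
    """Analytics still works on tokens because the same subject maps to the same token."""
    totals: Dict[str, float] = {}
    for r in records:
        totals[r["subject"]] = totals.get(r["subject"], 0.0) + r["purchase"]
    return totals


def demo() -> dict:
    """Run the comparison end to end and return the observable results."""
    emails = [r["email"] for r in SAMPLE_RECORDS]
    weak_tokens = [unkeyed_pseudonym(e) for e in emails]
    recovered_weak = dictionary_attack(weak_tokens, ATTACKER_WORDLIST, unkeyed_pseudonym)

    pz = Pseudonymizer(secrets.token_bytes(32))
    dataset = pseudonymize_records(SAMPLE_RECORDS, pz)
    # Without the key the attacker can only try the public hash; it matches nothing.
    recovered_keyed = dictionary_attack([r["subject"] for r in dataset], ATTACKER_WORDLIST, unkeyed_pseudonym)

    alice_token = dataset[0]["subject"]
    before = pz.reidentify(alice_token)
    pz.erase("alice@example.com")
    after = pz.reidentify(alice_token)
    return {
        "weak_recovered": sorted(recovered_weak.values()),
        "keyed_recovered": sorted(recovered_keyed.values()),
        "totals": spend_per_subject(dataset),
        "alice_before": before,
        "alice_after": after,
        "rows_kept": len(dataset),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. First, anyone holding the key can still confirm a guessed identity by recomputing the HMAC, so an erasure that has to be irreversible also requires rotating or destroying the key (or using random tokens whose only link is the lookup table). Second, the lookup table is itself personal data and needs its own access control, logging, and retention policy; it is the separate storage of that table, not the hashing, that makes this pseudonymization in the GDPR sense rather than anonymization.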


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
IanM368, User Rank: Apprentice, 1/20/2017 | 6:51:09 AM
GDPR Courses are the easiest way
The real challenge is the number of days left and number of firms needing to comply with this by that date.

UK companies need to be thinking about the less than 500 days left to ensure GDPR compliance and to ensure they have their ducks lined up.

There is plenty to read on this, but companies should consider the easy option of going on a 1-day course and getting all the tools they need to take away to get their company on the journey. Courses are available at //assuredata.eu/ for example, which provide the tools to then take away to make it happen.
Souheil.M, User Rank: Apprentice, 10/3/2016 | 8:58:01 AM
A good brief introduction about the GDPR

An instructive introduction to the major functional impacts regarding the application of the new GDPR. However, I am wondering about the technical measures that can fulfill the new requirements; there are no specific details about that. How could one say that a firm is compliant or not if there is no precise baseline against which the assessment can be done?
