5/9/2017 10:30 AM
Vishal Gupta
Commentary

Deciphering the GDPR: What You Need to Know to Prepare Your Organization

The European Union's upcoming privacy regulations are incredibly complex. Here are four important points to keep in mind.

With the European Union's General Data Protection Regulation (GDPR) set to apply from May 2018, global businesses must have a clear understanding of how the regulation will affect how they collect, process, and store customer data. For IT departments and security teams, that means a little "light reading" in the form of nearly 100 pages of extremely dense text, filled with the sort of lawyer-speak that makes deciphering clear takeaways next to impossible.

With the European Union able to fine noncompliant organizations up to €20 million (almost $22 million) or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83), failing to understand the regulation could sink an organization altogether, or at least have a major impact on the bottom line. To make your life easier, I'll go through the most critical articles of the GDPR, explaining what security professionals need to know, and why.

Article 16: Right to Rectification
In one of the GDPR's shortest articles (54 words), the EU grants individuals (in the regulation's terms, "data subjects") a "right to rectification." This means that customers have the right to have inaccurate personal data about themselves corrected without undue delay, which in practice means within one month of the request (Article 12(3)). At first this sounds simple, but it becomes increasingly complex as you factor in third-party vendors that have come into possession of the data: under Article 19 the controller must also communicate the rectification to each recipient to whom the data has been disclosed, unless that proves impossible or involves disproportionate effort. Complying with this will require additional controls that let an organization locate, alter, or delete data that has already left its own network, which starts with knowing where every copy went.

Article 25: Data Protection by Design and by Default
The 25th article of the GDPR starts with one doozy of a sentence:

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Stripped down, this says that data-protection principles must be designed into the processing from the start rather than bolted on afterwards, and that the bar is set by the state of the art and the risk to the people concerned, not by what is cheapest. Protecting data at rest, in transit, and in use is a natural part of those measures, but the article is about building the principles into the processing itself. Note the example measure the article names: pseudonymization, not anonymization. Under Article 4(5), pseudonymized data is data that can no longer be attributed to a specific person without additional information (such as a key or lookup table) that is kept separately and protected by its own technical and organizational measures; it is still personal data and still in scope. Anonymized data, from which no individual can be identified by any reasonable means, falls outside the regulation entirely (Recital 26). Calling a keyed token "anonymous" does not make it so.

Article 25(2) then adds the "by default" half: the controller must ensure that, by default, only the personal data necessary for each specific purpose is processed. That obligation applies to the amount of data collected, the extent of the processing, the retention period, and who can access the data; in particular, personal data must not by default be made accessible to an indefinite number of people without the individual's intervention. For engineering teams this translates into purpose-bound allow-lists of fields, short default retention, and access that is closed unless deliberately opened, backed by both "technical and organizational" controls so that the safeguards apply automatically rather than depending on each team remembering to turn them on.
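The two measures Article 25 names, pseudonymization and data minimization, are easier to reason about in code than in legal prose. The following example is added here and is not part of the original article or of any product the author describes. It pseudonymizes a customer identifier with a keyed HMAC (so the "additional information" of Article 4(5) is the key, which can be held separately in a KMS rather than beside the data), drops every field not on a per-purpose allow-list, and then shows why an unkeyed hash is not an adequate pseudonym: an attacker who can enumerate plausible e-mail addresses simply recomputes it. The sample records, the purposes `sales_analytics` and `fraud_review`, and the field names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample records for the example; not real people.
RAW_RECORDS = [
    {"customer_id": "C-1001", "email": "Anna.Berg@example.org",
     "postcode": "10115", "dob": "1984-03-02", "order_total": 120.50,
     "ip": "203.0.113.7"},
    {"customer_id": "C-1002", "email": "jonas@example.net",
     "postcode": "80331", "dob": "1990-11-19", "order_total": 42.00,
     "ip": "198.51.100.23"},
    {"customer_id": "C-1003", "email": "anna.berg@example.org",
     "postcode": "10115", "dob": "1984-03-02", "order_total": 15.99,
     "ip": "203.0.113.7"},
]

# Direct identifiers that never leave the controller's protected store.
DIRECT_IDENTIFIERS = {"customer_id", "email", "dob"}

# Article 25(2): by default only the data necessary for each specific purpose
# is processed. Each (hypothetical) purpose gets an explicit allow-list;
# anything not listed is dropped before the record reaches that pipeline.
PURPOSE_FIELDS = {
    "sales_analytics": {"pseudonym", "postcode_area", "order_total"},
    "fraud_review": {"pseudonym", "postcode", "order_total", "ip"},
}


class Pseudonymizer:
    """Keyed pseudonymisation (Article 4(5)): re-identification requires the
    HMAC key, which is kept separately from the pseudonymised data."""

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("pseudonymisation key must be at least 256 bits")
        self._key = key

    @staticmethod
    def normalize(identifier: str) -> str:
        # Same person, same pseudonym: canonicalise before hashing.
        return identifier.strip().lower()

    def pseudonym(self, identifier: str) -> str:
        data = self.normalize(identifier).encode("utf-8")
        mac = hmac.new(self._key, data, hashlib.sha256)
        return mac.hexdigest()[:32]  # 128-bit token is enough for a join key


def minimize(record: Dict, purpose: str, pseud: Pseudonymizer) -> Dict:
    """Pseudonymise one record and keep only the fields the purpose needs."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    derived = {
        "pseudonym": pseud.pseudonym(record["email"]),
        "postcode": record["postcode"],
        "postcode_area": record["postcode"][:2],  # coarsened location
        "order_total": record["order_total"],
        "ip": record["ip"],
    }
    out = {k: v for k, v in derived.items() if k in PURPOSE_FIELDS[purpose]}
    # Defence in depth: a direct identifier must never be on any allow-list.
    assert not DIRECT_IDENTIFIERS.intersection(out)
    return out


def leaks_direct_identifier(out: Dict, record: Dict) -> bool:
    """True if any direct-identifier value survives in the minimised output."""
    sensitive = {str(record[f]).lower() for f in DIRECT_IDENTIFIERS}
    return any(str(v).lower() in sensitive for v in out.values())


def unkeyed_pseudonym(identifier: str) -> str:
    """The weak approach: a plain hash. Anyone can recompute it."""
    data = Pseudonymizer.normalize(identifier).encode("utf-8")
    return hashlib.sha256(data).hexdigest()[:32]


def guess_identity(token: str, candidates: Iterable[str],
                   pseud: Optional[Pseudonymizer] = None) -> Optional[str]:
    """Dictionary attack: recompute the token for each candidate identifier.
    Succeeds against unkeyed hashes; fails against HMAC without the real key."""
    for cand in candidates:
        attempt = pseud.pseudonym(cand) if pseud else unkeyed_pseudonym(cand)
        if hmac.compare_digest(attempt, token):
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # production: fetch from a KMS/HSM, never store beside the data
    p = Pseudonymizer(key)
    for rec in RAW_RECORDS:
        print("analytics:", minimize(rec, "sales_analytics", p))
        print("fraud:    ", minimize(rec, "fraud_review", p))
    emails = [r["email"] for r in RAW_RECORDS]
    print("unkeyed hash recovered:", guess_identity(unkeyed_pseudonym(emails[1]), emails))
    print("keyed token recovered: ", guess_identity(p.pseudonym(emails[1]), emails, Pseudonymizer(b"wrong-key" * 4)))
```

Two design points worth noting. The pseudonym is stable across records for the same person (the first and third sample records collapse to one token), which is what an analytics team needs for joins, yet the analytics pipeline never sees an e-mail address, date of birth, or full postcode. And because the token is an HMAC rather than a bare hash, rotating or destroying the key is a practical way to end re-identification for a dataset, which matters for retention limits under Article 25(2) and for erasure requests.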

Article 30: Records of Processing Activities
Article 30 of the GDPR deals with record keeping. Controllers, and the processors they work with, must maintain a written record of their processing activities: the purposes of the processing, the categories of data subjects and of personal data, the recipients (including those in third countries), any international transfers and the safeguards for them, the envisaged retention periods, and a general description of the technical and organizational security measures in place. The article itself asks for this register, not for per-event logs, but in practice you cannot demonstrate that the register is accurate without knowing how customer data actually flows through its life cycle. For security teams, that means IT solutions that can audit usage in real time and capture granular details: the nature of the activity (viewing, editing, printing, and so on), the user who performed it, the time and location (IP address) of the activity, and more. Keep in mind that such audit trails contain personal data of their own (user names and IP addresses count), so the logging itself has to be minimized, access-controlled, and retention-limited like any other processing.

Having this record is just the start. Its purpose is to let you demonstrate compliance (the accountability principle of Article 5(2)) when a "supervisory authority" comes calling; the investigative and corrective powers of those authorities are set out in Article 58. Each member state designates its own supervisory authority (Article 51), and for cross-border processing the authority of the member state where the organization has its main establishment acts as lead authority (Article 56), so which regulator you deal with depends on where you are established and where your data subjects are. These bodies will inevitably differ somewhat in policies and procedures, further complicating the situation. My assumption is that none of these bodies will be shy about using their auditing powers, especially in the first few months, in order to prove the EU is committed to enforcing the GDPR's regulations.

Article 46: Transfers Subject to Appropriate Safeguards
The last article I'll cover, Article 46, is arguably one of the most important in the GDPR. It governs transfers of personal data to countries outside the EU (or to international organizations) for which the Commission has not issued an adequacy decision. Such transfers are allowed only if the controller or processor provides "appropriate safeguards," for example standard data protection clauses adopted by the Commission or approved binding corporate rules, and only if enforceable data subject rights and effective legal remedies remain available. In other words, the protections have to follow the data wherever it is transferred or stored. This article is crucial because it addresses a key concern behind the GDPR's inception: once data about people in Europe leaves the EU, it can become subject to surveillance by other nation-states. That concern is what led the Court of Justice of the EU to strike down the EU-US Safe Harbor arrangement in 2015.

To remain in compliance with this requirement, contractual safeguards such as standard clauses are necessary but not sufficient on their own. Security teams should also look at controls applied at the data level, such as encryption and usage policy that travel with the file rather than with the network segment it happens to sit in. This way, as the data travels, the security precautions remain in place, and the organization can share information throughout its international operations without losing control of it.

The good news is that we still have just over a year before the GDPR applies. As an industry, we still have time to put the necessary measures in place. Cybersecurity and IT leaders must come together and pool our collective expertise to determine the optimal strategy for achieving compliance with the GDPR.

Now, the bad news. Don't expect your CEO to be open to the idea of sacrificing efficiency for compliance's sake. Instead, IT departments must find ways to ensure security without stifling collaboration. That being said, I know the security industry is up for the challenge, and whether the 2018 rollout goes smoothly or not, I'm confident we'll come out the other side of this in one piece.

As the CEO and founder of Seclore, Vishal Gupta has led Seclore from a niche Indian startup to a global player in the enterprise digital rights management (EDRM) market, with over 8,000 companies in 29 countries using the solutions every day. Seclore partners with leading ...