9/30/2016
10:25 AM
6 Ways To Prepare For The EU’s GDPR

In less than 20 months, all US companies doing business in the EU will face new consumer privacy requirements. Here's how to prepare for them.

In less than 20 months, all companies handling personal data belonging to residents of the European Union will be expected to comply with a new set of privacy requirements under the EU General Data Protection Regulation (GDPR).

The GDPR introduces tough new privacy requirements for companies handling EU data and vests consumers with significantly greater control and rights over the manner in which their data is collected, shared, retained, and destroyed. The GDPR gives EU regulators the authority to impose fines ranging from 2 percent to 4 percent of a company’s global revenues for violations of the regulation.

“The May 2018 deadline for GDPR compliance may seem like a long way off,” says John Crossno, product manager at enterprise technology vendor Compuware, which did a recent survey on the preparedness of US firms for GDPR. “Given the complexity of change it will require in the way organizations handle personal data, it’s really not.”

Two-thirds of the CIOs at large companies in the survey said they had no plans yet for implementing critical GDPR requirements like data anonymization, customer consent, and the right to be forgotten.

Here, in no particular order, are the issues that US companies must be addressing right now to prepare for GDPR.

Develop And Articulate A Clear Privacy Policy

Under GDPR, companies must provide clear notice to their customers of the purpose for which their data is being collected, says Dana Simberkoff, chief compliance and risk officer at software vendor AvePoint.

Companies need to write a clear privacy policy that consumers will actually be able to read and understand.

In that policy, they need to clearly indicate what personal information is being requested or collected from consumers, says Simberkoff. Consumers have to be given a choice of whether or not to provide it, and any data that is collected needs to be clearly marked for the specific purpose for which it was collected.

In addition, any data collected for a stated purpose can be used only for that purpose, the one for which consent was obtained, she says.

The obligation to meet this requirement flows from the entity that collected the data to any other organization that might process or handle it. Both will be held jointly liable in the event the data is used inappropriately or if there is a data breach.

“The GDPR requires that you not only create policies that meet its mandate, but that you operationalize those policies and be able to prove that you have done so,” Simberkoff says. “Companies should already be practicing transparency around why you want to collect data and ensuring all data is only used for the exact purpose and within the boundaries of consent.”

Enable An Opt-In Requirement For Data Sharing

Most US companies currently use an opt-out policy when collecting and sharing consumer data. The opt-out model requires consumers to specifically ask data collectors and aggregators not to share their data with third parties. Otherwise, consent is assumed by default.

GDPR will require organizations to do just the opposite. They will not be allowed to collect or share EU consumer data by default; the EU consumer will have to consent specifically to such data collection and sharing by opting in. The consent must be “freely given, specific, informed and unambiguous,” Simberkoff says, quoting from the directive.

“Privacy policies must be clear and concise, and companies must provide consumers with an opt-in option to having their data shared with third parties,” she says. “Just offering an opt-out option will no longer be acceptable.”

In addition to requiring affirmative consent, GDPR also places restrictions on the ability of companies to obtain consent from children without specific parental authorization.

Start Implementing Privacy by Design

GDPR is big on the notion of privacy by design, a requirement that emphasizes baking privacy protections into products, processes, and services rather than bolting them on afterward.

“Software and development practices that don't follow privacy by design principles put organizations at major risk in light of GDPR,” says Dan Blum, a senior analyst at KuppingerCole.

The earlier developers can implement privacy-friendly practices the more they can lower risks, reduce costs of compliance, and future-proof their software, he says.

Examples of privacy-friendly software features under GDPR include opt-in consent, data use minimization, purpose specificity, data anonymization, and the right to be forgotten.

Larger organizations would benefit from establishing a privacy and data governance practice, if they don't already have one, to keep track of software and development requirements and to manage change, Blum says. “They will need developer awareness and training to get developers to align with these processes and do their part,” Blum notes.

The Information Commissioner’s Office in the UK recommends eight foundational principles for privacy by design that include fair and lawful processing of personal data, minimization, data retention, and data security controls.

Prepare For New Data Breach Reporting Requirements

GDPR requires companies to inform consumers about data breaches affecting their personal information. While that requirement is not particularly new for American companies—most states already mandate it—the breach reporting requirements under GDPR are far more stringent.

“At 72 hours, the timeline to report a breach is the tightest that we’ve seen with any regulatory measures,” says Eldon Sprickerhoff, founder and chief security strategist at eSentire.

The potential fines that companies face for non-compliance are also the highest, he says. Importantly, non-compliance fines aren’t issued because of a data breach. “The fines are issued because an organization failed to properly report a data breach within the designated timeframe,” he says.

The key to preparedness for this requirement is knowing what data you have and what legislation covers that data, Sprickerhoff says. Also key is a good understanding of the threats against your organization and the ability to describe how well you are able to defend against them.

“Do you know what access risks exist? Can you demonstrate that you’re doing what you’ve claimed?” Sprickerhoff asks. Ensuring that your organization has adequate measures to protect against cyber attacks is important, he says. “Including compliance reporting timelines as a part of incident response plans and policies is another vital exercise.”

Implement Controls For Tracking And Managing Data

GDPR gives consumers the right to ask companies holding data about them to erase that data upon request. It also gives them the right to ask for a copy of their digital data so they can transfer it to someone else if they choose to do so.

The so-called right to portability and the right to erasure or right to be forgotten provisions impose new requirements on companies doing business in the EU, says Eve Maler, vice president of innovation and emerging technology at ForgeRock.

“IT managers need to be asking themselves: can we track a customer’s personal data as it travels through our systems? Can we erase it if they request us to do so? Or better yet, can we provide them the tools to do this on their own?” Maler says. “These capabilities will be required under GDPR, and it’s a significant departure from business as usual.”

Be Ready For Data Protection Impact Assessments

The GDPR requires companies to do data protection impact assessments (DPIAs) to identify “high risks” to consumer data privacy that might surface during data processing, says AvePoint’s Simberkoff.

Only some types of processing involving personal data will trigger the requirement. Sometime between now and when GDPR goes into effect, EU data privacy authorities will release a public list of the types of processing they consider high-risk and therefore needing a DPIA.

The impact assessments can be incorporated into the standard planning, development, test and deployment, and monitoring processes, Simberkoff says. They will allow privacy teams to implement privacy by design and enable a risk-based approach to data protection.

Online tools are available that allow organizations to conduct DPIAs, and the goal should be to conduct the assessments in advance of GDPR, Simberkoff says.

When risks are identified, companies should implement measures to mitigate those risks, which under GDPR include data encryption and pseudonymization or anonymization of data.
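To make the technical side of several of these points concrete, here is an added example (not code from the article or from any of the vendors quoted in it) in Python. It ties together the opt-in consent and purpose-specificity points from earlier sections, the tracking, portability and erasure capabilities Maler describes, and the pseudonymization mitigation mentioned here: direct identifiers and a per-subject secret key are held apart from event records, which are stored only under a keyed-hash pseudonym that differs per purpose. Erasure deletes the identifiers and the key, so any stray copy of the pseudonymous rows can no longer be linked to a person. The class and method names and the sample subject and events are constructed for this example.

```python
"""Added example, not code from the article or from any vendor quoted in it.
Shows opt-in consent per purpose, purpose-specific keyed pseudonymization,
a portability export and erasure. Names and sample data are assumptions."""
import hashlib
import hmac
import json
import secrets


class ConsentError(Exception):
    """Recording data for a purpose the subject has not opted in to is refused."""


def _pseudonym(key, purpose, subject_id):
    # HMAC-SHA256 keyed per subject: stable for one (subject, purpose) pair,
    # different across purposes so datasets cannot be joined, and impossible
    # to reverse or recompute once the subject's key has been destroyed.
    return hmac.new(key, f"{purpose}:{subject_id}".encode(), hashlib.sha256).hexdigest()


class PersonalDataStore:
    def __init__(self):
        # Direct identifiers, consent state and the per-subject key. In a real
        # system this table would live in a separately protected store.
        self._subjects = {}
        # Event records keyed only by pseudonym; no direct identifiers here.
        self._events = {}

    def register(self, subject_id, identifiers):
        self._subjects[subject_id] = {
            "identifiers": dict(identifiers),
            "consent": set(),      # opt-in: nothing is consented to by default
            "purposes": set(),     # purposes for which events were ever stored
            "key": secrets.token_bytes(32),
        }

    def knows(self, subject_id):
        return subject_id in self._subjects

    def opt_in(self, subject_id, purpose):
        self._subjects[subject_id]["consent"].add(purpose)

    def opt_out(self, subject_id, purpose):
        self._subjects[subject_id]["consent"].discard(purpose)

    def record(self, subject_id, purpose, event):
        subject = self._subjects[subject_id]
        if purpose not in subject["consent"]:
            raise ConsentError(f"no opt-in consent from {subject_id} for {purpose!r}")
        ps = _pseudonym(subject["key"], purpose, subject_id)
        subject["purposes"].add(purpose)
        self._events.setdefault(ps, []).append({"purpose": purpose, **event})
        return ps

    def export(self, subject_id):
        # Right to portability: every record held about the subject, in a
        # machine-readable form, re-linked through the subject's own key.
        subject = self._subjects[subject_id]
        events = []
        for purpose in sorted(subject["purposes"]):
            events.extend(self._events.get(_pseudonym(subject["key"], purpose, subject_id), []))
        return json.dumps({"identifiers": subject["identifiers"], "events": events}, sort_keys=True)

    def erase(self, subject_id):
        # Right to erasure: drop the event rows we can still enumerate, then the
        # identifiers and the key. Copies of the pseudonymous rows that survive
        # elsewhere (backups, exports) are no longer linkable to a person.
        subject = self._subjects.pop(subject_id)
        for purpose in subject["purposes"]:
            self._events.pop(_pseudonym(subject["key"], purpose, subject_id), None)
        del subject["key"]

    def event_count(self):
        return sum(len(rows) for rows in self._events.values())


def demo():
    """Walk one constructed subject through the lifecycle; returns checkable facts."""
    store = PersonalDataStore()
    store.register("u-1001", {"name": "Example Person", "email": "person@example.invalid"})
    try:  # no consent yet, so this must be refused
        store.record("u-1001", "billing", {"amount": 12})
        refused = False
    except ConsentError:
        refused = True
    store.opt_in("u-1001", "billing")
    store.opt_in("u-1001", "analytics")
    p_billing = store.record("u-1001", "billing", {"amount": 12})
    p_analytics = store.record("u-1001", "analytics", {"page": "/pricing"})
    p_billing_again = store.record("u-1001", "billing", {"amount": 3})
    exported = json.loads(store.export("u-1001"))
    store.erase("u-1001")
    return {
        "refused_without_consent": refused,
        "pseudonyms_differ_per_purpose": p_billing != p_analytics,
        "pseudonym_stable_within_purpose": p_billing == p_billing_again,
        "exported_email": exported["identifiers"]["email"],
        "exported_events": len(exported["events"]),
        "events_after_erasure": store.event_count(),
        "subject_known_after_erasure": store.knows("u-1001"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice worth noting is the split between the subject table and the event table: the event table never carries a name or e-mail address, so a leak of that table alone exposes only pseudonymous rows, and the same split is what makes erasure a matter of deleting one key rather than chasing every copy of a record.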

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
IanM368, User Rank: Apprentice
1/20/2017 | 6:51:09 AM
GDPR Courses are the easiest way
The real challenge is the number of days left and number of firms needing to comply with this by that date.

UK companies need to be thinking about the less than 500 days left to ensure GDPR compliance and to ensure they have their ducks lined up.

There is plenty to read on this, but companies should consider the easy option of going on a 1-day course and getting all the tools they need to take away to get their company on the journey. Courses are available at //assuredata.eu/ for example which provide the tools to then take away to make it happen.
Souheil.M, User Rank: Apprentice
10/3/2016 | 8:58:01 AM
A good brief introduction about the GDPR

An instructive introduction about the major functional impacts regarding the application of the new GDPR. However, I am wondering, in terms of technical measures that can fulfill the new requirements, there are no specific details about that. How could one be able to say that this firm is compliant or not if there is no precise baseline against which the assessment can be done?