Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:30 PM
Marc French
Marc French
Connect Directly
E-Mail vvv

GDPR 101: Keeping Data Safe Throughout the 'Supply Chain'

There are a lot of moving pieces involved with data collection, retention, and processing in the EU's new General Data Protection Regulation. Here's how to break down responsibilities between your security team and service providers.

While there has been a lot of chatter about the magnitude of penalties organizations may find themselves hit with (up to €20 million in fines) under the impending General Data Protection Regulation (GDPR), there isn't nearly enough talk about how to avoid penalties in the first place.

Sure, there are conversations about pre-ticked opt-in boxes and breach notification protocols ("You have 72 hours to report personal data breaches to the appropriate authorities," for one). But businesses are failing to address the root of the problem — the data itself.

To ensure compliance with GDPR, personal data must be kept only for as long as necessary, an issue that clearly is up for debate, as length of time varies by organization and industry. Then there is the "right to be forgotten," which means that data subjects can request that their data be deleted at any time.

But to understand how to identify, recall, and protect that data, organizations must first understand the nature of the data itself. For example, if I, Marc French, log in to your website, you need to keep track of where I go — and in a timely manner. If I ask for you to remove my data so the Googles and Facebooks of the world can't access bits and pieces of my "identity," you're now obligated by law to destroy any trace of it. And, if you don't know where that data is, you can't get rid of it.

Whether it's in the finance department's hands, the marketing department's in-boxes, or even with your shipping company for deliveries, there are a lot of different parties that are constantly using, holding, and updating personal data. That's why it's important to look at the data custody process in terms of tiers and outside forces — a supply chain, essentially.

Here are three examples of supply chain data you might not be considering but that could have GDPR impacts:

1. Escalation personnel phone numbers of your European IT staff for the cloud service to which you subscribe. Phone numbers are personal data, and you need to ensure that they do not leave the cloud service to its downstream partners without your consent.

2. The event registration data you collected for that big marketing conference that includes dietary restrictions for attendees. Not only is the attendee registration data considered personal data, but you are now also collecting sensitive medical data by way of the dietary restrictions. Because of this, you need to track what the caterer is doing with the information that is provided.

3. Your building's security desk that signs in visitors to your office, prints a badge, and gives it to the visitor, who later returns it upon leaving. Not only is data on the badge likely personal, but how you dispose of it, or how the security vendor handles it in its system, has GDPR implications.

As you can see with data collection, retention, and processing, there are a lot of moving pieces involved, and each of these parties comes into contact with personal data at some point along the line. Because of this, there's now a responsibility for both data processors (such as service providers) and data controllers (such as your organization) to work together in the case of a breach under GDPR.

According to the regulations, both parties might be liable for breaking the law and are required to notify regulators, their customers, and end users, and, ultimately, both parties are obligated to pay all fines and compensate customers for damages. If anyone in your supply chain loses control of the data, you too may also be responsible — and experience both pricey financial and reputational costs.

Before you develop a plan for working with the different tiers, the first step will be to consider how you classify the data. It's important that you qualify the data you collect and determine its value/risk to the business before doing anything else. For example: Is the data critical to your revenue stream (credit card data), or would the loss of the data be catastrophic to your intellectual property strategy (formula to your specialty cola)? If so, you rate the risk/value high.

Next, you'll need to rank your vendors. Ask employees who are provisioning new vendors what data they are collecting, and then rank the vendors based on the data valuation you developed during step one. They'll typically be split into two levels, which many organizations break down as:

Tier 1: Vendors that operate on the most sensitive data you have. You will want to do a dive deep with these folks and conduct a thorough vendor review, ensure contractual protections, and regularly review them for compliance and security.

Tier 2:  These vendors may operate on less sensitive data. Keep track of these folks in a central system on a regular schedule, so you can dust the list off and sample your internal customers to see if they are using additional services that might elevate them to tier 1. You may be surprised that the tier 2 vendor you set up two years ago has become tier 1 as the partnership has evolved.

With the GDPR deadline upon us, it is important to start work closely with tier 1 and tier 2 vendors to guide your organization's data protection strategy moving forward.

Related Content:

Marc French is the senior vice president and chief trust officer at Mimecast. He has more than 25 years of technology experience in engineering, operations, product management, and security. Prior to his current role, Marc was the CSO of Endurance International Group/Constant ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Cybersecurity Team Holiday Guide: 2019 Gag Gift Edition
Ericka Chickowski, Contributing Writer,  12/2/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-09
alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the generic field entry point via the Generic Test Definition field of a new Generic Test issue.
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue.
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.