
5/9/2017, 10:30 AM | Vishal Gupta | Commentary

Deciphering the GDPR: What You Need to Know to Prepare Your Organization

The European Union's upcoming privacy regulations are incredibly complex. Here are four important points to keep in mind.

With the European Union's General Data Protection Regulation (GDPR) set to go into effect in May 2018, global businesses must have a clear understanding of how the new guidelines will affect how they process and store customer data. For IT departments and security teams, that means a little "light reading" in the form of nearly 100 pages of extremely dense text, filled with the sort of lawyer-speak that makes deciphering clear takeaways next to impossible.

With the European Union threatening to fine noncompliant organizations up to €20 million (almost $22 million) or 4% of their global annual revenue for the previous year (depending on which is higher), failing to understand the regulation could sink an organization altogether, or at least have a major impact on the bottom line. To make your life easier, I'll go through the most critical articles of the GDPR, explaining what security professionals need to know, and why.

Article 16: Right to Rectification
In one of the GDPR's shortest articles (54 words), the EU states that citizens are entitled to the "right to rectification." This means that customers have the right to have inaccurate information about themselves corrected in a timely fashion. At first this sounds simple, but it becomes increasingly complex as you factor in third-party vendors that have come into possession of the data. Complying with this will require additional controls that allow organizations to either alter or delete data that has already left the network.

Article 25: Data Protection by Design and by Default
The 25th article of the GDPR starts with one doozy of a sentence:

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Essentially, this is a long-winded way of saying that data must be protected while at rest, in transit, and in use. In some instances, where sensitive personally identifiable information is being processed, organizations are also required to put technical measures in place that anonymize the individual in order to protect his or her privacy.

Article 25 goes on to say that organizations may only process the portions of the data that are relevant to the analysis being conducted, which will require companies to provide both "technical and organizational" privacy assurances. Plus, these security assurances must be applied to data by default, reducing the possibility that information is leaked or misused.

Article 30: Records of Processing Activities
Article 30 of the GDPR deals with record keeping, specifying how companies and the third parties they work with must track the flow of customer data throughout its life cycle. For security teams, this means that they must deploy IT solutions that can provide real-time auditing capabilities and capture granular usage details. These details include: the nature of the activity (viewing, editing, printing, and so on), the user who performed the activity, the time and location (IP address) of the activity, and more.


Having access to this data is just the start. The purpose of the record keeping is to have evidence in case of inevitable audits by a "supervisory authority," whose powers are also defined within the GDPR's text. Who plays the role of the "supervisory authority" will be determined on a case-by-case basis, depending on the member states involved. This means that the oversight bodies will likely have slightly different policies and procedures, further complicating the situation. My assumption is that none of these bodies will be shy about using their auditing powers, especially in the first few months, in order to prove the EU is committed to enforcing the GDPR's regulations.

Article 46: Transfers Subject to Appropriate Safeguards
The final article is the 46th, which is arguably one of the most important in the GDPR. Article 46 requires organizations to apply the same stringent data protections, no matter where the information is transferred or stored. This article is crucial because it addresses the key concern behind the GDPR's inception — that once European citizen data is transferred outside the EU, it can become subject to surveillance by nation-states, which has been deemed a privacy violation by the Commission.

To remain in compliance with this requirement, security teams must look at security tools that are applied at the data level. This way, as the data travels, the security precautions remain in place, allowing the organization to freely share information throughout its international network.

The good news is that we still have over a year before the GDPR takes effect. As an industry, we still have time to put the necessary measures in place. Cybersecurity and IT leaders must come together and pool our collective expertise to determine the optimal strategy for achieving compliance with the GDPR.

Now, the bad news. Don't expect your CEO to be open to the idea of sacrificing efficiency for compliance's sake. Instead, IT departments must find ways to ensure security without stifling collaboration. That being said, I know the security industry is up for the challenge, and whether the 2018 rollout goes smoothly or not, I'm confident we'll come out the other side of this in one piece.

As the CEO and founder of Seclore, Vishal Gupta has led Seclore from a niche Indian startup to a global player in the enterprise digital rights management (EDRM) market, with over 8,000 companies in 29 countries using the solutions every day. Seclore partners with leading ...