This is not a drill. One year from today, the grace period for the European Union's General Data Protection Regulation (GDPR) ends, and enforcement begins.
The bad news: GDPR has rigorous rules -- like a 72-hour breach notification window -- and sharp teeth -- like fines of up to 20 million Euros or 4% of your annual "turnover" (roughly equivalent to revenue), whichever is higher. And despite that, chances are high that you won't be ready to comply by the deadline if you even realize that you have to comply in the first place.
The good news is that it could help you do many of the things you should have done and wanted to do all along: data inventory, better monitoring, principles of least-privileges, encryption, secure application development, and a better understanding of the business you support.
How do you get there in 12 months? Here are some guidelines.
Assemble your team.
Team - as in Infosec, Privacy, and Compliance. But you also need to loop in other groups, such as:
Marketing. "You've got to have enforceable rules about what marketing does with people's data," says ESET senior security researcher Stephen Cobb.
Your marketers may use private data the most, and may already be aware of GDPR's coming impact on their operations. One ad-serving technology company executive told Advertising Age recently, GDPR is "ripping the digital ecosystem apart" and the CEO of the DMA (Direct Marketing Association) group said in a statement last month that the GDPR deadline of "May 2018 should be a date that is in every marketer's diary."
HR. GDPR does not only apply to customers' data. It also applies to your employees' information.
Development/DevOps. GDPR has stipulations for "data protection by design and by default," which will have implications for the secure development of any applications. There are also new mandates for data collection and use-consent that will require changes to more than just autocheck boxes on your Web forms and the opt-out functions of your newsletters.
Communications/PR. The 72-hour breach notification response time will require planning. In addition, an official process for handling privacy violation complaints will need to be established.
Legal. Compliance cannot be outsourced. Contracts with third parties may need to be revisited.
Data Protection Officer, if you need one. GDPR mandates that certain organizations, depending upon several factors, will need someone explicitly assigned to the task of protecting data. According to the International Association of Privacy Professionals, 100% of the large enterprises in information and communication will need a DPO, as well as 100% of financial institutions and insurance firms. IAPP estimates that there will be a need for 75,000 DPOs worldwide, including roughly 9,000 in the US alone.
Although there are rules about the DPO being independent from the organization, these responsibilities could be assigned to an existing role, a new person could be hired, or the job could be outsourced.
According to a survey by Blancco Technology Group, DPOs are not typical and costly. Fifty-nine percent of American companies are most likely to assign the responsibilities of DPO to an existing role, according to the survey. Half of respondents to a survey by Varonis say their organization does not yet have a DPO, but 47% of those that are planning to appoint one expect the individual to have a primarily IT-based professional background.
Assess your exposure.
Does GDPR apply to you? "You increase your risk by first of all not knowing if you were covered," says Cobb. As Cobb explained in a blog: "Your firm probably needs to comply with GDPR if: You monitor the behavior of data subjects who are located within the EU; You're based outside the EU but provide services or goods to the EU (including free services); or You have an 'establishment' in the EU, regardless of where you process personal data (e.g. cloud-based processing performed outside of the EU for an EU-based company is subject to the GDPR)."
Do you know what "private data" means in the EU? The definitions, which still vary somewhat by country, are far broader than the American understanding of personally identifiable information. Information about location, income, cultural information like religion and political affiliation, and perhaps even one's shoe size is protected under law. Also, "Child" means something different – in the US, parental consent is needed for minors under age 13, but in the EU, if parental consent is required for children, it means kids under 16.
How many EU citizens do you have in your databases – internal and external users? Remember too, that Brexit does not absolve you from worrying about UK citizens. The UK is not officially scheduled to leave the Union until March 29, 2019. Also, 68% of respondents to the Varonis survey expect that any British organization that violates GDPR will be "made an example of," as recompense for Brexit; 57% believe the UK will be among the top three most rigorous enforcers of the law while the country remains in the EU.
In how many countries do you operate? The more countries' citizen privacy you've violated, the worse the penalties may be.
In which countries do you operate? Certain countries have a more vigorous privacy culture and history of privacy activism and are expected to enforce the regulation – either from a top-down or bottom-up approach – more rigorously than others.
How much of your business model relies on profiling? This can fall into a lot of categories, from target marketing to loan approval. All the information about income bracket, geography, age, and favorite color so frequently requested in Web forms will now be protected by law. (The rules against profiling could even have implications for any automated surveillance controls you have in place to watch out for insider security threats.) Read more at the IAPP: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-5-profiling/
How much of your business model relies upon the processing of data? If you're an IT or telecommunications company that transmits or stores data, you fit into this category alongside the payment and payroll processors.
Know Your GDPR:
Article 35: data protection impact assessment. It isn't the first article that pertains to cybersecurity, but it's the first one you should think about. According to the Blancco survey, 41% of American organizations are currently undergoing a data protection gap analysis.
Article 7: consent. As the International Association of Privacy Professionals explains, "silence, pre-ticked boxes or inactivity" are not adequate ways of conferring consent. Also, GDPR gives data subjects the right to withdraw consent at any time and, as the law mandates "it shall be as easy to withdraw consent as to give it."
Article 16: right to rectification. EU citizens have the right to have inaccurate information about themselves corrected. As CEO and founder of Seclore Vishal Gupta wrote in a column for Dark Reading earlier this month, "At first this sounds simple, but it comes increasingly complex as you factor in third-party vendors that have come into possession of the data. Complying with this will require additional controls that allow organizations to either alter or delete data that has already left the network."
Article 17: right to erasure (right to be forgotten): As IAPP explains, "This right allows individuals to request the deletion of personal data, and, where the controller has publicized the data, to require other controllers to also comply with the request."
Article 25: data protection by design and by default. As Roxane Suau of Pradeo describes it: "This is one of the most important aspects of GDPR. On the one hand, it is expected companies will include data privacy protection as part of their development process. On the other hand, they must apply the appropriate technical means and methods and organizational processes to ensure only relevant data collection, processing and storage."
Article 30: records of processing activities. Article 30 states that written records be kept about data subjects, data recipients, cross-border data transfers, and security measures placed upon them. These records must be presented to data protection authorities on request.
Article 32: security of data processing. Article 32 is the biggest cybersecurity Article, but it allows for some risk management. It requires data controllers and processors "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk," including measures like pseudonymization/encryption; the ability to guarantee confidentiality, integrity, and availability; the ability to restore access to data in a timely manner after an incident, and; a process for regular security testing.
Articles 33-34: breach notifications to supervisory authorities and data subjects (within 72 hours of breach discovery)
Article 46: transfers subject to appropriate safeguards. As Gupta wrote, this addresses the concern that when European citizen data gets "transferred outside the EU, it can become subject to surveillance by nation-states." To remain in compliance with this article, Gupta recommends data-level security tools that will hold security precautions in place while it travels. These precautions will also help meet the requirements of Privacy Shield.
Respondents to both reports from Varonis and Blancco named the right to be forgotten, the records of data processing activities, security of data processing, and the 72-hour breach notification rule, as the biggest concerns.
Find your data. Start monitoring.
"What you can't do is expect to navigate all that without knowing where that data is and what data you've got," Cobb says.
"If an organization cannot find their customers’ data, how will they be capable of erasing the data and complying with the EU GDPR’s requirement” for the “right to be forgotten,” said Richard Stiennon, chief strategy officer for Blancco Technology Group, in a statement. Stiennon goes on to say that companies often use “insecure and unreliable data removal methods, such as basic deletion and free data wiping software.”
Brian Vecci, technical evangelist of Varonis, agrees and suggests organizations that are behind start simply by instituting basic monitoring, followed by automatic data classification.
Without at least knowledge of what data you have and how it's being used, Vecci says, it's impossible to institute any practices of least privilege or keep adequate records. "It's like trying to clean up your garage in the dark," he says. "Just turn on the lights."
Set new processes and policies and ways to enforce them.
Decide whether or not you're going to set different policies for EU citizen data or apply those standards to all data. "That presumes that you know the difference between EU citizens and others," Vecci points out. Before you can decide whether to segregate that data or secure it differently, you must first set processes and technologies for properly classifying it, he says.
Data collection and consent. What can you avoid collecting altogether? What can you do to make consent for data collection as user-friendly and low-friction as possible, while also making sure that it's very clear what is being collected and how it will be used?
Data storage. Should you consider separate storage on EU-based servers, to make some of the Article 46 rules on data transfer easier to follow?
Data retention/destruction. The Blancco study found that only basic deletion was used by 28% of IT pros in the US, and free data wiping solutions by 25%.
Get your developers on board. Secure development practices, encryption, pseudonymization, identity, vulnerability assessments, and proper security testing are, to varying degrees, mandated or encouraged by GDPR. The data protection by design and by default rule means that bolted-on application security isn't enough anymore.
Revisit procurement procedures and third-party contracts. According to Gartner analysts, "Outside parties must also comply with relevant requirements that can impact supply, change management and procurement processes."
Prepare for breach response and complaint response: You will need to have a system for receiving and responding to complaints. According to Gartner analysts, "If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls."
Get that extra budget.
Here are some things to tell your board of directors and CFO when you need extra money for this effort.
GDPR would have cost Tesco Bank billions. Had GDPR been in place when Tesco Bank was breached and hit with a heist in November 2016, they might have been liable to fines of up to £1.9 billion ($2.46 billion USD) for its November 2016 breach. Cybercriminals lifted roughly £2.5 million from 9,000 of Tesco's customers, but the breach could have cost the bank far, far more than that.
The GDPR requires data controllers have adequate security protections in place, and a violation of that rule could have cost the bank up to 4 percent of its sizeable annual turnover. Seventy-five percent of the people surveyed in the Varonis study said that the fines imposed as a result of breaching the regulation could "cripple" some organizations.
Fines aren't the only punishment. As Ilias Chantzos, Symantec's senior director of global government affairs and cybersecurity policy wrote May 12: “Data Protection Authorities have many more arrows in their quiver that may prove even more problematic than the fines. Decisions by [data protection authorities] such as ban of processing of certain categories of data or suspension of data flows can kill complete business models." He also mentions that there are no caps on liability and law suits.
Don't assume the laws won't be enforced. Not only can nations' data protection authorities take action against violators, but individual European citizens can. Individuals have already had major legal victories against giant companies over privacy, the quintessential case being Austrian Max Schrems' complaints about Facebook's data transfers.
Individuals are now further empowered by GDPR, and any violations, particularly in the form of data breaches, could draw more attention and class action suits than US companies might expect from Americans.
Just keep things secure.
"GDPR is not that onerous when you think about it," Vecci notes.
Knowing what and where your data is, being able to change it or destroy it, making sure that only the people who should have access to it do, and keeping it secure are really just common sense controls that organizations already apply to other assets, he says.
"We would never have a bank account with no protections around it ... but we treat data that way," he says.
GDPR is a way of codifying this data security and gives CISOs more leverage to do it. It also broadens the definition of "private data," which means that more systems and data will need protections; something that Vecci says was necessary already.
"Meeting the regulations really just means doing the basics."