
You Have One Year to Make GDPR Your Biggest Security Victory Ever

The EU's new razor-toothed data privacy law could either rip you apart or help you create the best security program you've ever had. Here's how.

This is not a drill. One year from today, the grace period for the European Union's General Data Protection Regulation (GDPR) ends, and enforcement begins. 

The bad news: GDPR has rigorous rules -- like a 72-hour breach notification window -- and sharp teeth -- like fines of up to 20 million Euros or 4% of your annual "turnover" (roughly equivalent to revenue), whichever is higher. And despite that, chances are high that you won't be ready to comply by the deadline -- if you even realize that you have to comply in the first place.

The good news is that it could help you do many of the things you should have done and wanted to do all along: data inventory, better monitoring, the principle of least privilege, encryption, secure application development, and a better understanding of the business you support.

How do you get there in 12 months? Here are some guidelines.

Assemble your team.

Team - as in Infosec, Privacy, and Compliance. But you also need to loop in other groups, such as:

Marketing. "You've got to have enforceable rules about what marketing does with people's data," says ESET senior security researcher Stephen Cobb. 

Your marketers may use private data the most, and may already be aware of GDPR's coming impact on their operations. One ad-serving technology company executive recently told Advertising Age that GDPR is "ripping the digital ecosystem apart," and the CEO of the DMA (Direct Marketing Association) said in a statement last month that the GDPR deadline of "May 2018 should be a date that is in every marketer's diary."

HR. GDPR does not only apply to customers' data. It also applies to your employees' information.

Development/DevOps. GDPR has stipulations for "data protection by design and by default," which will have implications for the secure development of any applications. There are also new mandates for data collection and use-consent that will require changes to more than just autocheck boxes on your Web forms and the opt-out functions of your newsletters. 

Communications/PR. The 72-hour breach notification response time will require planning. In addition, an official process for handling privacy violation complaints will need to be established.

Legal. Compliance cannot be outsourced. Contracts with third parties may need to be revisited. 

Data Protection Officer, if you need one. GDPR mandates that certain organizations, depending upon several factors, will need someone explicitly assigned to the task of protecting data. According to the International Association of Privacy Professionals, 100% of the large enterprises in information and communication will need a DPO, as well as 100% of financial institutions and insurance firms. IAPP estimates that there will be a need for 75,000 DPOs worldwide, including roughly 9,000 in the US alone.

Although there are rules about the DPO being independent from the organization, these responsibilities could be assigned to an existing role, a new person could be hired, or the job could be outsourced. 

According to a survey by Blancco Technology Group, DPOs are uncommon and costly. Fifty-nine percent of American companies are most likely to assign the responsibilities of DPO to an existing role, according to the survey. Half of respondents to a survey by Varonis say their organization does not yet have a DPO, but 47% of those that are planning to appoint one expect the individual to have a primarily IT-based professional background.

Assess your exposure.

Does GDPR apply to you? "You increase your risk by first of all not knowing if you were covered," says Cobb. As Cobb explained in a blog: "Your firm probably needs to comply with GDPR if: You monitor the behavior of data subjects who are located within the EU; You're based outside the EU but provide services or goods to the EU (including free services); or You have an 'establishment' in the EU, regardless of where you process personal data (e.g. cloud-based processing performed outside of the EU for an EU-based company is subject to the GDPR)."

Do you know what "private data" means in the EU? The definitions, which still vary somewhat by country, are far broader than the American understanding of personally identifiable information. Information about location, income, cultural information like religion and political affiliation, and perhaps even one's shoe size is protected under law. Also, "Child" means something different – in the US, parental consent is needed for minors under age 13, but in the EU, if parental consent is required for children, it means kids under 16.

How many EU citizens do you have in your databases – internal and external users? Remember too, that Brexit does not absolve you from worrying about UK citizens. The UK is not officially scheduled to leave the Union until March 29, 2019. Also, 68% of respondents to the Varonis survey expect that any British organization that violates GDPR will be "made an example of," as recompense for Brexit; 57% believe the UK will be among the top three most rigorous enforcers of the law while the country remains in the EU. 

In how many countries do you operate? The more countries' citizen privacy you've violated, the worse the penalties may be.

In which countries do you operate? Certain countries have a more vigorous privacy culture and history of privacy activism and are expected to enforce the regulation – either from a top-down or bottom-up approach – more rigorously than others. 

How much of your business model relies on profiling? This can fall into a lot of categories, from target marketing to loan approval. All the information about income bracket, geography, age, and favorite color so frequently requested in Web forms will now be protected by law. (The rules against profiling could even have implications for any automated surveillance controls you have in place to watch out for insider security threats.) Read more at the IAPP: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-5-profiling/

How much of your business model relies upon the processing of data? If you're an IT or telecommunications company that transmits or stores data, you fit into this category alongside the payment and payroll processors.             

Know Your GDPR:

Article 35: data protection impact assessment. It isn't the first article that pertains to cybersecurity, but it's the first one you should think about. According to the Blancco survey, 41% of American organizations are currently undergoing a data protection gap analysis.

Article 7: consent. As the International Association of Privacy Professionals explains, "silence, pre-ticked boxes or inactivity" are not adequate ways of conferring consent. Also, GDPR gives data subjects the right to withdraw consent at any time and, as the law mandates "it shall be as easy to withdraw consent as to give it." 

Article 16: right to rectification. EU citizens have the right to have inaccurate information about themselves corrected. As Seclore CEO and founder Vishal Gupta wrote in a column for Dark Reading earlier this month, "At first this sounds simple, but it becomes increasingly complex as you factor in third-party vendors that have come into possession of the data. Complying with this will require additional controls that allow organizations to either alter or delete data that has already left the network."

Article 17: right to erasure (right to be forgotten): As IAPP explains, "This right allows individuals to request the deletion of personal data, and, where the controller has publicized the data, to require other controllers to also comply with the request."  

Article 25: data protection by design and by default. As Roxane Suau of Pradeo describes it: "This is one of the most important aspects of GDPR. On the one hand, it is expected companies will include data privacy protection as part of their development process. On the other hand, they must apply the appropriate technical means and methods and organizational processes to ensure only relevant data collection, processing and storage."

Article 30: records of processing activities. Article 30 requires that written records be kept about data subjects, data recipients, cross-border data transfers, and the security measures applied to them. These records must be presented to data protection authorities on request.

Article 32: security of data processing. Article 32 is the biggest cybersecurity Article, but it allows for some risk management. It requires that data controllers and processors "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk," including measures like pseudonymization/encryption; the ability to guarantee confidentiality, integrity, and availability; the ability to restore access to data in a timely manner after an incident; and a process for regular security testing.

Articles 33-34: breach notifications to supervisory authorities and data subjects (within 72 hours of breach discovery)  

Article 46: transfers subject to appropriate safeguards. As Gupta wrote, this addresses the concern that when European citizen data gets "transferred outside the EU, it can become subject to surveillance by nation-states." To remain in compliance with this article, Gupta recommends data-level security tools that keep security precautions in place while the data travels. These precautions will also help meet the requirements of Privacy Shield.

Respondents to both the Varonis and Blancco reports named the right to be forgotten, the records of data processing activities, security of data processing, and the 72-hour breach notification rule as their biggest concerns.

Find your data. Start monitoring.

"What you can't do is expect to navigate all that without knowing where that data is and what data you've got," Cobb says.

"If an organization cannot find their customers’ data, how will they be capable of erasing the data and complying with the EU GDPR’s requirement” for the “right to be forgotten,” said Richard Stiennon, chief strategy officer for Blancco Technology Group, in a statement. Stiennon goes on to say that companies often use “insecure and unreliable data removal methods, such as basic deletion and free data wiping software.” 

Brian Vecci, technical evangelist of Varonis, agrees and suggests organizations that are behind start simply by instituting basic monitoring, followed by automatic data classification.

Without at least knowledge of what data you have and how it's being used, Vecci says, it's impossible to institute any practices of least privilege or keep adequate records. "It's like trying to clean up your garage in the dark," he says. "Just turn on the lights."

NEXT PAGE: Set new process, policies, enforcement for GDPR



Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

5/29/2017 | 2:50:51 PM
I would think it would not be any more complex than the HIPAA we had to go through here in the US.
Joe Stanganelli
5/28/2017 | 3:09:24 PM
DPO and "costl[iness]"
In my experience, the organizations that try to tack on data-privacy responsibilities to another, not directly related role and/or go cheap on this tend to do quite poorly with their privacy efforts -- especially as the person doing that job and several others for a very undermarket compensation level feels overwhelmed.

When it comes to compliance and risk management, you get what you pay for.
5/26/2017 | 1:13:01 PM
What Authority Does a Foreign Entity Have on a Sovereign Nation?
There's been quite a bit of chatter on the GDPR, but to date, I haven't seen anyone address the fundamental question of just exactly how the EU could enforce a regulation on an entity not under their rule.

Why would the United States agree to comply with a foreign regulation? If that's the case, does an edict by Kim Jong-Un have the same weight of enforcement, and if not, why not?

Sara's article has a very valid point of using this event to strengthen our own security programs, but in the end, it's not for the EU to dictate how we protect our data.
Pablo Valerio
5/25/2017 | 5:36:43 PM
Going in different directions
Hi Sara, great article and summary of the upcoming GDPR requirements.

Looks to me that the EU and the US are going in opposite directions. The FCC is taking down privacy protections while the EU is increasing them.

It looks like Europe will play an important role in protecting privacy worldwide, as large corporations need to comply with the Regulation since they have "some" business in Europe.

And there will be no "grace" period after May 2018. In fact the GDPR is already in effect since May 2016. We are in the middle of the two-year grace period now!