With the European Union's General Data Protection Regulation (GDPR) set to go into effect in May 2018, global businesses must have a clear understanding of how the new guidelines will affect how they process and store customer data. For IT departments and security teams, that means a little "light reading" in the form of nearly 100 pages of extremely dense text, filled with the sort of lawyer-speak that makes deciphering clear takeaways next to impossible.
With the European Union threatening to fine noncompliant organizations up to €20 million (almost $22 million) or 4% of their worldwide annual turnover for the preceding financial year, whichever is higher, failing to understand the regulation could sink an organization altogether, or at least have a major impact on the bottom line. To make your life easier, I'll go through the most critical articles of the GDPR, explaining what security professionals need to know, and why.
Article 16: Right to Rectification
In one of the GDPR's shortest articles (54 words), the EU grants data subjects (anyone whose personal data is being processed, not only EU citizens) the "right to rectification." This means that customers have the right to have inaccurate personal data about themselves corrected, and incomplete data completed, "without undue delay." At first this sounds simple, but it becomes increasingly complex once you factor in the third-party vendors and processors that have already received the data: a correction the customer sees in your system is worthless if the stale copy lives on with a recipient. Complying with this will require additional controls that let the organization track which recipients hold which data and alter (or, under the companion right to erasure, delete) records that have already left the network.
Article 25: Data Protection by Design and by Default
The 25th article of the GDPR starts with one doozy of a sentence:
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
Strip away the qualifiers and this is a long-winded way of saying that privacy protection must be engineered into the processing from the design stage onward rather than bolted on afterwards, and that it must cover data at rest, in transit, and in use. Note the example the article itself chooses: pseudonymization, not anonymization. Pseudonymized data (a direct identifier replaced by a token, with the key or mapping needed to reverse it held separately under its own access control) is still personal data under the GDPR, because it can be re-linked to the individual; only data that nobody can re-link falls outside the Regulation. Where sensitive personal data is being processed, organizations should expect to put such technical measures in place so that analysts and downstream systems work on the pseudonymized form and never see the raw identity.
Article 25 goes on, in its second paragraph, to require that by default only the personal data necessary for each specific purpose is processed. That obligation covers the amount of data collected, the extent of its processing, how long it is stored, and who can access it, and it must be met with both "technical and organizational" measures. In other words, the privacy-preserving configuration has to be the default rather than an opt-in, which reduces the chance that information is leaked or misused simply because nobody got around to switching the safeguards on.
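To make the two measures Article 25 names concrete, here is an added example in Python that is not code from the article or from any product it mentions. It pseudonymizes direct identifiers with a keyed HMAC rather than a bare hash, keeps the re-identification material in a separate "vault," and releases to each processing purpose only the fields that purpose is registered for. The sample records, the purpose names and their field lists, and the `IdentityVault` class are all my own illustrative assumptions; in production the vault's key and mapping would live in a separate system (an HSM or secrets manager) under its own access control.

```python
"""Added example, not from the Dark Reading article: pseudonymization and
purpose-bound data minimization as Article 25 "technical measures".
Assumptions (mine): flat dict records, illustrative purposes/field lists,
and a vault that would in production be a separate, access-controlled system."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records, as an application might hold them.
SAMPLE_RECORDS: List[dict] = [
    {"email": "alice@example.com", "name": "Alice Example", "country": "DE",
     "plan": "pro", "dob": "1984-02-11", "last_login": "2017-03-01"},
    {"email": "bob@example.org", "name": "Bob Example", "country": "FR",
     "plan": "free", "dob": "1990-07-30", "last_login": "2017-02-27"},
]

DIRECT_IDENTIFIERS = {"email", "name"}

# Data minimization by default: each registered purpose sees only the fields
# it needs, and unregistered purposes get nothing. Illustrative assumptions.
PURPOSES: Dict[str, dict] = {
    # analysts get a stable join key for the customer but never the address
    "usage_analytics": {"fields": ["email", "country", "plan", "last_login"],
                        "pseudonymous": True},
    # invoicing genuinely needs identity, but nothing beyond these fields
    "billing": {"fields": ["email", "name", "plan"], "pseudonymous": False},
}


class IdentityVault:
    """Holds the 'additional information' needed to re-identify a token: the
    HMAC key and the token -> original mapping. Kept apart from the dataset."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._mapping: Dict[str, str] = {}

    def pseudonymize(self, value: str) -> str:
        # Keyed and deterministic: equal inputs give equal tokens, so datasets
        # can still be joined, but without the key a token can be neither
        # reversed nor tested against a guess. HMAC-SHA256, never a bare hash.
        token = hmac.new(self._key, value.strip().lower().encode("utf-8"),
                         hashlib.sha256).hexdigest()[:32]
        self._mapping[token] = value
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Re-identification, available only to whoever may use the vault."""
        return self._mapping.get(token)


def minimize_for_purpose(record: dict, purpose: str, vault: IdentityVault) -> dict:
    """Return only the fields allowed for `purpose`; for pseudonymous purposes
    direct identifiers are replaced by vault tokens. Unknown purposes refused."""
    if purpose not in PURPOSES:
        raise ValueError(f"no processing purpose registered for {purpose!r}")
    spec = PURPOSES[purpose]
    out = {}
    for field in spec["fields"]:
        if field not in record:
            continue
        value = record[field]
        if spec["pseudonymous"] and field in DIRECT_IDENTIFIERS:
            value = vault.pseudonymize(value)
        out[field] = value
    return out


def unkeyed_hash(value: str) -> str:
    """What people often do instead: a plain SHA-256 of the identifier."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def guess_unkeyed_hash(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Why a bare hash is not pseudonymization: e-mail addresses have little
    entropy, so anyone with a candidate list recomputes the hash and matches."""
    for c in candidates:
        if unkeyed_hash(c) == target:
            return c
    return None


def guess_keyed_token(target: str, candidates: Iterable[str], attacker_key: bytes) -> Optional[str]:
    """The same attack against a keyed token only works with the real key."""
    attacker_vault = IdentityVault(attacker_key)
    for c in candidates:
        if attacker_vault.pseudonymize(c) == target:
            return c
    return None


if __name__ == "__main__":
    vault = IdentityVault()
    for purpose in PURPOSES:
        for rec in SAMPLE_RECORDS:
            print(purpose, minimize_for_purpose(rec, purpose, vault))
```

Two design points are worth spelling out. The analytics purpose still receives a token for the e-mail field, which is what keeps pseudonymized data inside the GDPR: the vault can turn the token back into a person, so the vault, not the dataset, is where your access control has to sit. And `guess_unkeyed_hash` is there to show why "we hash the e-mail" is not a privacy measure; the keyed version only resists the same dictionary attack because the key never leaves the vault.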
Article 30: Records of Processing Activities
Article 30 of the GDPR deals with record keeping. Strictly read, what it requires of companies and of the processors they work with is a written record of processing activities: the purposes of processing, the categories of data subjects and personal data, the categories of recipients, any transfers to third countries, retention periods, and a general description of the security measures in place, to be made available to the supervisory authority on request. You cannot keep that register honest without knowing how customer data actually flows through its life cycle, so for security teams the practical consequence is deploying IT solutions that track that flow: auditing that captures granular usage details in something close to real time. These details include the nature of the activity (viewing, editing, printing, and so on), the user who performed it, the time and origin (IP address) of the activity, and more.
Having access to this data is just the start. The purpose of the record keeping is to have evidence in case of audits by a "supervisory authority," whose powers are also defined within the GDPR's text. Which body plays the role of supervisory authority will be determined case by case, depending on the member states involved, so the oversight bodies will likely have slightly different policies and procedures, further complicating the situation. My assumption is that none of these bodies will be shy about using their auditing powers, especially in the first few months, in order to prove the EU is committed to enforcing the GDPR's regulations.
Article 46: Transfers Subject to Appropriate Safeguards
The last article I'll cover, the 46th, is arguably one of the most important in the GDPR. It governs transfers of personal data to countries outside the EU for which the Commission has made no adequacy decision: such transfers are permitted only where the organization provides "appropriate safeguards" (the article lists instruments such as standard contractual clauses and binding corporate rules) and data subjects keep enforceable rights and effective remedies. In practice, that means applying the same stringent data protections no matter where the information is transferred or stored. This article is crucial because it addresses the key concern behind the GDPR's inception: that once data about people in the EU leaves the EU, it can become subject to surveillance by other nation-states, which the EU treats as incompatible with the protection the Regulation guarantees.
To remain in compliance with this requirement, security teams should look at controls that are applied at the data level, such as encryption or pseudonymization with the keys kept under the organization's own control, rather than relying on the perimeter of whichever network the data happens to sit in. This way, as the data travels, the security precautions travel with it, allowing the organization to share information throughout its international network without the protection being stripped off at each border.
The good news is that we still have over a year before the GDPR takes effect. As an industry, we still have time to put the necessary measures in place. Cybersecurity and IT leaders must come together and pool our collective expertise to determine the optimal strategy for achieving compliance with the GDPR.
Now, the bad news. Don't expect your CEO to be open to the idea of sacrificing efficiency for compliance's sake. Instead, IT departments must find ways to ensure security without stifling collaboration. That being said, I know the security industry is up for the challenge, and whether the 2018 rollout goes smoothly or not, I'm confident we'll come out the other side of this in one piece.