
1/28/2019
10:30 AM
Jason Wang
Commentary

3 Ways Companies Mess Up GDPR Compliance the Most

The best way to conform to the EU's new privacy regulation is to assume that you don't need to hold on to personal data, versus the opposite.

The General Data Protection Regulation (GDPR) has been in effect since May 2018, and companies that have done their due diligence to comply with the regulation may feel confident they have their bases covered. However, GDPR compliance rules are not as simple as they might seem at first glance, and there are special use cases that every company should consider. If compliance officers rush through checking the boxes and do not carefully assess the scope of GDPR, and how it relates to the company's data collection practices, they most certainly will have holes in their compliance plan.

Here are three examples of frequently overlooked compliance issues that could put companies at risk.

1. It's not just about consumer data
GDPR was designed to create more protections for consumers whose data is collected by different companies. But the scope of the regulation is much more expansive and can be applied in ways many companies didn't account for in their initial compliance plans. In addition to consumer personal data, companies are also required to handle the personal data of employees, job applicants and non-customers (e.g., people who fill out a form but don't purchase) with a new standard of care.

The regulation mandates that all data processing activities have a legal justification, so the best practice is to collect only the data that is necessary for essential data processing activities for consumers, job applicants, and everyone in between. Companies should evaluate their data processing practices with the goal of data minimization in order to stay compliant with GDPR.

Recommendation: Don't just review data capture practices; review data retention practices for all data. Make sure you're properly disposing of old resumes, employee personal data, and any other records whose usefulness has expired.

2. Policy vs. Reality
Any company that aims to process personal data must establish policies governing how data is collected, stored, and processed to stay compliant with GDPR. While good data governance is the cornerstone of GDPR compliance, simply having policies in place is not sufficient. Companies must go a step further and ensure that employees actually fulfill the data processing obligations defined under GDPR. Functionally, this means companies are obligated to make sure that what people do on a day-to-day basis aligns with the GDPR policies, and if employee behavior doesn't meet the company's standards, corrective action must be taken.

Often, a breach of policy is unintentional — for example, a customer support agent on a call with a customer saves personal information about that customer in a system where it does not belong, or an enterprising employee experiments with new software or sets up free software-as-a-service accounts and forgets to report them to the company's compliance officer. While these scenarios may seem like small issues, they expose companies to big risk because both are GDPR violations.

Recommendation: To mitigate risk, we recommend running frequent "mini" audits. Our security and compliance team has learned firsthand that compliance is easiest to incorporate into daily workflow when audits are part of workflows. While most companies run quarterly audits at best, annual audits at worst, mini audits that are time-boxed will signal to your company that compliance isn't a quarterly event but, rather, a continuous practice. Better yet, automate the audit process with tools so when policy and reality drift apart, the deviation is spotted right away.
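The two recommendations above (review retention for all categories of personal data, and run small automated audits that flag drift between policy and reality) can be combined into one scripted check. The following is an added example written for this article, not TrueVault's own code or tooling: the retention limits, approved-system lists and records are constructed placeholders, and a real audit would read them from the company's processing register and its actual systems.

```python
"""Mini audit: compare an inventory of personal-data records against policy.

Added illustration for the article's recommendations; not TrueVault code.
Every policy value and every record below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import date

# Constructed policy: maximum retention per record category (days) and the
# systems approved to hold that category. Real values come from your own
# data-processing register; GDPR itself prescribes no fixed periods.
RETENTION_DAYS = {
    "customer": 730,
    "employee": 1825,
    "job_applicant": 180,
    "web_lead": 90,  # filled out a form but never purchased
}
APPROVED_SYSTEMS = {
    "customer": {"crm"},
    "employee": {"hris"},
    "job_applicant": {"ats"},
    "web_lead": {"crm", "marketing"},
}


@dataclass
class Record:
    record_id: str
    category: str
    system: str        # where the record actually lives
    collected: date
    legal_basis: str   # e.g. "contract", "consent"; "" if nothing was recorded


def audit(records, policy_days, approved_systems, today):
    """Return (record_id, finding) tuples for every record that drifts from policy.

    Three checks, one per kind of drift the article describes: retention has
    expired, the record sits in a system not approved for its category (the
    support-agent and unreported-SaaS scenarios), or no legal basis is recorded.
    """
    findings = []
    for r in records:
        if r.category not in policy_days:
            findings.append((r.record_id, "uncategorised: no retention rule applies"))
            continue
        age = (today - r.collected).days
        limit = policy_days[r.category]
        if age > limit:
            findings.append((r.record_id, f"retention exceeded: {age}d > {limit}d for {r.category}"))
        if r.system not in approved_systems.get(r.category, set()):
            findings.append((r.record_id, f"stored in unapproved system: {r.system}"))
        if not r.legal_basis:
            findings.append((r.record_id, "no legal basis recorded"))
    return findings


# Constructed sample inventory; the audit date is the article's publication date.
AUDIT_DATE = date(2019, 1, 28)
SAMPLE_RECORDS = [
    Record("r1", "job_applicant", "ats", date(2018, 3, 1), "legitimate_interest"),  # old resume
    Record("r2", "customer", "crm", date(2018, 11, 15), "contract"),               # compliant
    Record("r3", "customer", "support_notes", date(2019, 1, 10), "contract"),      # wrong system
    Record("r4", "web_lead", "trial_saas", date(2018, 12, 20), ""),                # unreported SaaS, no basis
    Record("r5", "employee", "hris", date(2015, 6, 1), "contract"),                # compliant
]

if __name__ == "__main__":
    for record_id, finding in audit(SAMPLE_RECORDS, RETENTION_DAYS, APPROVED_SYSTEMS, AUDIT_DATE):
        print(f"{record_id}: {finding}")
```

Run on a schedule (weekly is a realistic "mini" cadence), the script turns a policy document into a check that fires the moment a record outlives its purpose or lands somewhere it should not be, which is the drift detection the article asks for.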

3. Edge Cases
The data that counts as "personal information" under GDPR isn't always as straightforward as basic demographic information. For example, job title is an unexpected category of personal information. Around 99.9% of the time, job title is not considered personal information protected under GDPR, but it certainly can be, depending upon the situation. Consider this job title: Chancellor of Germany. There is only one person in the world today who holds this position, meaning the identity of the individual can be revealed by this particular detail. So, in this case, job title must be considered personal information under GDPR and is therefore a protected class of data. The catch is that if one job title counts as personal information, then all job titles must be considered potential personal information and treated as such.

Recommendation: As part of your regular data audits, allocate some time to look at the information you collect that you don't mark as personal information. Just using the "non-personal" information, can a clever person deduce if a data point belongs to a specific person? If so, then you might want to rethink what's personal information and what is not.
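The "can a clever person deduce who this is" question can be asked of a dataset mechanically: for each field you have not marked as personal, count how many records share each value, and treat any value held by fewer than k people as identifying. The example below is added for this article and is not TrueVault's code; the rows are constructed, and it goes one step beyond the text by also checking pairs of fields, since two values that are each harmless on their own (a city and an employer size, say) can single someone out in combination.

```python
"""Uniqueness check over fields a company does NOT currently mark as personal data.

Added illustration for the article's edge-case recommendation; not TrueVault code.
The sample rows are constructed.
"""
from collections import Counter
from itertools import combinations

# Constructed sample: three fields that a naive classification would call
# "non-personal". One row carries the article's Chancellor of Germany example.
SAMPLE_ROWS = [
    {"job_title": "Software Engineer", "city": "Berlin", "employer_size": "large"},
    {"job_title": "Software Engineer", "city": "Berlin", "employer_size": "large"},
    {"job_title": "Software Engineer", "city": "Berlin", "employer_size": "small"},
    {"job_title": "Software Engineer", "city": "Munich", "employer_size": "small"},
    {"job_title": "Nurse", "city": "Berlin", "employer_size": "small"},
    {"job_title": "Nurse", "city": "Munich", "employer_size": "large"},
    {"job_title": "Nurse", "city": "Munich", "employer_size": "large"},
    {"job_title": "Chancellor of Germany", "city": "Berlin", "employer_size": "large"},
]


def uniqueness_report(rows, fields, k=2, max_combo=2):
    """Map each field combination (up to max_combo fields) to the value tuples
    shared by fewer than k rows. A value tuple held by fewer than k people
    narrows the data down to so few individuals that it behaves like personal
    data, exactly as the lone "Chancellor of Germany" title does."""
    report = {}
    for n in range(1, max_combo + 1):
        for combo in combinations(fields, n):
            counts = Counter(tuple(row[f] for f in combo) for row in rows)
            rare = {vals: c for vals, c in counts.items() if c < k}
            if rare:
                report[combo] = rare
    return report


def fields_to_reclassify(report):
    """Every field that takes part in at least one rare combination. Following
    the article's rule, once one value of a field can identify a person the
    whole field must be treated as potential personal information."""
    return {field for combo in report for field in combo}


if __name__ == "__main__":
    fields = ["job_title", "city", "employer_size"]
    report = uniqueness_report(SAMPLE_ROWS, fields)
    for combo, rare in report.items():
        print(f"{' + '.join(combo)}: {rare}")
    print("reclassify as potentially personal:", sorted(fields_to_reclassify(report)))
```

On the sample data, job_title alone flags the single Chancellor row while city and employer_size each look safe in isolation; only when fields are paired does "Munich + small" turn out to belong to exactly one record. The threshold k is the minimum group size you are willing to accept, and raising it makes the check stricter.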

Complying with GDPR is more involved and extensive than it initially appears, but it is not an impossible standard. The best advice is to assume that you don't need any data versus the opposite, that you do. In this way — in the spirit of GDPR — companies will inevitably provide the highest-caliber personal data protection for their users and ensure accountability for personal data processing throughout the organization.

Jason Wang is the founder and CEO of TrueVault, a data security company that is transforming how companies handle personal data. Businesses use personal data to shape customer experience, but security risks mount as more sensitive data is collected. TrueVault tackles this ...