If you’re reading this post, it’s likely you’re doing so because you’ve heard of GDPR. Maybe you’ve been struggling with the enormity of the task for the last year or so. Maybe your organization already has a plan and staff in place to manage the countless processes the organization needs to get a handle on to comply with the regulation, which, if you’ve somehow forgotten, goes into effect on May 25, 2018—just about three months from now. Most probably, unless you work for a large organization with multitudinous resources, you’re in the midst of or just starting to think about how to manage that deadline (Ooops, procrastination). The harsh reality is, if you haven’t been preparing for months, your company will not meet the deadline. That said, not only is the General Data Protection Regulation not optional, but it’s a good baseline for how companies should be approaching data protection.
At its core, GDPR is a framework that helps companies navigate local, state, federal, and national data privacy laws—because they’re now centralized and standardized. Prior to its creation, each country within the European Union (EU) had its own set of requirements and recommendations, which made complying significantly challenging. Under GDPR, the rules are simpler, but the process of complying is like climbing Mt. Everest: It’s going to take months and months of detailed preparation, collaboration with and assistance from third parties (e.g., the right “gear”), and lots of hard work.
First things first
The first thing companies collecting, processing, and/or storing any personal data of EU citizens need to do is “develop a top-level data governance strategy aimed at meeting regulation requirements,” says Peter Merkulov, CTO at Globalscape. Easy, right? The fact is, many companies don’t even know where large swaths of their data reside. It’s been a bit of the Wild West in terms of how companies allow employees to collect and use data. Between cloud-based storage and collaboration tools, business applications, and the “businessification” of tools developed for the consumer market, it’s likely that no one department has a complete inventory of where all the personal data of its EU clients, partners, and employees is housed.
At a very basic level, consider the plethora of sanctioned tools (disregarding shadow IT, for a moment) in use by your company’s marketing team (e.g., Marketo, Act-On), finance and HR teams (which, in and of themselves, routinely use an array of third-party software ranging from payroll and accounting/general ledger to employee benefits including healthcare, 401(K) providers, etc.), and sales/customer service/general use (e.g., Salesforce, Oracle, Microsoft). Even at a small company, the number of platforms and tools in use that capture personal data can add up to hundreds of systems. Under GDPR, not only is your company responsible for data it collects, controls, and processes, but there is an oversight requirement. In other words, companies now must ensure their vendors and suppliers are also compliant. This doesn’t mean companies must audit every one of their vendors’ systems to ensure the provider is using proper encryption, secure file transfer, or least-privilege-by-design, for instance, but it does mean a call between legal or compliance teams and careful reviews of executed contracts.
According to Darrin Reynolds, Head of Emerging Regulations at Amazon, companies “need to be conscientious about the companies they partner with now more than ever. At the very least, your provider needs to be GDPR aware. Ideally, though, anyone you’re working with can provide a letter of attestation and is willing to write or revise contracts to cover GDPR requirements.” Merkulov agrees and adds, “It is important to establish guidelines in advance of signing any sort of agreement with the vendor to ensure your compliance standards are being met. If a controller is already actively engaged in an agreement with a processor, it is critical to revisit these agreements and reevaluate based on changes to regulations in advance of their taking effect.”
In short, the first step in becoming GDPR-ready is: Know where your data reside. Once you’ve discovered all of those places, if your company is the controller of data on EU citizens, it’s time to start putting technical processes in place. If you’re working with data processors (hint: you are), it’s time to call those companies, talk with their legal or compliance team, and ensure they’re working towards (or have achieved) GDPR compliance.
After the “where” has been determined, GDPR requires companies to alter how they’ve been using data of EU residents. By May 25th marketing teams must change consent mechanisms—EU citizens must opt in rather than opt out (as is typically the case today) to communications or use of their data. In other words: No more auto-subscribe or pre-checked boxes. Companies will have to more clearly define terms and conditions, provide an easy way for removal or deletion of personal data upon request, show how data is securely transferred between entities (if applicable), and be able to demonstrate pseudonymization of personal data when and where aggregation and large-scale processing occur. It will be the obligation of data controllers to prove—when asked—how data subjects’ data were obtained and added to lists, consent mechanisms used to initiate marketing, and processes used for removing or destroying data.
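The pseudonymization and erasure obligations above are easier to reason about with a concrete implementation, so here is an added example (not code from the original post or from any vendor quoted in it). It uses a keyed HMAC so that the same identifier always maps to the same pseudonym (aggregation still works) while the secret key, held separately from the dataset as GDPR Article 4(5) requires, is needed to link a pseudonym back to a person. The records, the e-mail addresses and the key are all constructed for the example.

```python
"""Keyed pseudonymization for aggregate processing, plus erasure on request.

Added illustration: the record layout, sample rows and key are constructed here,
not taken from any real system.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample of "personal data" records; every value is made up.
RECORDS = [
    {"email": "anna@example.org", "country": "DE", "purchase": 42.0},
    {"email": "Anna@Example.org", "country": "DE", "purchase": 18.5},
    {"email": "bob@example.org", "country": "FR", "purchase": 99.0},
    {"email": "cara@example.org", "country": "DE", "purchase": 7.25},
]


def new_pseudonymization_key() -> bytes:
    """Generate the secret key. Store it apart from the pseudonymized dataset
    (key vault / HSM), so the dataset alone does not identify anyone."""
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Map an identifier to a stable pseudonym with HMAC-SHA256.

    A plain unkeyed hash would let anyone holding a list of candidate e-mail
    addresses hash them and match the result; the keyed construction requires
    the separately held key, which is what makes this pseudonymization rather
    than a reversible encoding. Normalizing case keeps one subject = one pseudonym.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymize_records(records, key: bytes):
    """Return a copy of the records with the direct identifier replaced by its pseudonym."""
    return [
        {"subject": pseudonymize(r["email"], key),
         "country": r["country"],
         "purchase": r["purchase"]}
        for r in records
    ]


def spend_per_subject(pseudo_records):
    """Large-scale processing on the pseudonymized set: totals per subject,
    computed without ever seeing an e-mail address."""
    totals = Counter()
    for r in pseudo_records:
        totals[r["subject"]] += r["purchase"]
    return dict(totals)


def erase_subject(pseudo_records, email: str, key: bytes):
    """Right to erasure: recompute the subject's pseudonym (key required) and
    drop every row that belongs to it."""
    target = pseudonymize(email, key)
    return [r for r in pseudo_records if r["subject"] != target]


if __name__ == "__main__":
    key = new_pseudonymization_key()
    pseudo = pseudonymize_records(RECORDS, key)
    print("subjects after pseudonymization:", len(spend_per_subject(pseudo)))
    print("rows after erasing anna@example.org:",
          len(erase_subject(pseudo, "anna@example.org", key)))
```

Two properties matter for a controller answering a supervisory authority: the analytics team can run `spend_per_subject` on the pseudonymized copy without access to the key, and an erasure request is serviced by deriving the pseudonym from the request's e-mail address, so no lookup table of e-mail-to-pseudonym needs to exist alongside the data.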
In addition, says Merkulov, companies must “lay a foundation with a combination of company standards and system controls that mandate [and monitor] acceptable behavior. These standards should outline appropriate end user behaviors and how to address a security concern properly when one arises.” He adds that companies should provide proper training and tools for employees so they are able to comply with GDPR instead of defaulting to ingrained processes and procedures.
Further, while GDPR does not define precisely which technical controls need to be used to govern and secure EU citizens’ personal data, companies should take a close look at restricting data access, insisting on strong passwords coupled with two-factor or multi-factor authentication (especially in the case of administrator access), and how personal data is encrypted. Reviewing processes and procedures will allow companies to identify where processes are lax, and then take appropriate measures to ensure they’re doing everything in their power to prevent a breach.
In essence, GDPR is moving the focus from reactive defense to proactive prevention by establishing clear guidelines and imposing heavy fines in the face of noncompliance or breach. This is true for data controllers and their downstream data processors—companies will be responsible for some level of oversight (though definitively not management or audit) of suppliers/partners/vendors. “As a result of the GDPR directive,” says Merkulov, “for the first time, processors are now subject to penalties and civil claims by data subjects. Previously, only the controller was considered at fault.”
Whether your company is the data controller or the data processor, under GDPR, EU citizens maintain the right to be informed, the right to access, the right to erasure, the right to inspect, the right to restrict, and more. Needless to say, GDPR isn’t messing around: it’s time to get your data house in order if it isn’t there already. When it comes to third-party processors, Merkulov offers these suggestions as a starting point:
- Clearly define “sensitive” or “personal data” as it’s spelled out in GDPR. Don’t assume everyone has the same definition.
- Prior to any data exchange, establish the level at which each data set is to be classified, and establish appropriate security controls in accordance with the classification.
- Review and/or re-write contracts to ensure the third party is following GDPR directives such as consent for processing personal data, right of access, right of rectification, and right of erasure.
- Contractually establish guidelines for breach notification. Under GDPR, companies must report a breach to the governing body within 72 hours; don’t find out your supplier was breached through a media announcement.
- Contractually define processes for third parties, including:
  - Maintaining records of how each company has achieved and will preserve compliance;
  - How parties will partner in the event of a breach;
  - Incident response and investigation practices; and
  - Breach liability.
- Include the “right to audit” in third-party contracts.
Of course, though GDPR is a compliance mandate—and compliance assuredly does not equal security—its intended purpose is to spur good cybersecurity practices into motion. If approached as the baseline for data protection oversight, GDPR can be a game changer for companies’ data protection strategies. If, however, businesses look at GDPR as just another mandate that can be accomplished with checkboxes and audit reports, its effect will be minimal. Processes and procedures are a good start, but hardened data protection requires adherence to basic system administration (a.k.a., the “unsexy stuff”): asset inventory, secure implementation of technical controls, continuous monitoring and measurement of said controls, testing, remediation of vulnerabilities, more testing, and attention to high-priority alerts.
GDPR, most importantly, will require workers to approach the handling of EU data subjects’ data in a new way. In truth, this might be the biggest challenge of all, but the best place to start is with education.