Am I Affected by the European General Data Protection Regulation?
It’s a year until the biggest shakeup to Europe’s privacy laws in nearly a generation takes effect. The European General Data Protection Regulation (GDPR) will bring sweeping new rules into force, including new rights for individuals over how their personal data is used and a requirement to notify regulators of data breaches within 72 hours. Yet there’s still confusion over which companies and what types of data are covered by the law. With firms currently complying with less than 40% of GDPR principles on average, time is running out.
That’s why Delinea is running a new monthly blog series designed to raise awareness about the GDPR as the clock counts down to 25 May 2018. It’s not intended as a comprehensive checklist, but it will hopefully get more organizations thinking and acting. With fines for the most serious infringements of up to 20 million euros or four percent of global annual turnover, whichever is higher, the stakes are high.
First up: exactly what is the scope of the new legislation?
The first thing to note is the wider scope of the GDPR compared to the current Data Protection Directive, which UK organizations know through its national implementation, the Data Protection Act. The GDPR applies first to processing carried out by any organization established in the European Union. That covers those with headquarters or major subsidiaries in the EU, but can also include those who merely have a few sales staff operating in the region. For organizations not “established” in the EU, the law still applies if they offer goods or services to individuals in the EU, or monitor their behaviour there; note that the test is where the data subject is, not their citizenship. Such organizations will generally have to designate a representative inside the EU to handle such matters.
As we’ll discuss in a later blog, UK firms remain covered by the GDPR, even post-Brexit.
The GDPR will also apply not just to data controllers (as under the Data Protection Act) but also to data processors, which process personal data on behalf of a controller. The Information Commissioner’s Office (ICO) provides a clear example of the difference: if a local authority stores data on its citizens with a third-party cloud provider rather than on its own in-house servers, the cloud company is the data processor and the local authority is the data controller.
So What Constitutes Personal Data?
The sweep of data covered by the GDPR is also greater than anything that has gone before. Personal data refers to “any information relating to an identified or identifiable natural person”, where “identifiable” takes account of “all means reasonably likely to be used” to single that person out, whether directly or indirectly. The breadth of personal data applicable to the GDPR is so wide that organizations are urged to minimize their risk exposure by wiping any customer data they don’t need, and either anonymizing or pseudonymizing the remainder where possible. One caveat a practitioner should keep in mind: pseudonymized data that can still be attributed to a person using separately held information (such as a key or lookup table) remains personal data under the GDPR; only data that has been genuinely anonymized falls outside its scope.
While regulators will surely allow for a bedding-in period after 25 May 2018, their patience won’t last forever, and a few high-profile enforcement cases are likely to be used to show they mean business. The bottom line is: comply or face fines.
The legislation, as we’ve discussed, covers a huge number of areas. But one in particular stands out: the requirement to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. This means firms will have to get better not only at visibility into their systems, so that breaches are spotted early in the kill chain, but also at preventing them in the first place. After all, no organization wants the bad publicity, fines, and reputational damage that typically follow a breach.
How to Comply
The question is: how to comply? The GDPR is not explicit about which security controls are needed to mitigate the risk of a breach. That may well be a deliberate move, designed to future-proof the law as technologies come and go and to stop organizations resorting to a tick-box approach to compliance.
However, it does state that data should be processed in a way that “ensures appropriate security of the personal data, using appropriate technical and organizational measures,” taking into account “the state of the art and the costs of implementation.” Staying up to date with technology advances and following security best practices is therefore key to avoiding a damaging breach. And if you are breached anyway, being able to show you took appropriate measures will help you avoid follow-on fines for negligence.
Many breaches come about because organizations still rely on password-only authentication. Poor password management makes the attacker’s job easy: guessed, cracked, reused, or phished passwords give them privileged accounts, and with those, access to your organization’s most sensitive data.
That’s why we’d always recommend risk-based multi-factor authentication (MFA), which weighs the context of each log-in attempt (the device, location, time, and account involved) and prompts the user for an additional factor when the attempt looks risky. Combine this with a “least privilege” approach, ensuring staff have no more access to systems, commands, and functions than they strictly need, and you’ll be off to a great start with GDPR compliance.
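To make the risk-based MFA idea concrete, here is an added example (not code from the original post or from any particular product) of the decision logic such a system runs per log-in attempt. The signals, weights, and thresholds are assumptions chosen for illustration; a real deployment would tune them against its own log-in history. The example also encodes one least-privilege-adjacent rule: attempts against privileged accounts are never allowed on a password alone, regardless of score. All users, devices, and log-in events below are constructed.

```python
"""Risk-based step-up decision for log-in attempts (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

# Policy thresholds (assumed values for the example).
STEP_UP_THRESHOLD = 30   # at or above: require a second factor
DENY_THRESHOLD = 90      # at or above: refuse even with a second factor
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    time: datetime
    is_privileged: bool = False


@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    last_country: Optional[str] = None
    last_login: Optional[datetime] = None
    recent_failures: int = 0


def risk_score(attempt: LoginAttempt, history: UserHistory):
    """Return (score, reasons) for one attempt given the user's history."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += 40
        reasons.append("unknown device")
    if history.last_country and attempt.country != history.last_country:
        score += 30
        reasons.append("country changed since last log-in")
        # Country changed within a window too short to travel: strong signal.
        if history.last_login and attempt.time - history.last_login < IMPOSSIBLE_TRAVEL_WINDOW:
            score += 30
            reasons.append("impossible travel")
    if history.recent_failures >= 3:
        score += 20
        reasons.append("repeated recent failures")
    if attempt.is_privileged:
        score += 20
        reasons.append("privileged account")
    return score, reasons


def decide(attempt: LoginAttempt, history: UserHistory) -> str:
    """Map the risk score to 'allow', 'step-up' (second factor) or 'deny'.

    Privileged accounts always get at least 'step-up': a password alone is
    never enough for them, whatever the contextual score says.
    """
    score, _ = risk_score(attempt, history)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD or attempt.is_privileged:
        return "step-up"
    return "allow"


# Constructed users and histories.
T0 = datetime(2018, 5, 25, 9, 0)
HISTORIES = {
    "alice": UserHistory({"laptop-a1"}, "GB", T0 - timedelta(days=1), 0),
    "bob":   UserHistory({"laptop-b7"}, "DE", T0 - timedelta(hours=5), 0),
    "carol": UserHistory({"laptop-c3"}, "FR", T0 - timedelta(minutes=30), 4),
}
ATTEMPTS = [
    LoginAttempt("alice", "laptop-a1", "GB", T0),                        # routine
    LoginAttempt("alice", "phone-new", "GB", T0),                        # new device
    LoginAttempt("bob",   "laptop-b7", "DE", T0, is_privileged=True),    # admin, routine
    LoginAttempt("carol", "tablet-x9", "BR", T0),                        # new device, jumped country in 30 min
]


def evaluate_all():
    """Decide every constructed attempt; returns {user/device: decision}."""
    return {f"{a.user}/{a.device_id}": decide(a, HISTORIES[a.user]) for a in ATTEMPTS}


if __name__ == "__main__":
    for a in ATTEMPTS:
        score, reasons = risk_score(a, HISTORIES[a.user])
        print(f"{a.user:6} {a.device_id:10} {decide(a, HISTORIES[a.user]):8} score={score:3} {reasons}")
```

Alice on her usual laptop is allowed through on the password alone; the same user on an unseen device is asked for a second factor; Bob's routine admin log-in is stepped up purely because the account is privileged; and Carol's attempt, from a new device in a different country half an hour after her last log-in with several recent failures, is denied outright.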
Next month we’ll be taking a look at data classification: why GDPR compliance should start with knowing what you’re processing, where it’s stored, and how it’s used.