If you’re like me, you believe that simplicity is key, especially when it comes to privacy, security, and information risk management. With legislation like the General Data Protection Regulation (GDPR), that need for simplicity is particularly relevant.
The goal of the GDPR is to provide EU citizens with a right to privacy while simplifying what that means for organizations that collect, process, and store private information. You might hear terms like Data Protection Agency (DPA) and one-stop shop in this context. The key takeaway here is that the EU is centralizing privacy legislation, a stark contrast to the state-by-state approach in the US.
The GDPR itself is legislation, as in legal, as in (potential) lawsuits. In order to avoid these lawsuits (and the crippling fines that accompany them), organizations need to take steps to comply with the law.
So what do you need to know (the short version, anyway)?
- Enforcement goes into effect May 25, 2018.
- If you have data on EU citizens, even if your organization is located outside of the EU, the GDPR applies to you.
- Fines for non-compliance are brutal. For serious violations, you’re looking at 4% of annual global turnover or 20 million Euros.
- Serious violations include things like “not having sufficient customer consent to process data” or “violating the core of Privacy by Design concepts.”
- The GDPR includes a tiered approach to fines for less serious violations.
- You can get hit for 2% of annual global turnover for things like “not having [your] records in order (article 28)” or “not notifying the supervising authority and data subject about a breach” or “not conducting impact assessment.”
- The list of Data Subject elements (anything that can directly or indirectly identify an individual) may be more detailed than you thought.
  - From the GDPR website: “It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
- No more hiding behind long, complicated legalese when requesting consent to collect data. If your form isn’t both “intelligible” and “easily accessible,” you’re violating the law.
- Parental consent must be collected for children under 16.
  - This is more restrictive than the Children’s Online Privacy Protection Rule (COPPA), which applies to children up to 13 years of age.
- You may need to appoint a Data Protection Officer (DPO), particularly if you are:
  - “A public authority;”
  - “An organization that engages in large scale systematic monitoring;” or
  - “An organization that engages in large scale processing of sensitive personal data.”
- If you have a data breach involving private information, you have to notify the DPA within 72 hours and the affected individuals “without undue delay.”
- If you can demonstrate how your processes align with the GDPR’s expectations for “Data Subject Rights,” you’ll be in good shape. Specifically, these rights include the following:
  - Breach Notification
  - Right to Access
  - Right to be Forgotten
  - Data Portability
  - Privacy by Design
  - Data Protection Officers
When it comes to Privacy by Design, the GDPR website references guidelines from the Organisation for Economic Co-operation and Development (OECD). Originally published in September 1980, these guidelines fall into the “oldie but a goodie” category. They set forth the following principles:
- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification Principle
- Use Limitation Principle
- Security Safeguards Principle
- Openness Principle
- Individual Participation Principle
- Accountability Principle
If you’re looking for the simplest path to get from where you are today to where you need to be, I recommend that you consider the following:
- Perform a GDPR compliance/readiness assessment.
  - Start with the bullet points listed in this article, and then expand your efforts to include the entire law.
  - If you’ve got the know-how in-house, great! If not, find a partner who can help.
- Perform an internal “Privacy by Design” assessment to gauge how closely your organization’s data management practices adhere to the eight (8) principles defined in the OECD guidelines.
- Sit down with your legal counsel and ask them for their input.
  - Combining their input with your readiness assessments puts you in a much stronger position.
- Update your incident response procedures, especially as they pertain to a potential breach of privacy information.
- Update your existing IT/security policies and procedures to reflect GDPR expectations for Data Subject Rights.
- Perform an access management assessment to determine which accounts (user and privileged) have access to privacy data.
  - Once that assessment is complete, you may need to make changes to ensure that you’re managing that access in a manner that reduces risk to your organization.
- Review (and update) your logging and monitoring controls to ensure that your teams are notified immediately of inappropriate attempts to access sensitive data sets.
- Tighten your information security controls around Internet-facing systems (technical vulnerabilities) and social engineering attacks (human vulnerabilities) to reduce the risk that an attacker can gain access to your internal network.
GDPR is going to require changes for many organizations, but truth be told, these are changes for the better. If you take a measured approach to simplifying how this legislation impacts your organization, you can make those changes in a controlled, cost-effective manner that minimizes disruption to your day-to-day operations.
Most importantly, you’ll be doing right by your customers. They may never see (or fully understand) the effort you put forth to keep their data safe, but as someone who’s worked in the same trenches as you, I get it.
And for that, you have my thanks.
By night, I’m a husband, father, writer, filmmaker, martial artist, musician, and gamer. I think it’s fair to say that I’ve earned every gray hair in my beard, having spent my career fulfilling infosec roles in consulting, higher education, retail, and public utilities.
I like to share what I’ve learned over the years with local and regional information security professional organizations, as well as attendees at larger information security conferences. In addition to writing articles like this one, I teach information security courses, both domestically and internationally.
At the end of the day, I just want to help folks get one step closer to doing what they want to do securely. If you have a topic you’d like to learn about, hit me up and I’ll see what I can do.