A new wave of privacy and security reform is about to sweep through Europe – and it affects most of the world, as well.
After years of back-and-forth and heated discussions about the current state of data security, the European Union has adopted a new data protection framework, called the General Data Protection Regulation, or GDPR. This Regulation is a totally new legal framework for how personal data is used and processed, and applies well beyond the borders of Europe.
By May 25th, 2018, organizations that handle private European data in the EU (European Union) need to have fully implemented the newly-created GDPR. And while a year and a half may sound far away, this is not a project to procrastinate, as there are several moving parts that need to be effective before the May deadline. The biggest change to note is that with the GDPR, any organization that processes, holds, or owns European data or is based in the EU needs to adhere to the regulation – or face heavy penalties.
So no matter where you or your company resides, if you keep (or process) even one European customer or users personal data, you are required to adhere to this new regulation. To ensure your compliance with the policy, especially in the areas related to application security, we break down the most important bits of the GDPR.
A Brief Overview of the GDPR and the Need for Higher Privacy and Security Standards
The EU GDPR is replacing the Data Protection Directive 95/46/EC, established in 1995. The Data Protection Directive was comprehensive for its time, before the explosion of data collection and big data. Yet the older document was non-binding, and the actual laws enforcing the Directive have differed wildly among countries within the EU.
As the EU has grown, corporations from all over the continent began business relationships and partnerships with other countries within and outside of Europe. As part of these synergies, customer data has freely flowed between organizations, public and private companies, and across country borders and even continents, each with its own data security policies in place, creating major holes for data security and privacy issues. That fact, coupled with the rapid pace of technology, which now supports the public use of personal data, often called PII, (personally identifying information) at a global scale – and with insecure results – are the driving factors behind the GDPR.
The regulation is, in short, to give European citizens more control of their personal data, while also streamlining the processes behind regulation of data.
Key Changes between the Data Protection Directive 95/46/EC and the GDPR:
The Regulation is long, and while it’s a crucial read for privacy and security professionals, here we’ve picked out the most important bits.
- With the GDPR, any company either based in the EU or which deals with any data involving EU citizens or organizations are required to comply, no matter where the company is based or where data processing takes place.
- The scope of what personal data includes is broader. Under the GDPR, personal data includes anything that might identify an EU citizen, including IP addresses and cookie IDs.
- Breach notification protocols have been overhauled. Companies will now need to report incidents that could risk customer data to their country’s Data Protection Authority within 72 hours of discovery. For major breaches, the affected company has an additional requirement of informing their customers or users themselves. The regulation document offers specific breach notification requirements, including:
- If the breach notification is not given within 72 hours, the data controller, or company that owns the data, must offer justification for the delay.
- Data processors, or companies that deal with data but don’t actually own it (cloud services like Amazon Web Services), are also required to report on breaches without “undue delay,” though a specific timeframe isn’t offered in this case.
- Data controllers need to create or maintain an internal breach register, documenting any incidents that may have compromised personal data, what effects there were, if any, and what remediation steps were taken.
- The need to designate a Data Protection Officer (DPO) is a part of the Regulation, separate from a CISO. The role of the DPO is to ensure the organization complies with this regulation, and of course any other applicable compliance requirements and manage the notifications and registrations to attain and maintain compliance. The DPO will be responsible for implementing the policies and procedures required to manage data outsourcing and processing activities, and should report directly to management.
- The EU will establish one single supervisory authority as a ‘one-stop shop’ approach to regulating data privacy, as opposed to each country having their own (with their own rules, requirements, etc.) and rules not applying to countries outside the EU.
Application Security Requirements in the GDPR
When it comes to AppSec requirements in the GDPR, Articles 25, 32, 33,34, and 35 contain most of the details regarding what organizations need to focus on when securing the data that flows through their applications, as well as what to do in the case of a breach. The general requirements revolve around the concepts of preventing, assessing, and monitoring. Let’s take a look at the top five key takeaways from the data security sections of the GDPR:
- In order to discover any weak points in how data is processed or handled, the GDPR mandates that organizations assess their current systems and processes for how they currently handle data and perform a gap analysis to find what works and what needs to be changed or removed.
- There needs to be Privacy/Security by Design and by default to ensure data is secured from the inception of the application or system. This concept describes the idea that security and privacy need to be considered during the planning phases, as opposed to during development (or even later in the SDLC).
- Companies will be required to “ensure a level of security appropriate to the risk,” with the following specifics:
- Encryption and pseudonymisation of personal data.
- The ability to restore personal data availability in the event of a security incident or technical issue in a timely manner.
- Ensuring ongoing confidentiality, integrity, and availability (the tenets of InfoSec) of data processing systems and services.
- Establishing a process for regular security testing and assessment of the effectiveness of security practices and solutions in place.
- Organizations should practice the principle of least privilege, as well as regularly ‘cleaning house’ and removing any data that is no longer needed.
- Lastly, it is recommended, though not mandated, the organizations, especially larger ones, create centralized application and data repositories to maintain better control over customer data.
What Happens If Organizations Don’t Comply with the General Data Protection Regulation?
The GDPR is making security an absolute requirement for organizations handling EU data, large and small. If in the past, your organization has foregone security processes due to lack of budget or manpower, increased administrative overhead, or the like, you may have been able to get away with it. Not anymore – it’s not worth the risk. Noncompliance to the GDPR can result in heavy fines, to the tune of €20 Million, or up to 4% of the company’s annual revenues for that year (whichever is larger that year!). Suffice to say, these financial penalties are likely to play a major role in motivating organizations to comply.
On the other side of the spectrum, those who do comply with regulations can use that fact as a competitive differentiator, using the GDPR compliance certificate to prove your organization’s high security standards and gain trusting customers as a result.
Bottom Line: Get it Right Now to Avoid Even Bigger Headaches Later
If you’re already behind in your security and privacy maturity level, enacting the GDPR in your organization may sound like a nightmare scenario. The good news about the Regulation is that while it may create a bit of a headache to initiate and get up to standards, it’s actually a pretty comprehensive way to secure your data, it is not just another check box . Compliance regulations like the GDPR (when properly built) are there to keep customers safe – something an organization should also have a vested interest it.
Next Steps | Further Resources to Help You Get Ready for the GDPR:
- Official website of the General Data Protection Regulation, with the full text of the regulation and further resources
- 12 Steps in Preparing for the General Data Protection Regulation, via the UK’s Information Commissioner’s Office
- Need help? Talk to us about how automated security testing can take you from zero to AppSec hero in no time!