A new wave of privacy and security reform is about to sweep through Europe – and it affects most of the world, as well.
After years of back-and-forth and heated discussions about the current state of data security, the European Union has adopted a new data protection framework, called the General Data Protection Regulation, or GDPR. This Regulation is a totally new legal framework for how personal data is used and processed, and applies well beyond the borders of Europe.
By May 25th, 2018, organizations that handle private European data in the EU (European Union) need to have fully implemented the newly created GDPR. And while a year and a half may sound far away, this is not a project to procrastinate on, as there are several moving parts that need to be in effect before the May deadline. The biggest change to note is that with the GDPR, any organization that processes, holds, or owns European data or is based in the EU needs to adhere to the regulation – or face heavy penalties.
So no matter where you or your company resides, if you keep (or process) even one European customer's or user's personal data, you are required to adhere to this new regulation. To ensure your compliance with the policy, especially in the areas related to application security, we break down the most important bits of the GDPR.
A Brief Overview of the GDPR and the Need for Higher Privacy and Security Standards
The EU GDPR is replacing the Data Protection Directive 95/46/EC, established in 1995. The Data Protection Directive was comprehensive for its time, before the explosion of data collection and big data. Yet the older document was non-binding, and the actual laws enforcing the Directive have differed wildly among countries within the EU.
As the EU has grown, corporations from all over the continent began business relationships and partnerships with other countries within and outside of Europe. As part of these synergies, customer data has flowed freely between organizations, public and private companies, and across country borders and even continents, each with its own data security policies in place, creating major holes for data security and privacy. That fact, coupled with the rapid pace of technology, which now supports the public use of personal data (often called PII, personally identifiable information) at a global scale – and with insecure results – are the driving factors behind the GDPR.
The regulation's purpose is, in short, to give European citizens more control over their personal data, while also streamlining the processes behind the regulation of data.
Key Changes between the Data Protection Directive 95/46/EC and the GDPR:
The Regulation is long, and while it’s a crucial read for privacy and security professionals, here we’ve picked out the most important bits.
Application Security Requirements in the GDPR
When it comes to AppSec requirements in the GDPR, Articles 25, 32, 33, 34, and 35 contain most of the details regarding what organizations need to focus on when securing the data that flows through their applications, as well as what to do in the case of a breach. The general requirements revolve around the concepts of preventing, assessing, and monitoring. Let's take a look at the top five key takeaways from the data security sections of the GDPR:
The GDPR is making security an absolute requirement for organizations handling EU data, large and small. If in the past your organization has forgone security processes due to lack of budget or manpower, increased administrative overhead, or the like, you may have been able to get away with it. Not anymore – it's not worth the risk. Noncompliance with the GDPR can result in heavy fines, to the tune of €20 million, or up to 4% of the company's annual revenues for that year (whichever is larger that year!). Suffice it to say, these financial penalties are likely to play a major role in motivating organizations to comply.
On the other side of the spectrum, those who do comply with the regulation can use that fact as a competitive differentiator, using the GDPR compliance certificate to prove their organization's high security standards and gain trusting customers as a result.
Bottom Line: Get it Right Now to Avoid Even Bigger Headaches Later
If you're already behind in your security and privacy maturity level, enacting the GDPR in your organization may sound like a nightmare scenario. The good news about the Regulation is that while it may create a bit of a headache to initiate and get up to standard, it's actually a pretty comprehensive way to secure your data, not just another check box. Compliance regulations like the GDPR (when properly built) are there to keep customers safe – something an organization should also have a vested interest in.
Next Steps | Further Resources to Help You Get Ready for the GDPR: