Way back in 2012, the European Commission laid down initial plans for the European Union’s data protection reform. It took the relevant parties four years to reach an agreement on what would be involved and how it would be enforced. And now, here we are! As close as ever to the May deadline in the year Europe finally takes the leap to be “fit for the digital world”, and businesses will be changing the way in which data is handled, processed, and protected with the General Data Protection Regulation (GDPR).
Being citizens of today’s crazy world, almost everything we do and have revolves around data. Every time we use a service, you can bet that our data is being recorded and analyzed. Our names, addresses, ID numbers, credit card info, etc. are constantly being collected, tracked, analyzed, and in many cases even saved by organizations. With data being everywhere and its contents being so valuable, data breaches have become inevitable. Hackers gonna hack, and businesses have notoriously fallen short when it comes to the protection of their customers’ data, meaning that the hackers have been doing pretty well in this raging cyber war.
And here enters GDPR. But first, let’s quickly rewind and refresh our memories on what the GDPR is.
Put briefly, the GDPR is a new set of rules that gives EU citizens more control over their data while simplifying the data-related regulations for businesses. The new rules and regulations aim to reflect the fast-paced and connected world we live in.
Following four years of long debates and vast preparation, the European Parliament approved the GDPR in April 2016. And so, the GDPR will come into effect on the 25th of May, 2018, and all EU member-nations are expected to have incorporated the GDPR into their own laws by the 6th of May.
GDPR and Organizations
Under the GDPR, organizations will need to ensure that all personal data is gathered in a legal manner and under strict conditions. Organizations are duty-bound to protect the data from exploitation and must respect the rights of data owners. Organizations will also face some pretty serious penalties for failing to protect the data.
It’s important to note that the GDPR applies to organizations and individuals operating and residing within the EU, as well as organizations outside the EU which offer services or goods to customers in the EU. The GDPR is essentially legislation with worldwide reach, as companies based outside the EU will still need to comply.
And on the topic of how the GDPR will affect businesses, the European Commission says that “By unifying Europe’s rules on data protection, lawmakers are creating a business opportunity and encouraging innovation”. The Commission claims that having one authority for the entire EU should make compliance a simpler and cheaper process for businesses operating within the region. This will be achieved by products and technologies providing what is essentially “data protection by design and by default” (Art. 25).
GDPR and Citizens
One of the biggest changes brought by the GDPR is that citizens are now armed with the right to know when their data has been breached. Organizations will be required by law to notify the designated and relevant national bodies as soon as a breach is detected, to help keep their customers’ data from being abused. Furthermore, customers will now have a more transparent view of how their data is processed.
It really feels like many organizations have already been taking steps towards that transparency between them and their customers. I, for one, have already started receiving emails from companies giving me much more information on how my data is used. Additionally, many organizations have been contacting customers to ask whether or not they still want to be part of their database, making it as easy as ever for a customer to opt out of mailing lists.
Finally, the GDPR is at last bringing in the much buzzed-about ‘right to be forgotten’ process (Art. 17). This process allows citizens who no longer want their data to be processed, stored, or passed through systems to have it deleted (once it has been established that there are no grounds to keep it).
GDPR and Data Breaches
As mentioned earlier in this blog post, once the GDPR comes into effect, it will introduce a new set of rules all organizations must follow when it comes to a data breach. For starters, organizations are obligated to report any breach or unauthorized occurrence involving the personal data of their customers. If a name, address, health record, bank detail, or any other bit of private data is breached or accessed by a malicious party, the organization is obliged to tell those affected and must report it to the relevant regulatory body so that the extent of the damage can be limited.
When a data breach occurs, it must be reported to the relevant regulatory body within 72 hours of the organization becoming aware of it. At the same time, if the breach calls for customers to be notified, the GDPR rules that customers must be informed ‘as soon as possible’ so that they can deal with the damage.
When a breach occurs, the organization must let those affected know via a breach notification (Art. 33) sent directly to the victims. This means that a press release or a notice on the company website does not cover the organization’s obligation to let its customers know. The notification must be one-on-one.
Fines and Penalties
The GDPR does not mess around. Failure to comply with the GDPR comes with serious financial repercussions, and the penalty will depend on the severity of the data breach along with whether the organization appears to have taken the compliance and security regulations seriously. Fines range from 10 million euros to 4% of the organization’s annual global turnover (meaning, for some companies, billions of euros). There is a maximum fine of 20 million euros (or, if greater, 4% of annual global turnover) for violations of data owners’ rights, not giving customers access to their data when they request it, illegal or unauthorized international transfer of personal data, and failure to put the necessary GDPR procedures in place.
GDPR and AppSec
I recommend reviewing the following Articles to learn more about the application security requirements in the GDPR: 25, 32, 33, 34, and 35. These Articles recap what organizations need when securing the data flowing through their applications, in addition to what needs to be done if there is a data breach. Here are some notable takeaways:
I hope this blog post is able to shed some light on what is to come during this year of GDPR. So, is your organization GDPR ready? Tweet us the answer!
Did you know that Checkmarx fully complies with the GDPR? Checkmarx’s CxSAST makes addressing the new GDPR guidelines much easier with a static code analysis solution, as it addresses the following requirements: