Download our in-depth report: The Ultimate Guide to IT Security Vendors
In a little over a month – on May 25, to be precise – the EU's General Data Protection Regulation (GDPR) will take effect, and if your company is not in compliance, you risk incurring significant financial penalties.
More than 50% of companies subject to GDPR will not be in full compliance with its requirements even by the end of 2018, according to Gartner. That's a lot of exposure to the most significant compliance regulation to come along in many years.
This guide will help your company with GDPR compliance. We'll start with a discussion of the law and then move into strategies that can help you meet the GDPR's toughest requirements for data privacy and security. Here's a link to the official GDPR text, but a more user-friendly version can be found at gdpr-info.eu; if you do business with customers in the EU, you can't afford not to read the entire law.
Jump to section:
- What is GDPR?
- GDPR compliance assessment
- 12 steps to GDPR compliance
- Processor vs. controller
- Data Protection Officer
- Data protection impact assessment
- Right to access, rectification and erasure
- Protecting customer information
- Encryption and pseudonymization
- Other security measures
- Breach notification requirements
- Fines and penalties
The GDPR is designed to protect the personal data of EU citizens, and to do so it regulates how such data is collected, stored, processed, and destroyed. The definition of "personal data" is extremely broad: It includes names, addresses, and bank details, but also data related to religion, race, mental or physical characteristics, and even IP addresses, web cookies, contacts, and mobile device IDs, if they identify an individual.
Perhaps most importantly, the territorial scope of the law is very broad. Article 3 of the GDPR states that a company anywhere in the world is subject to the GDPR if it processes the personal data of anyone residing in the EU. It doesn't matter if your company has no offices or employees in the EU, or even if no transactions are carried out in the EU. If you process an EU citizen's personal data, then you need to comply with the GDPR or face the financial consequences.
Complying with the GDPR is a huge undertaking, but it's important to understand that it is a business project rather than just an IT or IT security project. The IT department can help ensure data integrity and security, but new business processes may need to be put in place to ensure that individuals can access their own data, that privacy is built into all systems and services, and that all other obligations of the regulation can be fulfilled.
The good news is that GDPR compliance isn't just about satisfying some unseen European bureaucrat. Companies that study their data model and take time to understand what they have may well end up being able to manage that data throughout its lifecycle much more efficiently. It's unlikely that any but the very smallest companies will be able to achieve this manually, so GDPR compliance will very likely necessitate the use of automated processes and other enterprise technologies. (See our guide to GDPR solutions and vendors.)
The bad news is that while GDPR compliance is occupying a huge amount of IT time and resources, it's not the only regulation in town. While GDPR compliance is important, it is vital not to forget about the other compliance and data privacy regulations that may apply to your organization.
Moving your organization into GDPR compliance is a process you ideally started many months ago, and there are a number of useful online tools that can help you assess how close you are to achieving compliance.
One of the most useful tools for small and medium-sized companies is the UK Information Commissioner's Office (ICO) data protection assessment. This includes a GDPR checklist for data controllers and a GDPR checklist for data processors. ICO also provides a useful tool to help assess your compliance with data protection in the specific areas of information and cyber security policy and risk, mobile and home working, removable media, access controls, and malware protection.
Microsoft has also produced a quick and simple assessment tool to see which stage you have reached in your compliance effort and what steps you need to do next.
The GDPR is made up of 99 articles that provide a detailed description of the regulation, and since every organization is different, it is impossible to provide an exact prescription that will guarantee your organization is in compliance.
There are general guidelines anyone can follow, however, and the ICO has produced a document recommending 12 steps that should be taken to fulfill general GDPR requirements:
- Make sure that key people in your organization (not just in the IT department) appreciate the importance of GDPR and compliance with it.
- Document the personal data that you hold, where it came from, and who you share it with. To do this you may need to organize an information audit.
- Review your current privacy notices and make any necessary changes.
- Check your procedures to ensure that you can accommodate the rights of individuals to be provided with their personal data in a commonly used format, and that you can delete their data on request.
- Update your procedures so you can handle those requests within the required timescales (usually one month).
- Identify the lawful basis for your processing activity in the GDPR, document it, and update your privacy notice to explain it.
- Review how you seek, record, and manage consent, and whether you need to make any changes.
- Consider how to verify individuals' ages and how you can obtain parental or guardian consent for any data processing activity.
- Make sure you have procedures in place to detect, report, and investigate a personal data breach.
- Understand when to carry out a Data Protection Impact Assessments (DPIA) – we'll discuss DPIAs in more detail shortly.
- Designate someone to take responsibility for data protection compliance and consider whether you are required to formally designate a Data Protection Officer.
- If you operate in more than one EU state, determine your lead data protection supervisory authority.
GDPR definitions and responsibilities
The GDPR includes a number of terms and responsibilities that affected companies need to understand if they hope to comply with the law. These next four sections outline the most important before we get into specific compliance technologies and strategies.
The GDPR makes a distinction between a data processor (basically, the entity processing personal data) and a data controller (the entity that decides the purposes and means of that data processing). Controllers are obligated to use processors (including public cloud operations) that "implement appropriate technical and organizational measures" taking into account "the state of the art and the costs of implementation" as well as the "nature, scope, context and purposes of the processing."
If your organization is a public authority or if its core activities involve "regular and systematic monitoring of data subjects on a large scale" or if you conduct large-scale processing of "special categories of personal data" (such as data about race, ethnic origin, political opinions, and religious beliefs), you need to appoint a Data Protection Officer (Articles 35-39) with expert knowledge of data protection law and practices.
If you are handling particularly sensitive personal data, then you need to carry out a "Data Protection Impact Assessment" (DPIA) of the possible impact of your processing activities on the people whose data is being processed.
Specifically, Article 35 of the GDPR states, "Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks."
For more on Data Protection Impact Assessments, see How a Data Protection Impact Assessment Helps You Comply with GDPR.
One of the most onerous obligations of the GDPR is to provide "Data Subjects" – the people whose data you are processing – with access to the data that you hold about them (Article 15). They can also request rectification or completion of data if it is inaccurate or incomplete, and they can request that you delete their personal data (also known as "the right to be forgotten").
This is onerous because Data Subjects can make requests in writing or verbally, and you need to be able to comply with the requests "without undue delay," and in any case within one month of receipt of the request.
But deleting data completely can be technically difficult to achieve, warns Mark Sangster, a vice president at managed detection and response service provider eSentire. "Most companies have backups and multiple versions of data in storage," he says. "How do you get to all of them and delete all of a person's data? And also, how do you prove it?"
He points out that when data is stored in the cloud, there may be multiple copies of it made by the cloud storage provider, and although it may be inaccessible it may not technically have been deleted.
The Right to Data Portability in Article 20 is another ambitious requirement of GDPR. It gives users a right to a copy of their data – and to have that data sent to another organization in "machine-readable format," if desired.
Data Subjects also have a "right to object ... at any time to processing of personal data," as outlined in Article 21. The law leaves organizations an out, however, if "the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject." The extent of the "legitimate interest" provision has already been the subject of much legal debate, and will continue to be so for some time to come.
The law is likely to change the way personal data is collected, with its requirement that consent be "freely given, specific, informed and unambiguous" and that information be presented "in a concise, transparent, intelligible and easily accessible form, using clear and plain language."
The GDPR is designed to protect Data Subjects, but it goes to great lengths to avoid spelling out in technical terms what you need to do to ensure that you achieve suitable levels of data security. That's because it recognizes that making specific security recommendations is not the best way to protect personal data. Rather, it leaves the onus on organizations to ensure that they provide the appropriate level of protection.
Article 32 of the GDPR states: "In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed."
It's a common myth that the GDPR requires the use of data encryption, and some consultants appear to be pushing sales of encryption products by implying that all you need to do is encrypt all your data and you will satisfy 90% of GDPR requirements.
In fact the GDPR does mention the word "encryption" – but it only appears four times:
- "...implement measures to mitigate those risks, such as encryption."
- "...appropriate safeguards, which may include encryption"
- "...including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data."
- "...unintelligible to any person who is not authorised to access it, such as encryption"
It pointedly does not mandate the use of encryption, nor does it offer advice as to what encryption algorithms could be used, or whether it is talking about data at rest or in transit, or both.
Having said all that, encryption clearly does offer a way to satisfy many of the security requirements of GDPR, so it is hard to imagine that many organizations will try to comply without it.
Any encryption initiative will likely involve an encryption product that handles data encryption as well as manages encryption keys, and may also include a cloud encryption gateway to ensure that data that is sent to the cloud for storage or processing is also encrypted.
In North America, most companies have been pushed heavily to use encryption for some time, so this is not something that many companies are likely to struggle with – as least as far as data at rest is concerned. But data transfers between companies and their supply chains are not always encrypted, and this is an area that companies will have to look at carefully, according to Sangster. "Many companies will not have thought of this," he said.
Another important strategy is pseudonymization, or storing customer data in such a way that it can't be connected to an individual, typically by breaking that information up into several separate files so a hacker can't steal a file and get anyone's full information. There are a few vendors offering pseudonymization technologies, and expect greater demand for such features in databases, CRM systems and other applications that collect and store personal data.
See How Pseudonymization Helps You Meet GDPR Requirements, and see our reviews of top enterprise encryption products.
The regulation also provides guidance about what kinds of security measures may be considered "appropriate to the risk," including:
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data.
- The ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Controllers and processors that adhere to either an approved code of conduct or an approved certification may use these to demonstrate compliance.
The controller/processor relationships must be documented and managed with contracts that mandate privacy obligations. Ultimately, it is the controller who has the responsibility to ensure that any processors used (including cloud processors) have suitable privacy capabilities.
Article 33 of the GDPR requires companies to notify the relevant supervisory authority of a personal data breach "without undue delay and, where feasible, not later than 72 hours after having become aware of it."
There's a possible unintended consequence of this, according to Sangster. "It may not be in the interest of a company to spot a breach if they have to announce it," he points out. But he added that it is important for companies to avoid that "I don't want to know about a breach" attitude because the sooner a breach is discovered, the sooner they can take action to minimize the impact of the breach both to customers (or Data Subjects) and to the company itself.
However, detecting breaches is far from trivial – it takes an average of 191 days for data breaches to be detected, according to the Ponemon Institute's 2017 Cost of A Data Breach Study.
To minimize the time between breach and detection, companies can:
- Use breach detection tools such as intrusion detection and prevention systems and honeypots, decoy files or other deception technologies.
- Use global threat intelligence and monitor attack campaigns to know where to look for signs of a breach.
- Monitor logs and events to detect anomalous behavior.
- Provide staff training on how to detect breaches.
Article 34 of the GDPR also requires companies to notify the Data Subject without delay that their data has been leaked "when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons."
There's an important caveat here, though, and that is that you don't have to make such a notification if you have taken measures "that render the personal data unintelligible to any person who is not authorized to access it, such as encryption." One way to accomplish that is through pseudonymization.
You are also off the hook when it comes to data subject notifications if you have "taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise."
It is hard to imagine what those measures might be, but it could perhaps involve radical steps such as taking systems offline and keeping them offline until new passwords have been securely distributed to all customers.
According to Article 83 of the GDPR, companies that are not in compliance face GDPR fines (calculated on the organization's global annual turnover of preceding financial year) of up to 4% or €20 million (whichever is greater) for non-compliance, and 2% or €10 million (whichever is greater) for less important infringements. For companies with very large global turnovers, the GDPR fines have the potential to be very significant indeed.
But Sangster points out that there is no formal mechanism for checking that any company is in compliance. "It's likely that what will happen is that there will be a complaint from a customer, which will lead to an investigation," he says.
Looking for more on GDPR compliance? See Five Last-Minute GDPR Readiness Tips.