Avoid Tunnel Vision When Preparing for GDPR
The European General Data Protection Regulation (GDPR) comes into force on May 25, 2018. For those who are unfamiliar with it, the GDPR is a regulation that applies to any company that processes EU citizens' data. The GDPR is universally applicable and does not require local governments to pass enabling legislation.
For some time, IDC has conducted GDPR workshops and helped customers to prepare for the upcoming legislative change. From legal advice to impact assessments, we work together with our partners to create and enhance our customers' organizational and technical capabilities and to ensure that their processes are designed to deliver GDPR compliance in the most pragmatic and cost-effective way. It is very easy to develop tunnel vision reading through the many pages of complex legislation and fixate on the severe penalty of 4% of revenue for non-compliance, thus drawing oneself closer to what we refer to as a "black hole of security spending". The points below are written with the aim of restoring your peripheral vision, which can often get lost, particularly in larger corporate environments.
Point 1: Your key focus should be on identity and access management (IAM).
Data is undoubtedly at the center of the GDPR, with personal data protection being the main focal point. However, for data protection technologies to function properly, identity information is required. Moreover, identities, roles, and access models should be aligned with the context of your business and the way in which data is processed to satisfy the GDPR requirement of an "appropriate" level of data protection. "Appropriate" in this case does not only mean that you have a specific data protection technology installed, but that this technology works together with other technologies to provide an adequate level of data protection. It remains to be seen how specific GDPR paragraphs and clauses will be interpreted after the regulation comes into force, but we have already observed companies acquiring software products based on unverified assumptions, which may not be sufficient to fulfil the "privacy by design" requirement of the GDPR. One of these assumptions is that an operational and sufficient IAM is already in place; at a minimum, verify that:
- Applications that process GDPR-relevant data have a solid access control model;
- Access control is supported by a periodic review process; and
- Your IAM technologies incorporate security controls that do not undermine the security controls around the data.
Point 2: Do not forget the backups, especially offsite ones.
The importance of regular backups has been stressed often enough that its appearance on our list should come as no surprise. The GDPR puts an interesting spin on backups, as they may contain GDPR-relevant data. The first reaction we usually see is fear of the need to encrypt all seven or more years of backups that are retained as required by local tax regulations. Again, we would recommend not jumping straight to the technical solution (encryption, in this case) without first conducting an impact assessment. It should be pointed out that data often gets (re-)aggregated at backup time, meaning that pseudonymized data from two or more sources can be combined again once it sits on the same backup media. If there is no database-level encryption, data on backup media can be deanonymized by correlating it across multiple sources.
- Be aware of data aggregation and disaggregation on backup media;
- If you do not encrypt backup data, make sure it is properly protected by access control; and
- Ensure that backup administrators are in the privileged access group and that the group is properly monitored.
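The re-aggregation risk described above is easy to underestimate until it is written down. The following Python script is an added example and is not code from the IDC post or its workshops. It models three constructed source systems that are individually harmless (two pseudonymized datasets sharing a pseudonym key, plus the pseudonym vault that maps keys back to people) and shows that a plain join on the shared key re-identifies everyone once all three land on one unencrypted backup medium. It then applies two simple assessment rules to a hypothetical backup manifest, so the same check can be run during an impact assessment before deciding what actually needs encryption. All names, keys and the manifest format are assumptions made for the example.

```python
"""Backup re-aggregation check (added example, not from the original post).

Sample data and the manifest layout are constructed for illustration.
"""
from collections import defaultdict

# Constructed content of three source systems as a nightly full backup
# would capture them. HR and health are pseudonymized with the same
# pseudonym namespace ("pid"); the vault holds the reversible mapping.
HR_SYSTEM = [
    {"pid": "p-1001", "department": "finance", "salary_band": "C"},
    {"pid": "p-1002", "department": "legal", "salary_band": "B"},
]
HEALTH_SYSTEM = [
    {"pid": "p-1001", "sick_days": 14},
    {"pid": "p-1002", "sick_days": 2},
]
PSEUDONYM_VAULT = [
    {"pid": "p-1001", "name": "Alice Example", "email": "alice@example.invalid"},
    {"pid": "p-1002", "name": "Bob Example", "email": "bob@example.invalid"},
]

DIRECT_IDENTIFIERS = {"name", "email"}


def correlate(datasets):
    """Merge every dataset on the shared pseudonym key.

    Returns {pid: merged record}. This is exactly the (re-)aggregation
    that happens implicitly when the datasets sit side by side on one
    backup medium: nobody has to "attack" anything, the join is trivial.
    """
    merged = defaultdict(dict)
    for rows in datasets:
        for row in rows:
            merged[row["pid"]].update(row)
    return dict(merged)


def is_reidentified(record):
    """True when the merged record carries a direct identifier."""
    return bool(DIRECT_IDENTIFIERS & record.keys())


def assess_backup_manifest(items):
    """Apply two impact-assessment rules to a backup manifest.

    Each manifest item is a dict (hypothetical format):
      name      - dataset name
      kind      - "pseudonymized" or "mapping"
      key       - pseudonym namespace the dataset is keyed on
      encrypted - whether the dataset is encrypted before it hits the medium

    Rule 1: two or more unencrypted pseudonymized datasets sharing a key
            namespace re-aggregate data that was deliberately split.
    Rule 2: an unencrypted mapping next to unencrypted pseudonymized data
            makes the whole set directly identifying.
    """
    findings = []
    by_key = defaultdict(list)
    for item in items:
        by_key[item["key"]].append(item)
    for key, group in sorted(by_key.items()):
        pseudo = [i for i in group if i["kind"] == "pseudonymized" and not i["encrypted"]]
        mapping = [i for i in group if i["kind"] == "mapping" and not i["encrypted"]]
        if len(pseudo) >= 2:
            names = ", ".join(sorted(i["name"] for i in pseudo))
            findings.append(f"key '{key}': re-aggregation of {names} on one medium")
        if mapping and pseudo:
            findings.append(
                f"key '{key}': mapping '{mapping[0]['name']}' stored unencrypted "
                f"next to pseudonymized data; backup set is re-identifiable"
            )
    return findings


# Constructed manifest describing the backup set of the three systems above.
EXAMPLE_MANIFEST = [
    {"name": "hr", "kind": "pseudonymized", "key": "pid", "encrypted": False},
    {"name": "health", "kind": "pseudonymized", "key": "pid", "encrypted": False},
    {"name": "vault", "kind": "mapping", "key": "pid", "encrypted": False},
]


def main():
    merged = correlate([HR_SYSTEM, HEALTH_SYSTEM, PSEUDONYM_VAULT])
    hits = sum(is_reidentified(r) for r in merged.values())
    print(f"{hits} of {len(merged)} data subjects re-identifiable from the backup set")
    for finding in assess_backup_manifest(EXAMPLE_MANIFEST):
        print("FINDING:", finding)


if __name__ == "__main__":
    main()
```

The practical lesson from the second rule is that encrypting (or simply not co-locating) the pseudonym mapping removes the re-identification finding for the entire set, which is usually a far smaller job than encrypting seven years of full backups outright.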
Point 3: Detection may be more important than protection.
While there is a buzz in the industry about "proactive defense", 100% protection is actually an unattainable dream in the era of state-sponsored actors. GDPR requires that organizations report personal data breaches to the supervisory authority "no later than 72 hours after becoming aware of it" (art. 33). It may be speculation at this point, as no precedents are available for reference, but we would argue that a failure to detect in time and a subsequent failure to report would lead to an inquiry into the adequacy of security controls, and may therefore be perceived as a compliance failure. GDPR requires a reasoned justification in the event of a delay. Unlike a simple notification that a breach has occurred, GDPR requires a significant amount of breach-related detail to be included in the report. Reporting is further complicated by the requirement for data processors to report relevant incidents to data controllers "without undue delay" (ibid.), which leaves data controllers with the same 72-hour limit in which to collect the relevant data and report to the supervisory authority. Make sure that:
- Personal data breach-related security controls are in place and fully functioning;
- Incident reporting is explicitly stated in the agreement with third parties if they are used for data processing; and
- Information required for GDPR reporting is available and can be collected within the specified timeframe.
We sincerely hope this short selection of the topics that are discussed at our GDPR workshops will help you prepare for the upcoming change. Please do not hesitate to contact us if you are interested in finding out more.