The European Union will begin enforcement of its General Data Protection Regulation (GDPR) on May 25. Is your organization ready?
What does this mean? How will it impact your organization – and how should you prepare for it? Here’s what every company that does business in Europe needs to know about GDPR:
May 25th is coming up on us all very soon. Do you know why that date is important? It is the date when the new EU privacy regulations take effect for any holder or processor of the personal data of an EU member. This regulation is separate from, and more comprehensive than, US privacy standards, and its directives carry real weight. Non-compliance will lead to stiff penalties of up to 4% of gross profits or 20 million Euros.
If you use a third-party service provider and it gets breached, you remain liable together with that third party, so contracts will need to be amended to properly balance these responsibilities. Adherence for the first 2 years was optional, but that timeline is quickly coming to an end as stated above. So what do we do right now? Specific articles set out what you must be able to demonstrate that you and any of your third parties are doing with personal data, the scope of which includes digital identifiers, mobile numbers and equipment that can tie a person to that data. Below we focus on the solutions we recommend having in place.
One of the main named capabilities you need for compliance is the ability to audit and report who has accessed personal data and whether they acted as a data controller or a data processor. What sets this directive apart is its focus on who owns the data, who accesses it, for what purpose, and when those permissions are revoked. This requires a named Data Protection Officer (DPO) to perform these tasks, to inform controllers and processors of the corporate policy and of what GDPR requires of them, and to serve as the main point of contact for any supervisory authority that wants to discuss issues or conduct an audit.
Another point is the protections needed to do this. We recommend using a framework such as HIPAA, PCI or NIST 800-53. We also recommend a Data Leakage Protection (DLP) solution and an Identity Access Management (IAM) solution. These three things will give you the protections needed for the reporting piece of the puzzle: both data and access can be controlled and reported on, and your processes can be documented against a verified solution. As a caveat, you should also have a vulnerability management program to complement the reporting for this directive.
DLP should be standard so that you can report, and potentially block, any unauthorized access to personal data. Under this directive the meaning of personal data has expanded: it is not just Personally Identifiable Information (PII) but also any electronic data or device information that can be linked, together with the personal data, to a particular user. This means DLP rules will need to be customized to cover fields outside the norm, with new regular expression (regex) patterns that can detect where personal data is located and accessed.
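As an added illustration of the kind of custom DLP rule the paragraph above calls for (this is example code written for this page, not a product rule set or the authors' own), the Python below scans constructed sample records for the classic PII field (e-mail) alongside the expanded device and electronic identifiers (phone number, IPv4 address, MAC address, IMEI) and redacts what it finds. The sample records, field names and patterns are assumptions made for the example. It also shows the caveat a practitioner hits immediately: a bare regex over-matches, so where an identifier carries a checksum (an IMEI uses Luhn) the rule validates the match before reporting it.

```python
import re

# Constructed sample records (not real data): a helpdesk export line and two
# application log lines, standing in for the text a DLP rule would scan.
SAMPLE_RECORDS = [
    "ticket=4471 user=anna.lindqvist@example.org phone=+46701234567 note=call back after 5",
    "2018-05-20T10:14:03Z INFO session start ip=203.0.113.42 mac=3c:52:82:9a:11:ef imei=490154203237518",
    "2018-05-20T10:15:00Z INFO heartbeat counter=123456789012345 status=ok",
]

# Detection patterns. "email" is classic PII; the rest are the device and
# electronic identifiers that the expanded GDPR definition pulls into scope.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone_e164": re.compile(r"(?<![\w+])\+[1-9]\d{7,14}\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "imei": re.compile(r"\b\d{15}\b"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (IMEIs carry one); rejects arbitrary 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_real_hit(kind: str, value: str) -> bool:
    # A bare regex over-matches on counters and internal IDs; validate where a checksum exists.
    if kind == "imei":
        return luhn_valid(value)
    return True


def scan(records):
    """Return (record_index, kind, value) for every validated match."""
    findings = []
    for idx, text in enumerate(records):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(text):
                if _is_real_hit(kind, m.group(0)):
                    findings.append((idx, kind, m.group(0)))
    return findings


def redact(text: str) -> str:
    """Mask validated matches so the record can be logged or shared safely."""
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(
            lambda m, k=kind: f"[REDACTED:{k}]" if _is_real_hit(k, m.group(0)) else m.group(0),
            text,
        )
    return text


if __name__ == "__main__":
    for idx, kind, value in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {kind} -> {value}")
    for rec in SAMPLE_RECORDS:
        print(redact(rec))
```

Run as written, the third record's 15-digit counter matches the IMEI regex but fails the Luhn check, so it is neither reported nor redacted; that validation step is what keeps a rule like this from drowning reviewers in false positives once it is applied to real logs.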
Identity Access Management (IAM) is the other important side of this GDPR directive. It provides straightforward reporting of authentication on the sensitive systems that contain personal data. This matters because access to personal data should be granted only for the purpose and the length of time needed, then revoked and documented forensically. IAM gives you the ability to easily review the authentication, authorization, administration and audit of the identities or users that access personal data.
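To make the grant-for-a-purpose, expire, revoke and document cycle concrete, here is an added Python sketch of a minimal access register (example code written for this page; it is not part of any IAM product or the original post). Every grant records who, what resource, why, who approved it and when it expires; every authorization decision and every revocation is appended to an audit trail that a DPO can hand to a supervisory authority. The identities, resource name, purpose string and the controllable clock are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


class Clock:
    """Controllable clock so expiry can be exercised deterministically (example aid)."""

    def __init__(self, start: datetime):
        self._now = start

    def now(self) -> datetime:
        return self._now

    def advance(self, delta: timedelta) -> None:
        self._now += delta


@dataclass
class Grant:
    identity: str
    resource: str
    purpose: str
    granted_by: str
    starts: datetime
    expires: datetime
    revoked_at: Optional[datetime] = None


class AccessRegister:
    """Time-boxed grants to personal-data systems with an append-only audit trail."""

    def __init__(self, clock: Clock):
        self._clock = clock
        self._grants: List[Grant] = []
        self._audit: List[dict] = []

    def _log(self, event: str, **fields) -> None:
        self._audit.append({"ts": self._clock.now().isoformat(), "event": event, **fields})

    def grant(self, identity: str, resource: str, purpose: str,
              granted_by: str, duration: timedelta) -> Grant:
        now = self._clock.now()
        g = Grant(identity, resource, purpose, granted_by, now, now + duration)
        self._grants.append(g)
        self._log("grant", identity=identity, resource=resource, purpose=purpose,
                  granted_by=granted_by, expires=g.expires.isoformat())
        return g

    def revoke(self, g: Grant, revoked_by: str, reason: str) -> None:
        if g.revoked_at is None:
            g.revoked_at = self._clock.now()
            self._log("revoke", identity=g.identity, resource=g.resource,
                      revoked_by=revoked_by, reason=reason)

    def is_authorized(self, identity: str, resource: str) -> bool:
        """Allow only an unrevoked grant whose window covers the current time; log either way."""
        now = self._clock.now()
        for g in self._grants:
            if (g.identity == identity and g.resource == resource
                    and g.revoked_at is None and g.starts <= now < g.expires):
                self._log("access_allowed", identity=identity, resource=resource, purpose=g.purpose)
                return True
        self._log("access_denied", identity=identity, resource=resource)
        return False

    def active_grants(self) -> List[Grant]:
        now = self._clock.now()
        return [g for g in self._grants if g.revoked_at is None and g.starts <= now < g.expires]

    def audit_trail(self, identity: Optional[str] = None) -> List[dict]:
        """Report for the DPO or a supervisory authority: who, what, why, when."""
        if identity is None:
            return list(self._audit)
        return [e for e in self._audit if e.get("identity") == identity]


def demo() -> dict:
    """Constructed walk-through: a four-hour grant, a check inside and outside the window, a revoke."""
    clock = Clock(datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc))
    reg = AccessRegister(clock)
    g = reg.grant("j.doe", "crm-db", "subject access request #17", "dpo", timedelta(hours=4))
    before = reg.is_authorized("j.doe", "crm-db")
    clock.advance(timedelta(hours=5))
    after_expiry = reg.is_authorized("j.doe", "crm-db")
    reg.revoke(g, "dpo", "task complete")
    events = [e["event"] for e in reg.audit_trail("j.doe")]
    return {"before": before, "after_expiry": after_expiry,
            "active": len(reg.active_grants()), "events": events}


if __name__ == "__main__":
    print(demo())
```

The design point is that expiry is enforced at decision time rather than by a clean-up job, and that the denial after expiry is itself logged: an auditor reviewing the trail sees the grant, the allowed access within the window, the refused access afterwards and the explicit revocation, which is exactly the record the directive expects you to be able to produce.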
While time is short, it is important to note that there is still time. Putting in these protections to discover what is there is the starting point. We aim to assist with any questions you may have from a security perspective, so please contact us. Below is a quick breakdown of the articles into sections where you can learn more.
GDPR Article Breakdown
- Articles 1-22 cover the meaning of personal data and the overall definitions of terms.
- Articles 23-37 govern the persons involved and their roles and responsibilities.
- Articles 38 and 39 show certification requirements. Articles 40-45 discuss the transfer of data to organizations.
- Articles 46-53 discuss the role and a description of who can be a supervisory authority and their charge.
- Articles 54-72 discuss interactions and the cooperation of the European Data Protection Board within the supervisory authority to investigate and certify adherence.
- Articles 73-79 discuss the ramifications and penalties for a breach and not complying.
- Articles 80-85 discuss provisions for special situations where data may be touched for purposes like employment or churches.
- Articles 86-87 discuss how delegated acts and implementing acts are handled by committee.
- Articles 88-99 discuss the repeal of the old Directive 95/46/EC and this policy's enforcement.