GDPR One Year Anniversary: A Risk-Based approach to GDPR is key for achieving compliance

This post also appears on the Gemalto Enterprise Security blog here.

Data protection has become a global hot topic since the General Data Protection Regulation (GDPR) took effect on May 25th last year. On the 22th of May 2019 the European Commission has published an infographic on compliance with and enforcement of the GDPR since from May 2018 to May 2019 and it is clear that a lot of work still needs to be done. Let’s very briefly recall what GDPR is and some of its key concepts, before discussing about steps and security controls that will bring your organization one step closer to compliance.

1. What is the General Data Protection Regulation?

Millions of people daily entrust their personal data and information to various entities, and with information sharing occurring virtually everywhere, at retail shops, healthcare centers, gyms, financial institutions or websites, typically these people don’t know where their data goes or what other processing is done on it and by who. GDPR is designed to bring an up-to-date approach to privacy and security into Europe, with its aim being to provide EU citizens with a stronger control on the personal information they share with other entities, and to enforce to all member-states of the European Union a uniform legal framework.

To quickly summarize, GDPR mandates that Data Controllers (all the entities that control or process personal data) must have organizational processes in place and implement the proper technical measures in order to protect EU citizens’ personal data. This concept may seem like self-evident and easy to implement, but in the real-world trying to ensure compliance with GDPR has left many organizations struggling.

2. Who does the GDPR applies to?

The GDPR applies to businesses that collect and use personal information from citizens of the EU, regardless of where the business itself is located. This approach to privacy gives the GDPR a global reach and if a business offers goods or services to EU citizens or collects and analyzes their data through data collection, it needs to be compliant with the GDPR. The penalties for failing to comply to the GDPR are very severe, with fines of up to four percent of an organization’s yearly turnover or €20 million, whichever is greater, and also other penalties could apply to a range of privacy infringements.

3. What does the GDPR require?

The GDPR’s four main areas of focus are: Privacy rights, Data security, Data control and Governance.

As such, a few of the key considerations for achieving compliance with the regulation include the following:

3.1 Privacy by Design

At the core of GDPR is “Privacy by Design”, a concept created by Dr. Ann Cavoukian, the former Information and Privacy Commissioner for the Province of Ontario, Canada in the 1990s, and has been since a best practice guide for businesses for decades.

Privacy by Design refers to best practices, policies, procedures and data handling processes that are designed with privacy and data security in mind. Every aspect of a business, from the design of its Security and Privacy Policies, to the way it collects, uses and stores data from its employees and customers, must be shaped with in-depth privacy and security best practices from the get go.

3.2 GDPR’s Legal Bases for Data Processing

GDPR lists six possible legal bases for collecting consumer personal data, but for the vast majority of businesses the only possible legal bases that will apply are bases (i), (ii), and (iii) from the list below:

(i) Consent
(ii) To fulfill the legitimate interests of someone without intruding upon individual rights and freedoms
(iii) Fulfillment of a contract
(iv) Legal obligation
(v) Protection of someone’s vital interest
(vi) Public interest of vested authority

In the case of legitimate interests, a business must be able to prove to EU Data Protection Authorities (DPA’s) that the collection of personal information is essential for fulfilling a specific service to its customers, and the business can only keep the personal data for as long as it takes to fulfill that service.

3.3 Breach Notifications

The GDPR mandates that a business must inform very quickly (within 72 hours) and thoroughly EU Data Protection Authorities (DPA’s) of any security data breach involving European citizens.

4. What you can do as a CISO – A Risk-Based approach to GDPR is key

Although GDPR is a very complex regulation, at its core it is a legal framework designed to govern data protection. This means that GDPR’s main focus is the safeguarding of the personal information a business collects, creates, uses and shares, whether the PII data it’s collected from its employees, customers or third-party partners. Because the information is collected from different sources, a business must take a risk-based approach to data protection to best assess and mitigate risks under GDPR.

4.1 Data Mapping Analysis

The first step a business must take is to invest enough time in understanding the nature and the types of personal data and the information it needs in order to fulfill its services by doing a Data Mapping and Information Flow analysis. The UK’s Information Commissioner’s Office provides for free a great template with a working example to help you achieve this task and a few key questions you’ll need to answer are:

Why do you use personal data?
Who do you hold information about?
What information do you hold about them?
How the data is used?
Who has access to the data?
Is the data shared with a third party?
Where is the data stored and for how long?

Only after discovering all of the data your organization possesses will you be able to determine whether you use it and store it in ways that do not create privacy and security risks for your employees, customers, and third-party partners. Once you have identified all of the data and determined how you use it, here are a few other steps you can take to best implement a risk-based approach to data protection across all your assets:

4.2 Conduct Data Protection/Privacy Impact Assessments

GDPR mandates that businesses must conduct DPIAs in the case of high-risk processing activities and many organizations in the EU already conduct Privacy impact Assessments (PIAs) as part of legal or regulatory obligations. A Data Protection Impact Assessment (DPIA), is a defined process for assessing whether the way your business collects, uses, stores and discloses the personal data of individuals creates any privacy risks. DPIAs specifically help us to identify privacy risks and upcoming security problems and they are great tools in helping us identify solutions and recommend appropriate security controls when necessary.

Also, by implementing a well-defined process to determine when DPIAs need to be conducted, businesses will also be able to prove accountability to Data Protection Authorities (DPA’s), thus getting one step closer to achieving full GDPR compliance.

4.3 Ensure Privacy and Security by Design and by Default

The GDPR requires privacy and security not only “by design” as we explained earlier, but also “by default.” This means that industry best practices will now be mandated activities in the daily operations of your business and will need to be demonstrable to Data Protection Authorities (DPA’s) if requested. That’s why organizations must take steps toward rethinking their security and privacy strategy and establishing privacy as a foundational principle in all of their operations.

4.4 Prove Accountability to Regulators

Finally, GDPR requires that organizations maintain detailed documentation of all their compliance efforts. To comply to this guideline, you must be prepared to show to Data Protection Authorities (DPA’s) evidence of your documented security policies and also demonstrate that your policies are being monitored and enforced regularly. Your goal is to be able to demonstrate that you are collecting, using, sharing, maintaining and disposing personal information in responsible, ethical and lawful ways.

5. Security controls that you may already implementing that also apply to GDPR

Now, let’s explore some key security controls that need to be in place for GDPR compliance, and if you are already implementing them into your organization you get the added bonus of “free” compliance:

5.1 Identity and Access Management (IDAM)

Having proper Identity and Access Management (IDAM) controls in place will help control and limit access to personal data only to authorized employees. The two key security principles are applicable to IDAM, the principles of least privilege and separation of duties, both ensuring that employees have access only to personal data or assets needed for their job function.

IDAM help us with GDPR compliance by ensuring that, only those who need access to personal information data in order to perform their job, have access. In this setup, security awareness and privacy training should be provided to all employees to warrant that the intended purpose for collection of personal data is maintained.

5.2 Data Loss Prevention (DLP)

Data Loss Prevention (DLP) are technical controls that help us prevent the loss of personal data. These controls are critical in preventing a breach that may do irreversible damage to the business and according to GDPR, organizations, whether they have the role of the Data Controller or the Data Processor of personal data, are held liable for the loss of any personal data they collect. Integrating DLP controls to your security strategy adds another layer of protection to the business, by controlling and restricting the transmission of personal data outside the corporate network.

5.3 Encryption & Pseudonymization

Encryption and pseudonymization are both techniques that we can use to prevent unauthorized access to personal data. Encryption is the process of converting information or data into a code and pseudonymization replaces or removes information in a data set that identifies an individual. Especially pseudonymization is something GDPR recommend but doesn’t require, however, if a security breach occurs, investigators will consider it a big plus if the organization responsible for the breach has implemented these types of technical controls and technologies as an added layer of security.

5.4 Incident Response Plan (IRP):

This is self-explanatory, all businesses must have an Incident Response Plan (IRP) outside of legal and compliance needs. A well thought and tested IRP should have well defined stages such as preparation, identification, containment, eradication, recovery and lessons learned. In the case an incident occurs that involves personal data, GDPR has some requirements from your organization, most notably Breach notification, and in the case of high-risk breaches even informing the affected data subjects for the incident, and both scenarios should be well covered by your IRP.

5.5 Third-Party Risk Management

GDPR compliance is just as important for third-party relationships as it is internally for an organization. Under GDPR Data Processors are bound by their Data Controller’s policies, and as long as your organization processes, stores, or transmits the personal data of EU citizens with a third party it could be liable in a case of a breach. If your organization trusts the processing of personal data to a data processor or sub-processor, and a breach occurs, GDPR also mandates that data processors to have an active role in the protection of personal data. Regardless of the policies enforced by the data controller, the data processor of personal data must be compliant with GDPR and can be liable for any incidents associated with the loss or unauthorized disclosure to personal data. Sub-processors are also required to be compliant with the GDPR, based on each contractual relationship established between the Data Processor and the sub-processor.

5.6 Information Security Policy Management

A strong Information Security policy is the glue that holds together all the previously discussed security controls and compliance requirements, and is the document that both describes the organization-wide security and privacy strategy and at the same time it can be a great accountability tool when it comes to DPA’s. To be effective, a security policy must receive company-wide acceptance in order to effectively manage and update the needed security controls in an always changing cyber risk world. If it is well managed and followed accordingly, policy management is the foundation for achieving compliance towards GDPR or any other future privacy regulation like e-Privacy.

6. Achieving Compliance

By enforcing frameworks such as the GDPR, more control is handed back to the people/consumers and this extra control greatly helps in raising the level of trust people feel towards government institutions and businesses, which in turn can boost revenues and profits. GDPR requirements are more than a checklist and if your organization process the personal data of EU data subjects, then you must take the time to explore the security controls you have in place to support GDPR requirements and ensure that personal data is accounted for, protected, and processed appropriately.

At the end of the day, GDPR compliance is simple, organizations must be transparent to their customers about their legal bases for collecting their data, and they must offer them control as to whether or not they want to share their data with others. Then, organizations must follow through and ensure that they only use the data they collect for the purposes they initially outlined, always within the boundaries of consent provided by their customers, and make sure that they respect all their rights granted to them under the regulation.

One Year After GDPR: Significant rise on Data Breach reporting from European Businesses


It’s been one year since the European Union (EU) enforced the General Data Protection Regulation (GDPR)¹, a legislation designed to protect the personal data of EU citizens and lay specific rules and guidelines on how their data is collected, stored, processed and deleted by various entities. GDPR requires that organizations must disclose to national Data Protection Agencies (DPAs) any breaches of security leading to “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed to local data protection authorities not later than 72 hours after having become aware of it”.

Penalties for organizations failing to comply with the new notification requirements of the regulation include fines of up to €10 million, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. A lot of studies at the time showed that companies would not be ready for the 25th of May 2018 which led a lot of privacy professionals to assume the worst when they tried to hypothesize about what could happen when the new European legislation would come into effect.

Rise in the number of data breaches

The European Data Protection Board (EDPB)², the EU body in charge of the application of GDPR still hasn’t developed any official standards to clarify how independent EU DPAs will publicly report specific statistics/numbers about GDPR, and this currently makes collecting and analyzing data on GDPR compliance somewhat challenging. A number of European DPAs have voluntarily confirmed in recent months that the new regulation has led to a significant rise in reported data breaches, clearly demonstrating the impact GDPR has had on raising awareness with the general public as well as organizations regarding their rights and obligations under EU data protection law.

So far, the most reliable data regarding the number of data breaches currently available seems to be from some of the DPAs as well as the overview reports³ published by the EU’s Commission on the implementation of the GDPR. From the data we can deduct that EU DPAs received more than 95,000 complaints from EU citizens since May 2018 and from these complaints nearly 65,000 were data breach notifications.

The law firm DLA Piper analyzed data breach reports⁴ that have been filed by 23 of the 28 EU member states since GDPR came into full force and at the end of January 2019 also the European Commission reported that EU data protection regulators had collectively received 41,502 data breach notifications⁵.

“The Netherlands, Germany and the United Kingdom came top of the table with the largest number of data breaches notified to supervisory authorities with approximately 15,400, 12,600 and 10,600 breaches notified respectively.” DLA Piper says in its report and that the Netherlands recorded the most data breach reports per capita, followed by Ireland and Denmark. “The United Kingdom, Germany and France rank tenth, eleventh and twenty-first respectively, while Greece, Italy and Romania have reported the fewest breaches per capita,” the report says.

Under GDPR, non-EU organizations that have headquarters established in Europe can take advantage of the “one-stop shop” mechanism and with numerous U.S. high-profile technology leaders like Facebook, Microsoft, Twitter and Google choosing to have their European headquarters in Ireland, it will be very interesting to study the yearly data breaches report from Ireland’s DPA when it comes out.

With the EU elections approaching in a few weeks it will be very thought-provoking to analyze how imposed safeguards from EU DPAs and GDPR on the use of political data during elections will affect political parties and how this will influence the collection of personal data related to political opinions and communicating political views to target audiences during the election period.

Anyhow we must be prudent with current data because we are still in a transitional year and with most EU DPAs having a median time for investigating a data breach from 12 to 15 months (or even more), a lot of cases that currently are under investigation are incidents that happened under older Data Protection laws.

GDPR Penalties

Germany is the leading country currently in the number of fines with German organizations receiving 64 of the GDPR fines that have been imposed so far. This includes the two largest fines to date, an organization that published health data on the internet (€80,000) and the second a chat platform (€20,000 for failing to hash stored passwords). “So far 91 reported fines have been imposed under the new GDPR regime,” DLA Piper reports, “But, not all of the fines imposed relate to personal data breaches.”

The largest fine to date is €50 million against Google by France’s Data Protection Authority, but the fine did not relate to a data breach, but to the processing of personal data from Google without authorization from its users. The remaining fines from countries like Austria and Cyprus were comparatively low in value.

Looking into the future

The objective of GDPR was to bring uniformity to data protection laws across EU member states and control how organizations should store personal data and how they must respond in the event of a data breach, emphasizing the importance of creating trust that allows the digital economy to grow inside the European community.

As GDPR reaches its first birthday in a few days, it is clear that the regulation is still young and both regulators and companies are still figuring out its impact and importance. Data Protection Authorities across the EU will soon be publishing annual reports, which should give us a wider and better picture of the level of compliance.

Transparency is a necessity that will help the EU further increase awareness of GDPR and let’s not forget that the rest of the world, especially countries that are very close partners with the EU like the United States, are closely observing in order to better understand the effects and the strengths and weaknesses of the regulation.

References

1. General Data Protection Regulation (GDPR)
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

2. European Data Protection Board (EDPB)
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/enforcement-and-sanctions/enforcement/what-european-data-protection-board-edpb_en

3. First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities.
http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf

4. DLA Piper GDPR Data Breach Survey
https://www.dlapiper.com/~/media/files/insights/publications/2019/02/dla-piper-gdpr-data-breach-survey-february-2019.pdf

5. GDPR in numbers Infographic
https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf

 

This post first appeared on the Gemalto blog here.