GDPR Explained: What are the Technical Security Requirements?
The upcoming GDPR will bring substantial changes to how organizations process personal data. Companies will learn how to be transparent and credible or face fines of up to €20 million or 4% of annual global turnover – whichever is greater. The key elements of GDPR will be explained here.
In general, there are 3 broad groups of GDPR technical security requirements:
- Assessing existing data processes and systems.
- Restricting personal data activities.
- Monitoring data breaches.
In this article, I would like to clarify how we came up with the above and what the operational impacts are on companies wanting to do business in the EU.
GDPR Explained: Drivers
Nowadays, the main concern of the international community is data privacy. Every time we buy a product online, pay our taxes or use a service, we have to hand over some of our personal data. Clearly, cyber theft of the data exposes us to significant personal risks.
Even without our knowledge, information about us is being generated and captured by companies and agencies we are likely to have never consciously interacted with. Big data analysis techniques enable organizations to track and predict individual behavior and can be used for control and persuasion.
In response to this growing public concern, data protection principles have been devised in more than 100 countries worldwide.
GDPR Explained: Scope
The General Data Protection Regulation, due to be enforced from May 2018, will probably be the strictest and most comprehensive data protection law to date.
All organizations having customers, business partners or employees in the EU fall under the scope of the regulation.
We’ve identified 6 groups of GDPR proposals related to cybersecurity:
- Data Subject Rights
To be informed about processing of the personal data, to have access to the data, to be forgotten, to be notified about a data breach, and so on. These rights, together with the privacy principles, dictate which security controls are implemented and how the personal data lifecycle is managed.
- Privacy Principles (Privacy By Design and Privacy By Default)
Companies should implement in their systems such privacy principles as integrity and confidentiality, accountability and compliance, data minimization and others by design and default.
- Data Protection Officer Duties
DPO duties include advising the organization of its obligations pursuant to the regulation and monitoring compliance with the regulation. Thus, organizations shall provide the DPO with the ways and means to monitor the compliance of IT systems.
- Data Protection Impact Assessment
DPIA includes such tasks as identification of data flows, evaluation of security controls, assessing effects of a presumed data breach and mitigating privacy risks.
- GDPR Technical Cybersecurity Requirements
In Article 32, GDPR requires that “controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. It names 4 classes of measures:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- Data Breach Notification
Organizations shall monitor access to personal data and the effectiveness of security controls in order to detect data breaches in their systems. If a data breach is likely to result in a risk to the rights of natural persons, the organization shall notify the supervisory authority. If the risk is high, the organization shall also notify the affected data subjects.
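The first of the Article 32 measures, pseudonymization, works by replacing a direct identifier with a keyed token so that the records can no longer be attributed to a data subject without additional information that is kept separately. The following example is added here and is not from the original article; it assumes a constructed customer dataset with fictitious e-mail addresses, an HMAC key held outside the analytics store, and a separate re-identification table standing in for that "additional information".

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the subjects and e-mail addresses are fictitious.
RECORDS = [
    {"email": "alice@example.org", "country": "DE", "purchases": 3},
    {"email": "bob@example.org", "country": "FR", "purchases": 1},
    {"email": "Alice@Example.org", "country": "DE", "purchases": 2},
]


def new_key() -> bytes:
    """Pseudonymization key; in practice stored in a vault, never beside the dataset."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, identifier: str) -> str:
    """Keyed, deterministic token: the same subject always maps to the same token
    (so analytics can still group records), but the token cannot be reversed or
    brute-forced against a list of candidate e-mails without the key."""
    normalized = identifier.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Split the data into a pseudonymized dataset and a separately kept
    re-identification table (the additional information of Article 4(5))."""
    dataset, reid_table = [], {}
    for record in records:
        token = pseudonym(key, record["email"])
        reid_table[token] = record["email"].strip().lower()
        row = {k: v for k, v in record.items() if k != "email"}
        row["subject"] = token
        dataset.append(row)
    return dataset, reid_table


def erase_subject(reid_table, key, identifier) -> bool:
    """Right to erasure: dropping the mapping leaves the dataset rows unattributable."""
    return reid_table.pop(pseudonym(key, identifier), None) is not None


def purchases_per_subject(dataset):
    """Example analytics that still works on the pseudonymized dataset."""
    totals = {}
    for row in dataset:
        totals[row["subject"]] = totals.get(row["subject"], 0) + row["purchases"]
    return totals
```

Pseudonymized data is still personal data under GDPR as long as the re-identification table exists, so the same access controls and monitoring apply to that table.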
GDPR Explained: Tasks
These proposals imply performing a set of security tasks. The following figure illustrates the idea:
Once an IT system is identified as being in the scope of GDPR, we shall assess the data processes of the system. That means identifying the personal data processed in the system, finding the users who have access to the data, evaluating the security controls, and identifying the risks to data subjects in case of a data breach.
The second step is mitigating identified risks: restrict access to personal data, implement security controls, and configure blocking and erasing rules for personal data.
The third step is to detect breaches and respond to them. We have to monitor access to personal data, detect ongoing cyberattacks, and prepare incident response plans.
It is noteworthy that GDPR, in many different ways, requires monitoring access to the data and the effectiveness of security controls. I expect we’ll see a large number of GDPR-related use-cases in SIEM and incident management tools.
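The third step above, monitoring access to personal data so that a breach can be detected, is the kind of SIEM use-case this paragraph anticipates. The following example is added here and is not from the original article; it assumes a constructed application access log (fictitious users and subject ids), an assumed list of which tables hold personal data and which accounts are authorized to read them, and a simple threshold for bulk reads within a time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines: one line per read of a data-subject record.
LOG_LINES = """\
2018-05-25T09:00:01Z user=support1 action=read table=customers subject=1001
2018-05-25T09:00:05Z user=support1 action=read table=customers subject=1002
2018-05-25T09:02:10Z user=batch_svc action=read table=customers subject=2001
2018-05-25T09:02:11Z user=batch_svc action=read table=customers subject=2002
2018-05-25T09:02:12Z user=batch_svc action=read table=customers subject=2003
2018-05-25T09:02:13Z user=batch_svc action=read table=customers subject=2004
2018-05-25T09:03:00Z user=intern7 action=read table=customers subject=1001
2018-05-25T09:03:30Z user=support1 action=read table=products subject=77
2018-05-25T11:30:00Z user=support1 action=read table=customers subject=1003
""".splitlines()

# Assumed output of the assessment step: where personal data lives and who may read it.
PERSONAL_DATA_TABLES = {"customers"}
AUTHORIZED = {"customers": {"support1", "batch_svc"}}
BULK_THRESHOLD = 3            # distinct subjects read by one user within WINDOW
WINDOW = timedelta(minutes=10)


def parse(line: str) -> dict:
    """Turn 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    timestamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines):
    """Return (rule, user, detail) alerts for unauthorized and bulk reads of personal data."""
    alerts = []
    history = defaultdict(list)  # user -> [(ts, subject)] for personal-data reads
    for event in map(parse, lines):
        if event["table"] not in PERSONAL_DATA_TABLES:
            continue  # reads of non-personal data are out of scope here
        if event["user"] not in AUTHORIZED.get(event["table"], set()):
            alerts.append(("unauthorized_access", event["user"], event["subject"]))
        history[event["user"]].append((event["ts"], event["subject"]))
        recent = {subj for ts, subj in history[event["user"]] if event["ts"] - ts <= WINDOW}
        if len(recent) == BULK_THRESHOLD:  # fire once, when the threshold is crossed
            alerts.append(("bulk_read", event["user"], f"{len(recent)} subjects in {WINDOW}"))
    return alerts
```

The same two rules are what you would express as correlation searches in a SIEM; the value of the assessment step is that it supplies the table and authorization lists the rules depend on.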
Hopefully GDPR has been explained here and you’ve got the right idea. GDPR can do a great deal of good if companies not only formally comply with the GDPR technical requirements but actually use the initiative to protect their systems and businesses. After all, the ultimate goal of the GDPR is to facilitate the digital economy and build a strong foundation for trust in the Internet.