The upcoming EU General Data Protection Regulation (GDPR) is considered to be one of the strictest and most far-reaching data protection regulations as any company that handles EU customer or employee data falls under it. With GDPR coming into effect on May 25, 2018, businesses need to start preparing now to ensure the compliance on time.
To gain an insight into how organizations should prepare for the upcoming changes, we reached out cybersecurity thought leaders and asked them which initiatives should be taken to be compliant with GDPR.
1. Ashwin Krishnan is a technology industry expert with over two decades of experience in cybersecurity and cloud technologies. The author of Mobile Security for Dummies, Ashwin is currently a Senior Vice President of Products and Strategy at HyTrust, a late stage security startup. His speaking engagements include Mobile World Congress, RSA Security Conference, VMWorld, Telecom Industry Association, and Product Camp Silicon Valley.
Enterprise IT teams need to start preparing for GDPR with the following five tenets and assessment of tools and services that provide this:
- Identifying what data they are collecting of their customers – this requires the ability to discover, classify and tag customer data;
- Provide detail reporting of what data is being collected – requires strong reporting with traceback to the customer identification;
- Ability to transfer data back to the customer – tools to carve out customer data and provide to them in a consumable manner;
- Risk reduction by encryption & reduction–tool to ‘obfuscate’ and ‘destroy’ the amount and time for which data is collected;
- Data destruction aka complete annihilation of a customer’s data upon request – tool to destroy all of a customer’s data upon request with proof of the same.
2. Kristina Bergman, CEO at Integris Software
- Discover what personal information you have, where it is, and how you are using it.
- Adopt tools and processes to respond to subject access rights, such as the right to be forgotten.
- Keep records of your personal information processing activities and actions in preparation for audits and investigations.
- Understand your legal obligations for personal information along the information lifecycle, ranging from consent to retention, and monitor.
- Be ready to meet the tight reporting timelines mandated by the GDPR.
3. Michael Rakutko, Head of Professional Services at ERPScan, co-author of SAP Cybersecurity Framework designed to systemize all the necessary activities to secure SAP business applications from cyberattacks, espionage, sabotage, and fraud.
With the upcoming GDPR next year we will see significant changes in the way most organizations collect, process and store personal data. Much needs to be transformed. Besides, incentives are really strong – either comply or face fines up to 20 million euros. So, this is the perfect time for CISOs to get budget for protecting SAP systems from data breach.
In order to carry out tasks required by GDPR, companies should follow the plan:
- Assess data processes:
- Identify data items in SAP
- Find users having access to personal data
- Evaluate SAP security controls
- Assess risks to data subjects
- Prevent the data breach:
- Restrict access to personal data
- Implement and describe security controls to demonstrate compliance
- Manage personal data lifecycle
- Detect and respond:
- Monitor personal data access
- Detect SAP security threats
- Implement SAP incident response capabilities
4.As Global Sales Director at Cohesive Networks and Managing Director of Cohesive Networks UK, Chris Purrington is responsible for worldwide sales. With over 20 years in the software industry, Chris has extensive experience in leading ISVs to success in EMEA. Chris lead the sales team for 9+ years at Application Lifecycle Management company Borland where he was UK MD and VP UK, Ireland and Africa.
The first, major step to complying with GDPR is to understand the data the organisation holds. Multiple departments will likely hold lists of personal information, such as email lists for marketing, human resources’ personnel files, and so on. Understanding what you must protect is the first step to protecting it.
At the core, the GDPR requires data protection by design. Organisations must design data security into business processes. Another requirement is “pseudonymization” or the process of transforming personal data in such a way that the end data cannot identify the specific data. An example is encryption. Additionally, the GDPR also requires the associated information, like the encryption keys, must be kept separately from identifying data.
Specifically, IT teams can ease into GDPR with better monitoring and management. Automating any part of network scanning, log analysis, and compliance tracking can speed up time to compliance.
Next, teams should re-evaluate access controls to sensitive data. With cloud-based systems, it should be easier to implement strong authentication programs to apply the rule of “least privilege” required for each application.
Finally, add encryption in-transit to any existing security best practices. Cloud providers offer excellent encryption for data at rest, but only some services and intra-region transfers have data-in-motion encryption. Any data traveling between cloud regions, traveling over the public internet, and between organisation locations should be encrypted.
5. Anne P. Mitchell, Attorney at Law / Legislative ConsultantCEO/President, SuretyMail Email Reputation Certification and Inbox Delivery Assistance; Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law), California Bar Cyberspace Law Committee Member, Colorado Cybersecurity Consortium Member, Elevations Credit Union Member Council Member, Board of Directors, Asilomar Microcomputer Workshop Member, Board of Directors, Greenwood Wildlife Rehabilitation Former Chair, Asilomar Microcomputer Workshop Ret. Professor of Law, Lincoln Law School of San Jose.
Specific to businesses that send emails and email marketing, as that is the area in which we work, and what my unique expertise is in, and with respect to email marketing and other email sending practices, it’s important to note that under the GDPR, the term “data” includes email addresses. First and foremost, for any email address that is collected, the person’s consent to the collection and use of that email address must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” In other words, a business must not collect, let alone use, a business’ or person’s email address unless they have provided the collecting business with clear, specific, informed consent. Pre-checked boxes are not considered informed consent. Neither is “lack of action” (such as not complaining about the email they are receiving from the business).
In fact, the GDPR specifically says: “Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.” Additionally, that consent applies only to that use which the collecting business has clearly specified at the time of obtaining the consent. For example, if the business collects an email address so that the business can “email them a free white paper”, that is the only purpose for which the collecting business can use their email address. The collecting business cannot add that email address to a mailing list or otherwise use it for email marketing (or anything else).This means that the collecting business has to disclose every single way that they might use that email address – clearly and in plain language – at the time that the owner of the email address is giving their consent. If a particular use of the email address was not clearly disclosed at the time that they gave their consent, then it wasn’t informed consent for that purpose, and the collecting business cannot use the email address for that particular use. Moreover, the collecting business must document the consent, and store that documentation regarding the consent.
The GDPR of course also addresses data retention, and with respect to email addresses it means that
a) the collecting business needs to keep all of the data they collect secure, and
b) the withdrawing of consent (such as unsubscribing) “shall be as easy to withdraw consent as to give it.”
Also, if the collecting business’ data is breached, they must notify the Data Protection Authority within 72 hours, and inform all affected parties “without undue delay”. It’s also important to note that legal action under the GDPR is available both for individuals, and against individuals. This ‘private right of action’ is available to any citizen of the EU and, presumably, any individual anywhere against an EU-based email sender.
6. Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. He is a frequent speaker and commentator on technology and security issues. Previously, he was a senior vice president at Gartner.
The GDPR adds another layer of complexity, not to mention potential cost and associated resources, to the issue of critical information asset management that so many organizations are struggling to come to terms with. At the Information Security Forum, we consider this to be the biggest shake-up of global privacy law in decades as it redefines the scope of EU data protection legislation, forcing organizations worldwide to comply with its requirements. Businesses face several challenges in preparing for the reform, including an absence of awareness among major inner stakeholders. The benefits of the GDPR will create several compliance requirements, from which few organizations will completely escape.
Organizations must consider in advance the steps they should take to prepare. The resources that may be needed – including time, people, policy and governance structures – will take time to agree and fund. There are actions that can help organizations get up to speed quickly, which will be beneficial regardless of last minute amendments, including changes to data breach reporting periods or fine percentages.
In advance of the GDPR’s enforcement, an organization should have completed its preparations. In doing so, the following questions should be asked:
Executive management will be responsible for ensuring that an organization meets its legal obligations to implement the GDPR’s requirements. A Data Protection Officer (DPO) should be designated to act as a focal point for ongoing data protection activities. An organization’s governance functions, including information security, legal, records management and audit should ensure they are familiar with the requirements of the GDPR and have the necessary people, processes, and technical solutions in place to achieve compliance.
- Has responsibility and funding for GDPR compliance been assigned?
- Can the skills to achieve GDPR compliance be deployed, developed or recruited?
- Can the requirements of the GDPR be implemented by May 2018?
7. Chris Berry, Ciphr’s CEO
The HR team will have an important role to play in protecting the data held of employees, leavers, and job applicants. It’s essential that HR departments start thinking about what’s needed and ensure provision is made to meet the new requirements. GDPR will fundamentally change how organizations handle their employees’ personal data. The main changes are around the way staff can access, correct, delete and transfer their details.
For those working in HR, this means a rethink about how personal data is collected, used and kept, from handling recruitment and employer references, to monitoring staff performance and handling records. Key changes will include making sure that permission has been opted-into, and not assumed. Also, ensuring that when consent is withdrawn, the affected data is deleted appropriately, and safeguarding data.
Added to this, new accountability measures will make it important that systems are in place to show that the regulations are being met.
Ciphr’s white paper offers HR teams 10 ways to start getting GDPR-ready.
- Start the Discussion
- Assess your Current Compliance
- Review Privacy Notices and Policies
- Educate Yourself on the Requirements
- Consider Consent
- Put Processes in Place
- Be Ready to Respond Swiftly
- Consider appointing a Data Protection Officer
- Develop a Data Breach Response Program
- Consider a Self-Service System
8. Pascal Geenens, cyber security evangelist at Radware
The largest concern for IT teams and organizations is to comply with the enhanced rights of citizens to request access to their data and the right to erasure. The transparency right requires organizations to provide, within one month, with a limited right to extend this period for up the 3 months, any citizen that requests it, in clear, readable and understandable language, extensive details regarding the usage of their personal data. Additionally, the right to data portability requires IT teams to provide to the subject, or transfer to another controller on request of the subject, all personal data in a structured, commonly used and machine-readable format. The right to be forgotten requires the organization to eradicate all stored information upon a subject’s request.
The GDPR will have a big impact on organizations, most have a large gap to close on the identification, access control, and tracking of personal information data flows within the organization and its boundaries. Protecting any personal information from falling in the wrong hands, from leaking outside of the company through shadow IT, email, data carriers, or others. A big concern will also be erasing all this private information upon request by the subject. Backups especially, consider more traditional off-site backup systems using portable storage – how does one make sure that every bit of personal information that was ever stored is erased from all backup tapes for example?
The GDPR introduces punitive measures for organizations that suffer a breach or cannot demonstrate compliance to the regulation. Supervisory authorities also have investigative and corrective powers to undertake on-site data protection audits and issue public warnings, reprimands, and orders to carry out specific remediation activities. The right to have control over its private data also gives power to the individual to raise claims when the organization is not able to comply with his request within the set time frame.
Notwithstanding its challenges, the GDPR is a necessity to get back on top in the fight against cyber-crime. The sheer number of records breached each year is growing and the prices for personal records on the Darknet only motivate hackers to play the game and hunt for our private data and personally identifiable information. If the GDPR is able to level up, even if only by a small amount, it will be a big step in the war against cyber-crime.
9. Michael Fimin, the accomplished expert in information security, CEO and co-founder of Netwrix, a provider of a visibility and governance platform that enables control over changes, configurations, and access in hybrid cloud IT environments to protect data regardless of its location.
GDPR standard requires all companies that host and process personal data of EU citizens to comply with the regulation, which means that thousands of enterprises worldwide will have to revise their security programs according to the new protective measures (e.g., the right to be forgotten and the need for explicit agreement to collect personal data). Here is a couple of initiatives that will help IT pros prepare for GDPR and avoid huge fines for non-compliance:
- Dedicated data security officer. According to the 2017 Netwrix IT Risks Report, lack of dedicated IT staff is one of the reasons why organizations are vulnerable to security and compliance risks. Organizations need to hire knowledgeable IT security and privacy officers who would be responsible for overseeing company’s security practices and ensuring that the company is ready to meet auditors’ requests.
- Strong data privacy program. You need to develop a program that will require an organization to collect and retain personal information only to the extent necessary (e.g., adhering as closely as possible to the European Union’s “purpose limitation” requirements).
- Legal support. In order to comply with GDPR “accountability” requirements, you will need to document and explain your legal basis for processing data and data retention periods.
- Visibility into critical data. Awareness of what’s going on in your critical systems, what data you hold and who you share it with is essential for ensuring proper safeguards and mitigating security risks. Also, you need to review contracts with third parties that process or maintain collected information.
- Data breach response plan. Organizations have to ensure that there are updated and tested data breach response policies and programs to ensure timely notification to auditors and customers in case of a breach. Data breaches must be detected, reported and investigated according to the new requirements.