GDPR is Almost Here – Is Your Business Ready?
May 8, 2018
On May 25, 2018, the European Union (EU) begins enforcing the General Data Protection Regulation (GDPR), one of the most significant privacy regulations the security industry has had to reckon with. Enforcement will change how organizations, not only in the EU but around the world, collect and handle personal data.
As we noted in our 2018 Cybersecurity Conversations For The C-Suite report, GDPR applies to any organization or individual that collects, stores, transfers, or processes personal data of natural persons located in the EU, wherever the processor itself is based. Simply put, if your business consumes the data of any natural person in the EU, you must be GDPR-compliant.
GDPR is keyed to where the data subject is when the data is collected, not to EU citizenship. For example, the records of a European who enters a hospital in Canada are subject to Canadian law, whereas the records of a Canadian's hospital visit in Europe fall under the protections of GDPR.
“You could be a company with offices in Europe that’s sharing internal data, or you take data from a client based in Europe, or you could just have a customer who’s there,” Ira Goldstein, SVP of Technical Operations, states. After all, there are no borders where the Internet is concerned.
Charles Karstadt, Herjavec Group’s Privacy Officer, advises that although there are six key GDPR requirements organizations need to abide by, they fall under three “umbrellas”: privacy notification, data protection, and proper GDPR controls.
According to Karstadt, “Organizations need to start by understanding what their responsibilities are under GDPR." The key focus is transparency of processing: the data subject must understand how and why their data is being collected and processed, and must give informed and explicit consent for that use. If you handle personal data, you are obligated to ensure that appropriate business and technical controls are in place to monitor and protect it.
GDPR codifies a set of data subject rights that organizations must understand and honour where they apply. Although not all of them are absolute in every circumstance, they include the right to know what data is collected and how it is processed, the right to have inaccurate data corrected, the right to withdraw consent for processing, and the right to erasure (the “right to be forgotten”).
Consumers and employees must therefore know what data an organization collects and stores about them. Privacy notices form the backbone of GDPR, and they apply both to a company’s customer-facing web applications and to its internal environment.
What does this mean for your organization?
Internal compliance usually refers to the personal data an organization holds on its own employees. In most cases, organizations should work with their Human Resources (HR) department to give every employee a notice of what information is on file and how it is being used. For example, the Finance department holds an employee’s national identification number because payroll requires it.
Employees have the right to ask their employer to stop holding certain information, but the organization can refuse where the request is unreasonable or where another legal basis, such as a statutory payroll or tax-reporting obligation, requires it to keep the data. Organizations and employees should also note that GDPR leaves room for member-state law, particularly in the employment context, so local requirements still matter.
To protect employee and customer data, apply the Principle of Least Privilege to access control: give each user, service, and system only the rights it needs to do its job, and nothing more. This shrinks the attack surface, because a compromised account or process can reach only what its role required. There is, however, one step that comes before protecting the data and matters even more.
“Businesses need to know what data they have and where it’s located. You cannot protect what you don’t know about,” Charles Karstadt states. “I recommend performing a comprehensive audit of your environment to identify data and where your data is located. Once you have this information, apply the Principle of Least Privilege so that only the persons who absolutely must access this information in order to fulfill their job requirements can access it.”
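The two steps above, inventory first and least privilege second, can be turned into a repeatable check. The script below is an added example, not Herjavec Group’s tooling: it walks a file tree, records every file that contains personal-data patterns, flags any such file that people other than its owner can read, tightens it to owner-only, and re-scans to confirm. The e-mail and IBAN patterns are generic; the national-ID format (three letters, six digits) and the sample payroll and HR files are constructed for the example and stand in for whatever formats apply in your environment.

```python
"""Added example: find personal data on disk, then check and tighten who can read it."""
import os
import re
import shutil
import stat
import tempfile
from dataclasses import dataclass

# Detection patterns. The e-mail and IBAN shapes are generic; the national-ID
# format (three upper-case letters followed by six digits) is constructed for
# this example and is not a real country's scheme.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "national_id": re.compile(r"\b[A-Z]{3}\d{6}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}


@dataclass
class Finding:
    name: str            # file basename
    path: str            # full path
    categories: dict     # {pattern name: number of matches}
    group_readable: bool
    world_readable: bool


def classify(text):
    """Return {category: match count} for every personal-data pattern seen in text."""
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items() if rx.search(text)}


def scan_tree(root):
    """Step 1 (inventory): walk root and record every file that holds personal data."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    categories = classify(fh.read())
            except OSError:
                continue
            if not categories:
                continue
            mode = os.stat(path).st_mode
            findings.append(Finding(filename, path, categories,
                                    bool(mode & stat.S_IRGRP), bool(mode & stat.S_IROTH)))
    return sorted(findings, key=lambda f: f.path)


def least_privilege_violations(findings):
    """Step 2 (least privilege): personal data readable by anyone other than the owner."""
    return [f for f in findings if f.group_readable or f.world_readable]


def remediate(finding):
    """Restrict the file to owner read/write only (mode 0600)."""
    os.chmod(finding.path, stat.S_IRUSR | stat.S_IWUSR)


def build_sample_tree():
    """Constructed sample data: a payroll export, an HR note, and an unrelated README."""
    root = tempfile.mkdtemp(prefix="gdpr-audit-")
    samples = {
        "finance/payroll.csv": ("name,email,national_id\nAda,ada@example.com,ABC123456\n", 0o644),
        "hr/notes.txt": ("Reviewed with bob@example.com; nothing further.\n", 0o600),
        "README.md": ("Build instructions. No personal data here.\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


def run_audit(root, cleanup=True):
    """Inventory, flag over-exposed files, tighten them, and re-check."""
    findings = scan_tree(root)
    violations = least_privilege_violations(findings)
    for finding in violations:
        remediate(finding)
    remaining = least_privilege_violations(scan_tree(root))
    if cleanup:
        shutil.rmtree(root)
    return findings, violations, remaining


if __name__ == "__main__":
    found, fixed, left = run_audit(build_sample_tree())
    for f in found:
        print(f"{f.name}: {f.categories} group={f.group_readable} world={f.world_readable}")
    print("tightened:", [f.name for f in fixed], "still exposed:", [f.name for f in left])
```

On the sample tree the payroll export is flagged (e-mail address plus national ID, world-readable) and tightened, the HR note is inventoried but already owner-only, and the README is ignored. In a real environment the pattern table is the part to adapt, and the inventory it produces is exactly the artifact an auditor will ask for.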
There are additional steps businesses can take to better protect the data they have, such as:
- Ensure that corporate policies clearly state your organization’s privacy requirements.
- Utilize “Privacy by Design”. Just like security, privacy should be a key requirement throughout the lifecycle of all applications.
- Have an incident response plan and a disaster recovery plan in place. Spell out clearly the steps to be taken for every element of data handling, and communicate them to everyone responsible for incident response.
- Be ready to notify the relevant supervisory authority within 72 hours of becoming aware of a breach, as GDPR requires.
- Prepare a business continuity plan so that personnel and assets are protected when a cyber attack occurs and business operations do not cease.
“Most importantly, businesses need to know what it means to be breached — so any cyber event that touches personal data collected and stored in any way constitutes a potential cyber attack,” Karstadt says.
Establishing Proper GDPR Controls
Once your business has begun its journey to compliance, it’s important to ensure that your employees are also aware of the GDPR policies put in place. All personnel should have the appropriate level of GDPR privacy training for their role and position within the organization. Once this training is conducted, we recommend testing the GDPR controls you’ve set in place. So, what can this entail?
- Conduct regular reviews of training manuals and procedures.
- Ensure that your security and privacy policies meet GDPR requirements and that they are fully tested and evaluated.
- Perform regular security testing of your internal and external environments, such as a Network Security Assessment and Gap Analysis to evaluate the effectiveness of the controls you currently have in place — especially when it comes to storing, processing, or transmitting data.
- Ensure that your internal IT security team is large enough to protect the data in question and has the knowledge and tools to do so. Consider investing in a Security Information and Event Management (SIEM) platform or a Managed Security Services (MSS) provider to consolidate and triage alerts for you.
The harsh reality of complying with GDPR is that if your business has not already started taking the necessary steps, it is unlikely to get there in less than a month. Your organization can, however, show initiative by getting on track to compliance. Like all compliance frameworks, GDPR is not a milestone but a continuous process.
“If an audit occurs, you must be able to demonstrate that you are in the spirit of the regulation,” Karstadt says.