Protect Personal Data With GDPR Compliance
The General Data Protection Regulation (GDPR) has applied since May 25th, 2018. It replaces the patchwork of national data protection laws with a single set of rules across the EU and enforces the rights of individuals over their personal data.
Any organization handling the personal data of individuals in the EU is bound by the GDPR and must implement the processes and technical measures needed to handle and secure that data properly, including preventing data loss and reporting qualifying personal data breaches to the supervisory authority.
In this article:
- What is GDPR compliance?
- GDPR requirements
- Six considerations for GDPR compliance
- GDPR to be augmented by ePrivacy Regulation
- Learn more about GDPR Compliance
What is GDPR compliance?
GDPR is an EU regulation that protects the personal data of individuals in the EU. It applies to any organization, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour. Organizations found non-compliant face sanctions that can include fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher.
In practice, any company that collects, processes or stores information about individuals in the EU must comply, whether or not it has a business presence in the EU.
GDPR’s main objectives are:
- Establish data protection as a fundamental right — data subjects can access, correct, erase or transfer their personal data
- Enforce baseline requirements — minimum technical and organizational measures that every controller and processor must meet to protect personal data
- Standardize the rules — one set of rules applies across the EU, which also facilitates the legitimate flow of personal data between member states
GDPR protects the following privacy data:
- Personal identity information — name, address, ID numbers
- Web data — location, IP address, cookie data
- Health — including health summaries and diagnoses
- Biometric and genetic data — fingerprints, facial images, voice or gait data, DNA
- Private communications
- Photos and videos
- Cultural, economic or social data
The GDPR was adopted in response to growing public concern about privacy. Europe has traditionally been stricter than most regions about how companies use personal data; the previous EU-wide instrument was the Data Protection Directive (95/46/EC) of 1995.
With the internet now the hub of commerce, a 1995 directive could no longer address the many ways in which data is collected, stored and transferred today. According to the RSA Data Privacy & Security Report, 80 percent of consumers said that loss of banking and financial data is a top concern, and 76 percent cited loss of security and identity information.
GDPR requirements
To start working toward GDPR compliance, begin with an overview of the law's requirements. These rest on a few key terms:
- Data controller — The entity or individual that determines the purposes and means of processing personal data, for example a company that collects personal data from its employees, or an ISP that bills its subscribers
- Data processor — The entity or individual that processes personal data on behalf of a data controller, such as a payroll company
- Data subject — The person whose data is processed by a data controller or a data processor, such as an employee of an organization
- Personal data — Any information relating to an identified or identifiable natural person, including information that identifies them only indirectly
Among the 99 articles of the regulation, those most relevant to the processing and storage of personal data include:
- Article 5 — Fundamental principles about the processing of personal data
- Article 6 — Lawful bases of personal data processing
- Articles 12-22 — The rights of the data subject, including access, rectification, data portability and erasure (the right to be forgotten)
- Article 25 — Data protection by design and by default. The controller must implement measures such as pseudonymization so that personal data cannot be attributed to a data subject without additional information, and must ensure that, by default, only the personal data necessary for each specific purpose is processed.
- Article 32 — Security of processing. Controllers and processors must implement measures appropriate to the risk, including pseudonymization and encryption of personal data; the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore availability of and access to personal data in a timely manner after a physical or technical incident; and a process for regularly testing and evaluating the effectiveness of those technical and organizational measures.
- Article 33 — Mandatory notification of a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it
- Article 35 — Controllers must conduct a Data Protection Impact Assessment (DPIA) before processing that is likely to result in a high risk to individuals, in particular when new technologies are used. The assessment must describe the processing operation and its purpose, assess its necessity and proportionality, and identify the risks and how they will be mitigated.
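As an added example that is not part of the article, the following Python applies the two Article 25 controls, data minimization and keyed pseudonymization, to a constructed HR dataset. The records, purposes, field names and key are all hypothetical; the point is that each purpose receives only the fields it needs, and the analytics output cannot be linked back to a person without the key the controller keeps separately (the "additional information" of Article 4(5)).

```python
"""Added example: data protection by design (Art. 25) on a constructed HR dataset.

Two controls are shown: data minimization (each purpose receives only the fields
it needs) and pseudonymization with a keyed HMAC, so that the output cannot be
attributed to a person without the separately held key (Art. 4(5)).
Records, purposes, field names and the key are all hypothetical.
"""
import hashlib
import hmac
from typing import Any, Callable, Dict, Iterable, Optional, Tuple

# Constructed sample records; the people and figures are invented.
SAMPLE_RECORDS = [
    {"employee_id": "E-1001", "name": "Ana Lindqvist", "email": "ana@example.test",
     "date_of_birth": "1988-04-12", "salary_eur": 54000, "department": "Finance"},
    {"employee_id": "E-1002", "name": "Tomas Berg", "email": "tomas@example.test",
     "date_of_birth": "1991-11-03", "salary_eur": 47000, "department": "Finance"},
]

# Raw fields that identify a person directly and must never reach an analytics purpose.
DIRECT_IDENTIFIERS = {"name", "email", "date_of_birth"}


def birth_year(dob: str) -> str:
    """Coarsen a full ISO date of birth to the year only (generalization)."""
    return dob[:4]


# Per-purpose policy (hypothetical): fields to keep, identifiers to replace with
# pseudonyms, and fields to coarsen into a new, less precise field.
PURPOSE_POLICY: Dict[str, Dict[str, Any]] = {
    # Payroll genuinely needs identity, but not email, birth date or department.
    "payroll": {"keep": {"employee_id", "name", "salary_eur"},
                "pseudonymize": set(),
                "coarsen": {}},
    # Headcount analytics needs a stable join key, department and birth year only.
    "headcount_analytics": {"keep": {"employee_id", "department", "date_of_birth"},
                            "pseudonymize": {"employee_id"},
                            "coarsen": {"date_of_birth": ("birth_year", birth_year)}},
}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 truncated to 128 bits (32 hex chars).

    The same input always yields the same pseudonym, so records stay joinable,
    but without `key` the pseudonym cannot be linked back to the person.
    An unkeyed hash would not do: employee numbers and e-mail addresses are
    cheap to enumerate and reverse by brute force.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def prepare_for_purpose(record: Dict[str, Any], purpose: str, key: bytes) -> Dict[str, Any]:
    """Apply minimization, coarsening and pseudonymization for one purpose."""
    policy = PURPOSE_POLICY[purpose]
    out = {k: v for k, v in record.items() if k in policy["keep"]}  # minimization
    coarsen: Dict[str, Tuple[str, Callable[[Any], Any]]] = policy["coarsen"]
    for field, (new_name, fn) in coarsen.items():
        if field in out:
            out[new_name] = fn(out.pop(field))  # drop the precise value, keep the coarse one
    for field in policy["pseudonymize"]:
        if field in out:
            out[field] = pseudonymize(str(out[field]), key)
    return out


def contains_direct_identifiers(record: Dict[str, Any]) -> bool:
    """Gate to run before handing data to analytics: is any raw direct identifier left?"""
    return any(f in record for f in DIRECT_IDENTIFIERS)


def reidentify(pseudonym: str, known_ids: Iterable[str], key: bytes) -> Optional[str]:
    """Only the controller, holding the key and the identifier list separately,
    can map a pseudonym back to the original identifier."""
    for candidate in known_ids:
        if hmac.compare_digest(pseudonymize(candidate, key), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    key = b"demo-key-held-by-the-controller-only"  # in practice: from a KMS or HSM, never in code
    for rec in SAMPLE_RECORDS:
        analytics = prepare_for_purpose(rec, "headcount_analytics", key)
        assert not contains_direct_identifiers(analytics)
        print(analytics)
```

The payroll output keeps the real identity because that purpose needs it; the analytics output keeps only a pseudonym, the department and a birth year. Rotating the key, or losing it, breaks the link between pseudonym and person entirely, which is exactly what makes the key the asset to protect.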
Six considerations for GDPR compliance
To reach GDPR compliance, there are several considerations to address.
1. Assess the personal data you hold
The first step toward GDPR compliance is assessing the personal data your organization manages. Your evaluation should answer the following questions:
- Is the data sensitive (special category data such as health or biometric data)?
- Where does the data come from, how is it used, and where is it stored?
- How is the data transferred and modified?
- How is the data secured?
- How and when is the data erased?
It is important to follow the journey the data makes through your organization. Conduct regular risk assessments and map the data with input from across the organization, including data shared between business units. Non-obvious sources of personal data include front-desk sign-in sheets, biometric access systems and closed-circuit camera footage.
To stay compliant, repeat this assessment whenever the data or its processing changes, and review it at least annually.
2. Assess the technology you use and address technological issues
Start by reviewing the technologies, including hardware, software, and networks used to obtain, manipulate, process, and transport personal data so you can visualize your data’s journey.
There are several technological controls you should address, such as:
- Enabling two-factor (2FA) or multifactor authentication (MFA) for access to systems that hold personal data
- Encrypting personal data in transit and at rest, and storing passwords only as salted hashes from a slow password-hashing function, never encrypted or in clear text
- Enforcing access controls, and logging and monitoring user activity so that access to personal data can be traced
- Conducting regular vulnerability scans and penetration tests of the network, web applications and services
To maintain compliance, repeat this assessment whenever the organization's technology changes, and review it at least annually.
3. Document data-related business processes
Your organization needs documented business processes for handling personal data. Test them regularly to ensure they work and remain in line with the GDPR.
Some of these data-related business processes include:
- Incident response plan (IRP)
- Business continuity and disaster recovery (BCDR) plan
- Data processing agreement or addendum (DPA) with each processor
It is especially important to test the incident response plan regularly so that you are prepared for a personal data breach: a rehearsed plan lets the organization respond quickly, contain the loss and meet the 72-hour notification deadline. Update the documentation and re-test whenever a process changes.
4. Appoint a data protection officer
The GDPR requires some organizations to appoint a data protection officer (DPO); Article 37 sets out when one is mandatory. A consultant DPO is an option, since the GDPR allows a single DPO to serve several organizations.
5. Create and maintain a data protection plan
Most organizations already have such a plan, but it needs to be reviewed and updated for the GDPR. The plan must cover mobile devices, since employees install personal apps on smartphones and tablets, especially under a bring your own device (BYOD) policy. Review and update the plan periodically.
6. Educate and train your employees
Employees who handle personal data need privacy awareness training that covers the regulation and its impact on their day-to-day work; the GDPR makes staff awareness-raising and training one of the DPO's tasks. Training should be consistent and periodic to build a lasting security mindset.
GDPR to be augmented by ePrivacy Regulation
The GDPR has expanded the protection of personal data, but gaps remain; some of them, such as transparency in the use of big data, are to be addressed by the proposed ePrivacy Regulation. According to the National Law Review, in addition to GDPR, the ePrivacy Regulation will “create a comprehensive set of rules for electronic communications and protect the privacy of end users, the confidentiality of their communications, and the integrity of their devices.” This regulation will cover “not only personal data but also metadata and confidentiality requirements, and will apply to instant messaging apps, Voice over Internet Protocol (VoIP) platforms, and machine-to-machine communication.”
The information provided in this article is a high-level view to help you gain a better understanding of the GDPR and we recommend you take a look at the official resources used for this guide to learn more. Clarifications to the GDPR are ongoing, so please ensure you contact a qualified legal representative to get the most recent advice. The European Data Protection Board (EDPB) website contains up to date guidelines for individuals, controllers and processors.
Oversight and Timely Notification: In addition to acting as a central point of intelligence in the customer’s security ecosystem, Exabeam provides forensics and accurate reporting for better compliance reporting.
Learn more about GDPR Compliance
Download our white paper, “Adhering to GDPR Security Controls with Exabeam” to learn how Exabeam helps organizations meet both technological and operational requirements including:
- External Threat Reduction: Exabeam works alongside existing security solutions, using machine learning and behavioral analytics to identify unusual activity that may be indicative of a hacker’s attempt to find and access data.
- Internal Threat Reduction: Exabeam works alongside identity and access management solutions to prevent security incidents resulting from the accidental or malicious abuse of allocated permissions. By flagging activity that falls outside the norm for a given user, Exabeam helps to detect potential data theft.