On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect.
Before this date, there was a lot of uncertainty about the implications of the GDPR. Under the GDPR, enforcement agencies can impose substantial fines and penalties on non-compliant organizations — but in many ways, it was unclear what “non-compliant” even meant.
As this article is being written, the GDPR recently had its six-month birthday. Now that we’ve seen the GDPR being tested, and we’ve seen what the enforcement authorities are doing, what have we learned about the regulation? And what do organizations need to do to ensure compliance?
Who needs to comply
The GDPR applies to all organizations — no matter where they are headquartered — that collect and process personal data on European subjects. Whether or not your organization has a physical presence in the European Union, if it interacts with people in the EU then the GDPR still applies.
(And even if your organization has no interactions with EU residents, you should still pay attention to the GDPR, because other nations are creating new regulations based upon it. See “Coming to a Regulatory Authority Near You,” at the end of this article.)
Under the GDPR, organizations are expected to use state-of-the-art technologies and methodologies to ensure “privacy by design.” Starting from the early design and specification stages, data protection must be built into their applications, processes, and infrastructures.
This stringent privacy is meant for the individuals (known as “data subjects”) whose data is being collected and retained by organizations (the “data controllers”). The GDPR’s key objective is to give more power to the data subjects, regarding how their information is used, handled, and processed by the data controllers. The more sensitive the personal information is, the tougher the data protection requirements are.
Organizations that process personal data systematically, or on a large scale, or that is particularly sensitive, must appoint a qualified Data Protection Officer to oversee and document the measures being taken to meet the requirements.
In contrast with other data privacy legislation — including the EU directive that the GDPR replaces — the GDPR has clear and effective mechanisms for monitoring compliance and dealing with suspected infractions. Even more important, the penalties for proven non-compliance are substantial enough to act as a real deterrent.
If an organization is found to be non-compliant, the penalties that can be imposed are stiff: up to 4% of annual global turnover or €20 million, whichever is greater.
What you must do
The European Union maintains an extensive GDPR portal, with everything you could possibly want to know about the legislation and how it might affect your organization. Here are some practical steps distilled from it.
First: ensure that the basics are already covered
The GDPR requires diligence in protecting data from compromise. Presumably, this is something your organization takes seriously, even without the GDPR.
However, the GDPR emphasizes a few aspects that are often neglected.
- Anonymization: The GDPR calls for full anonymization of personal identifying information (PII). This is particularly important in sectors where a data breach can impinge on an individual’s rights, such as healthcare, banking, insurance, and HR. Note that pseudonymization is not sufficient, since pseudonymized data can be re-identified through other existing data. PII must be fully anonymized, so that to be identified back to a data subject, it would require new information.
- Internal storage and handling: In many organizations, it is common practice to create secondary data sets of private data such as dev/test copies of production databases, email archives, and mail-merge spreadsheets. Even when these secondary data sets are ephemeral, the same data protection measures must be applied to the source data, i.e., encryption, tokenization, strict access control, and more.
- Email: Tools and processes need to be in place to identify and quarantine outgoing email suspected of containing personal data, whether this occurs through malicious intent or carelessness.
- Web security: Obviously, your first line of defense against data breaches is to harden your web assets (sites and web apps), and always keep your defenses current and up-to-date. Post-GDPR, an organization which has an “Equifax incident” could be considered negligent and therefore liable to fines and penalties. (More on this later.)
Second: ensure the proper procedures are in place for data subjects
The GDPR has significantly extended an individual’s power to control his or her personal data. Conditions for consent have become much stricter, and withdrawal of consent must be as easy as giving it.
Data subjects now have the right to access their personal data. They have the right to know how their personal data is being processed, and for what purpose.
They also have the right to be forgotten. If a data subject withdraws consent, or if the data is no longer relevant to the original purpose for which it was collected and processed, the data subject can demand that the data controller stop all dissemination and processing as well as erase the personal data.
To be GDPR compliant, your organization must be ready to meet these requirements. When a data subject contacts you for one of the above reasons, you must be able to fulfill these obligations completely and quickly. If your organization doesn’t already have the appropriate procedures in place, now’s the time to set them up.
Third: prepare for the worst-case scenario
One of the most important aspects of the GDPR is found within this passage on the EU website:
“A data breach occurs when the data for which your company/organisation is responsible suffers a security incident resulting in a breach of confidentiality, availability or integrity. If that occurs, and it is likely that the breach poses a risk to an individual’s rights and freedoms, your company/organisation has to notify the supervisory authority without undue delay, and at the latest within 72 hours after having become aware of the breach.”
[Emphasis is in the original.]
So if your organization were to suffer a data breach: would you have the ability to immediately and correctly assess the incident’s scope and severity, and pass that information to your local compliance authority within 72 hours?
If not, then you are only one security incident away from violating the GDPR, with all the penalties and fines that can follow.
After an incident: How to avoid penalties and fines
Failure to protect data subjects’ personal information does not necessarily result in a fine. Enforcement authorities understand that breaches can happen even when the organization wasn’t necessarily negligent.
Therefore, if your organization gets breached, you must scrupulously follow the GDPR’s requirements. Doing so means that penalties and fines could be avoided.
For example, we have seen a data breach at a third-party data processor (a survey service provider) that affected the survey data gathered by its customers (the data controllers). Despite the data compromise, the company was not fined, for two reasons:
- The company showed that it had taken reasonable security measures. Even though these measures were (ultimately) ineffective, enforcement authorities did not believe that the company had been negligent.
- Once the breach was discovered, the company meticulously followed GDPR incident-rectification and notification guidelines.
Action step: Map out the internal procedures to follow if a breach occurs, and make sure the appropriate people within your organization understand them. Don’t just leave this up to the IT team: multiple departments must work together at the C-suite level to manage these risks effectively
And do it now. If a breach does occur, you won’t have time to do it then.
How to avoid penalties and fines from other causes
Even if your organization is never breached, you must closely follow the GDPR’s rules. Non-compliant behavior can result in a fine, even if no PII is compromised.
For example, the Data Protection Commissioner of Ireland caught LinkedIn using 18 million email addresses without permission, in order to run targeted ads on Facebook. LinkedIn avoided a fine only because it halted this behavior before the GDPR came fully into effect on May 25.
The timing was less favorable for a Canadian company involved in the Facebook-Cambridge Analytica debacle, which was also caught using personal data for purposes for which they did not have the subjects’ consent. This company has been notified of an impending GDPR fine.
How to avoid non-regulatory penalties
Buried deep within the GDPR is this sentence:
“Any person who has suffered material or non-material damage as a result of an infringement of this regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
Note the word “non-material.” If a breach occurs and your organization is determined to be non-compliant, a data subject can claim compensation from your organization, even if no actual financial damages were suffered.
Therefore, non-compliance can result in both a regulatory penalty (enacted by the regulation’s enforcement authorities) and this non-regulatory penalty (demanded by the victims of the non-compliant activity).
We’re already seeing this occur. A few months ago, British Airways became the target of a $650 million class-action lawsuit, after it announced a breach of data from 380,000 payment-card transactions.
Two important points about this breach:
- British Airways fulfilled all its notification obligations under GDPR.
- The airline immediately offered to reimburse all financial losses incurred by the data subjects as a result of the breach.
Therefore, there is no GDPR liability under the notification requirements, and the victims have no financial damages to claim.
Nevertheless, as this article is being written, the airline is still facing:
- A possible fine from enforcement authorities…
- And the separate class-action lawsuit, based on the “non-material” language in the GDPR.
Both items hinge on a key question: according to the standards of the GDPR, was British Airways negligent? Did the airline provide insufficient security for the data subjects’ information?
If so, then both the lawsuit and an additional fine can apply. If not, then neither will.
The most important thing to remember about the GDPR
The regulations do not provide explicit technological measures for protecting personal data and keeping it private. They do, however, expect companies to seek out and apply state-of-the-art solutions that will ensure security-by-design.
We saw earlier that failure to adhere to GDPR standards for breach notification can result in large penalties. But we also saw that even if an organization meets these standards, a perceived negligence in security can still result in (potentially) ruinous financial damages.
Thus, a robust security posture is essential.
The easiest and most obvious route for hackers to compromise your data is via the web. This raises the question: How good is your web security solution? (Your WAF etc.)
From now on, if you get breached, you can expect a strong backlash from the victims. (In the United Kingdom alone, during the first six months that the GDPR has been in effect, the Information Commissioner’s Office received over 8,000 complaints from the public about data and privacy violations.)
Moreover, it’s safe to assume that at least some of the victims will think about suing you.
(In fact, if the breach is prominent enough, there will be lawyers who will make sure that the victims will sue.)
In this situation, your web security solution must be beyond question. Mere claims about its GDPR compliance are not enough. The victims’ lawyers will try to prove your negligence by showing that your security measures were inadequate.
They will probably ask you questions such as:
- Why do you use a WAF which relies on legacy techniques like signature recognition, and therefore can’t defend against zero-day exploits?
- Why do you use a security solution which relies on outdated bot-detection methods like agent detection and rate limiting, when modern malicious bots can evade these methods?
- Why do you use a security solution which doesn’t use machine learning? Why don’t you use a solution that can detect and adapt to new attack patterns as they arise?
- Why do you use a security solution which can’t enforce API schemas… or support JSON payloads… or have full protection against session manipulation (even CSRF attacks)… and so on.
Thanks to the GDPR and other similar regulations that are coming (see below for more on this), robust web security has never been more important.
Here at Reblaze, we offer an all-in-one web security solution that is based on a no-compromise approach to security. Our customers receive ‘peace-of-mind protection’ for their sites and web apps, from a fully managed, always up-to-date platform.
Reblaze has many advantages compared to other security solutions. It incorporates multiple next-generation technologies such as multivariate threat detection, behavioral analysis, machine learning, and more, providing accurate, adaptive protection.
If you’d like to learn more about Reblaze, or get a demo, just send us an email.
Postscript: Coming Soon to a Regulatory Authority Near You
The GDPR has created sizable waves in the world of data security and privacy. Inspired by the EU’s legislation, other governments are starting to create new privacy regulations of their own.
In the United States
Although the concept of data ownership in the US market is quite different from the GDPR paradigm, many government officials here are seeking similar privacy rights here:
- The State of Delaware passed a data breach notification law that makes it mandatory to notify individuals of a data breach unless the organization can prove that the breach will not have a negative impact.
- In June 2018, the Governor of California signed into law the California Consumer Privacy Act, which significantly strengthens individuals’ rights to know about and control the personal information being collected about them.
- At the federal level, Senator Edward Markey introduced the Cyber Shield Act, a bill that is still making its way through the legislative process. If passed, it will impose security-by-design requirements and security quality rating labels on American businesses.
The Canadian government is also actively examining the advisability of introducing privacy-by-design into its current Personal Information Protection and Electronic Documents Act.
Even if you aren’t currently affected by the GDPR, you should prepare for it anyway. Similar regulations will probably be in place soon in your area.