By now, nearly everyone knows about GDPR and how it completely changed the way the world views privacy rights.
Considered to be one of the world’s strongest data protection laws, GDPR is both comprehensive and wide-reaching. Since 2018, it has served as the global standard for data protection rules — and has inspired similar legislation, like the California Consumer Privacy Act.
But what is GDPR compliance?
Despite its popularity, there are misconceptions about compliance. Perhaps you understand the importance of GDPR but are unsure of how to adhere to its principles. Let’s take a closer look at parts of the GDPR and how they relate to your security strategy. But first, you need to understand the reason behind this law.
GDPR stands for the General Data Protection Regulation. It’s an EU law that took effect in May 2018. It governs privacy, data collection, and data protection within the European Union and the European Economic Area (EEA).
GDPR’s primary purpose is to protect private information and standardize data protection laws across the EU. But more than that, it protects the individual’s fundamental rights and freedoms, with the right to privacy clearly stated in Article 8 of the European Convention on Human Rights.
In other words, if your organization does business in the EU and EEA, you must follow the GDPR regulations. Failure to do so comes with stiff fines and penalties.
It goes without saying that GDPR compliance is good for customers, but it’s good for businesses as well. Its strict privacy regulations:
- Require organizations to strengthen their cybersecurity
- Promote better policies for handling and processing data
- Help strengthen the trust between customers and businesses
GDPR isn’t without challenges. The consequences of non-compliance with the GDPR are significant, and maintaining compliance isn’t easy due to its vague language and the dynamic nature of technology.
Following are some challenges organizations face when adhering to the privacy laws laid forth in the GDPR.
Lack of readiness
Organizations of all sizes struggle with becoming GDPR compliant. Sometimes it’s due to complacency or a lack of understanding. Other times, it’s because consolidating years of data and training employees to follow new data security laws is a long and complex process.
Many companies have addressed this challenge by hiring experts who specialize in helping companies with compliance-related challenges.
Managing external parties
GDPR requires external parties like vendors and contractors (“data processors”) to follow the same legal compliance standards as you, the data controller. This also means your organization is responsible for ensuring all third parties you collaborate with follow protection measures that align with the GDPR, because your organization could be held liable if an external party suffers a data breach.
If your organization uses third parties to process data, evaluate their processing activities to ensure they’re GDPR compliant. You need to know:
- How third parties manage and protect data
- Their protocol for reporting breaches
- Whether their company policies and cybersecurity strategy align with GDPR standards
Meeting your security obligations
While the GDPR doesn’t focus specifically on cybersecurity, the privacy law certainly influences it. Along with requiring protections like identity and access management (IDAM) and encryption, GDPR compliance requires organizations to have an incident response plan ready in the event of a cyberattack.
Meeting these obligations can be a challenge. Though there’s an abundance of tools to strengthen your security posture, that’s not enough to keep you protected.
Additionally, you need a security strategy that includes 24/7 monitoring to quickly detect and mitigate threats. And this requires hiring security experts with the skills to monitor and protect your IT systems.
Vague and ambiguous wording
One of the most frequently vocalized challenges of the GDPR is its ambiguity. Much of the GDPR is written to be vague and open-ended, providing little clarity on the roles and responsibilities of the data controller.
For example, the law states organizations can only process data when it’s “necessary,” but offers little guidance on what is and isn’t deemed necessary. Another example is the broad and confusing definition of personal data. The GDPR defines this as any information relating to an individual’s private, public, or professional life. Personal data can be anything from medical records and financial information to pictures and posts taken from social media.
GDPR Compliance Requirements
As one of the most comprehensive laws passed recently, the GDPR covers a wide range of security and privacy requirements. Following is a GDPR overview and some best practices for maintaining compliance.
Keep in mind this information is for educational purposes only. It is not intended to be legal advice. Always consult a lawyer who specializes in GDPR compliance to assist you with following compliance regulations for your specific circumstances.
Organizations that process personal data are required to follow these seven GDPR principles:
- Lawfulness, fairness, and transparency: Data must be processed lawfully, fairly, and in a transparent manner
- Purpose limitation: When collecting data, it must be for a specific and legitimate purpose and only used for the reason cited
- Data minimization: Organizations must only collect as much personal data as needed for the purposes explicitly specified to the customer
- Accuracy: Personal data must be accurate and kept up to date. Organizations must take all reasonable measures to correct inaccurate data
- Storage limitation: Organizations may only store personal data as long as necessary for their intended purpose
- Integrity and confidentiality: Data must be processed securely, in a way that protects the confidentiality of personal information
- Accountability: The data controller is responsible for ensuring GDPR compliance
Unfortunately, much of the GDPR was written to be vague. The reasoning behind this is that technology constantly changes, which means the practices organizations adopt to protect data must also change. Because of this, understanding how to follow GDPR requirements can be challenging.
Meeting GDPR’s Lawful and Transparency Requirements
The GDPR prohibits organizations from processing data without justification. GDPR Article 6 stipulates that “data controllers” can lawfully process data if the “data subject” gives explicit consent to use their personal data for one or more specific purposes.
In addition, data processing is considered lawful in any of the following scenarios:
- To ensure the performance of a contract between the data subject and the data controller
- If the data controller must process data to comply with a legal obligation
- To protect the vital interests of the data subject or another person
- To carry out a task in the interest of the public or if an official authority has been vested in the data controller
- To protect the legitimate interests of the controller or third party, without violating the rights and freedoms of the data subject
If your justification for collecting data is consent, you’ll need to make sure people have the ability to revoke that consent anytime they want.
If your organization has 250 or more employees or conducts high-risk data processing, you must maintain an up-to-date list of your processing activities as laid out by GDPR Article 30. These records include, but are not limited to:
- Name and contact information of all data controllers
- Reason why you processed the data
- Description of the categories of data subjects and the categories of personal data collected
- All recipients who received or will receive the data collected, including international recipients
- Time limits for erasing the collected data, when possible
- Description of the security measures protecting the data
Organizations required to keep these records must hand over those records to regulators upon request. Organizations under 250 employees should follow the same guidelines, as it can help them maintain GDPR compliance.
Meeting GDPR’s Data Security Requirements
GDPR Article 32 is a very important section for IT security and cybersecurity professionals. This section lays out the steps organizations should follow to secure private data. These steps include:
- Pseudonymizing personal data and protecting it with encryption
- Making data readily available upon request
- Ensuring provisions are in place to prevent data from being accessed or tampered with by unauthorized persons — whether accidentally or deliberately
- Implementing emergency measures (such as offsite backup) to quickly restore access to personal data in the event of an incident
- Implementing a process for regularly testing and evaluating your organization’s data security measures
This means your organization is responsible for protecting private data and keeping it out of the hands of unauthorized parties. Yes, it’s a significant responsibility, and one requiring fundamental changes in how you think about private data. Both data protection and how you collect and manage it must be a priority:
- Limit the data collected from users to only what you need
- Delete data once you have no more use for it
Data protection needs to become an integral part of your organization’s culture. Everyone from C-level executives to employees must be on board for data protection.
Create an internal security policy
Remember, GDPR compliance is about data protection and privacy — cybersecurity is only a portion of that. A robust security strategy is an important part of maintaining compliance. But you also need to protect yourself from internal threats.
When we speak of internal threats, it’s not just malicious insiders who deliberately steal private information. It’s also employees who mishandle data and/or practice poor security hygiene. That’s why you need to create a policy that ensures everyone within your organization knows how to protect and manage data.
Educate your employees on topics like:
- Email security
- Using strong passwords and multi-factor authentication
- Encrypting devices, and other good practices for internal security
Consider giving extra training to employees who handle personal data to lessen the human errors that leave you open to threats.
Conduct impact assessments
GDPR Article 35 requires organizations to conduct a data protection impact assessment (DPIA) when processing data in a way that could “result in a high risk” to the freedom and rights of the person.
Unfortunately, GDPR does not define high-risk data. However, many organizations use the guidelines laid forth by the European Data Protection Board on DPIA to determine what is high-risk data. This data includes, but is not limited to:
- Innovative technology
- Decisions surrounding credit checks, mortgage applications, and other screening processes related to products, services, opportunities, or benefits
- Large-scale data profiling
- Biometric data
- Personal data pulled from multiple sources
- Personal data not obtained from the subject, when the data controller has difficulty proving (or cannot prove) compliance with Article 14
- Tracking data that looks at an individual’s geolocation and behavior
There’s nothing new about DPIAs. A DPIA is essentially a business impact analysis (BIA) under a different name. While GDPR compliance only requires companies processing high-risk data to perform these assessments, it’s a good idea for everyone to do so as a way to minimize risk.
Article 35 sets some guidelines for performing a DPIA. These guidelines include:
- Consulting with a data protection officer
- Providing a description of processing operations, including the interests pursued by the data controller
- An assessment of the necessity of the data being collected
- An assessment of the risks to the freedom and rights of the data subject
- Safeguards and security measures put in place to minimize risks and protect the data subject
Understanding the GDPR Notification Requirements
The GDPR requires organizations to notify the authorities within 72 hours of experiencing a data breach. While this seems like a straightforward process, there are a few things to take note of. Here’s what you need to know.
GDPR meaning of a data breach
Defining a data breach is pretty cut and dried: sensitive and/or private data has been compromised by an external threat. Data commonly accessed in data breaches includes:
- Email addresses and passwords
- Social security numbers
- Financial information, like credit card numbers and banking details
GDPR expands that definition of a data breach to cover a broader range of accidental and deliberate circumstances.
The law broadly defines a data breach as a cybersecurity incident that affects the integrity, confidentiality, or availability of personal data. This means data breaches aren’t simply cybersecurity incidents where private data is lost.
Here are some examples of personal data breaches, as defined by the GDPR:
- When data is accessed by an unauthorized party
- Accidental and deliberate actions (and inactions) by a data controller or data processor
- Sending personal data to the wrong recipient
- Personal data altered without permission
- When computing devices that contain personal data are lost or stolen
- Any personal data that becomes unavailable
Even though the WannaCry ransomware attack of 2017 didn’t result in stolen data, it qualifies as a personal data breach under the GDPR. The reason is that the ransomware used encryption to make personal data inaccessible to the organizations that held it.
In other words, any incident involving personal data that could risk the rights and freedoms of a person should be treated like a data breach under the GDPR requirements. And it should be reported to the relevant authorities within 72 hours.
A key point to note is GDPR will not save you from a ransomware attack — it’s a mechanism to reduce risk and protect data. Data residency and GDPR are linked, but they aren’t the same thing. Applying principles to data residency is important regardless of where your data resides. Furthermore, know where your most important data is and how to secure it; a blanket approach cannot always be achieved.
Who do you report to?
Now that you know what a data breach is, who do you notify?
There isn’t a straightforward answer for this, either. While you can find a list of official National Data Protection Authorities on the European Union website, the law doesn’t specify which public authority you should notify if your organization isn’t based in the EU.
If your organization is based in an English-speaking country outside of the EU, consider reporting your data breach to the Office of the Data Protection Commissioner in Ireland.
You can find more information about reporting in GDPR Article 33. Following are some points to keep in mind in the event of a data breach:
- Data processors are required to notify data controllers without undue delay
- Data controllers are required to notify the authorities within 72 hours
What’s more, GDPR Article 34 requires data controllers to notify individuals in the event of a high-risk breach. This is only required if:
- The private data isn’t unintelligible to the unauthorized party (not anonymized, encrypted, etc.)
- The controller hasn’t taken measures to prevent the compromised data from becoming a risk to the individuals affected
- Public notifications wouldn’t be effective
What to include in your report
Article 33 outlines the information your organization should include in its incident report:
- Description of the data compromised. If possible, include categories, approximate number of data subjects, and approximate number of personal data records
- The name and information of the data protection officer who can be contacted for additional information
- Description of the likely consequences of the breach
- Description of measures proposed or taken to address the breach and mitigate its effects
If you’re unable to provide all this information at once, you can report it in phases without undue further delay.
Strengthening GDPR Compliance with Cybersecurity
British Airways initially faced fines of $238 million for a 2018 data breach that compromised 430,000 customers’ personal data. While the final fine was $28 million to account for the economic impact of COVID-19, one thing is certain: the penalty for noncompliance is strict.
Similarly, Swedish clothing retailer H&M received a fine of approximately $41 million for violating the GDPR.
Clearly, the need for GDPR compliance and good cybersecurity is more important than ever. But if it’s impossible to prevent 100% of attacks, how do you protect your organization from data breaches that could turn into compliance nightmares?
Your response time is important. The quicker you respond to a data breach, the easier it is to mitigate the damage. Unfortunately, IBM found the average time it takes for an organization to identify and contain a breach is 277 days.
You don’t want to be an organization that takes months to contain a data breach. It will cost your company a lot of money in penalties, fines, and lost sales. That’s why you should protect your data with a managed detection and response (MDR) solution that gives you 24/7 monitoring.
A good MDR provider will notify you of potential breaches or suspicious activity within minutes. This means you can investigate and address the incident, minimizing the severity of the impact or possibly avoiding damage altogether.
Get GDPR Security Capabilities with Fortra’s Alert Logic
Fortra’s Alert Logic MDR solution will help you strengthen your security posture to GDPR-compliance levels. Alert Logic provides:
- 24/7 monitoring and response by security professionals for your on-premises and cloud environments
- Assessment, detection, and alerting capabilities designed to ensure you maintain necessary security measures
- Intrusion Detection Systems (IDS) that identify potential threats, like brute force attacks, command and control exploits, and privilege escalations
- Automated log management, web application monitoring, and other security tools to minimize threats and reduce your response time
Suffering a data breach can be catastrophic. Even if you can pay the fines and penalties, the damage to your reputation may be beyond repair. It’s a situation you and your customers never want to be in.
Request an MDR demo today and see why many organizations entrust Alert Logic with their security and GDPR compliance needs.