By now, nearly everyone knows about GDPR and how it completely changed the way the world views privacy rights.
Considered to be one of the world’s strongest data protection laws, GDPR is both comprehensive and wide-reaching. Since 2018, it has served as the global standard for data protection rules –– and has inspired similar legislation, like the California Consumer Privacy Act.
But what is GDPR compliance, exactly?
Despite its popularity, there are still a few misconceptions about compliance. Perhaps you understand the importance of the GDPR, but you’re not completely sure how to adhere to its principles.
In this post, we’re going to take a closer look at parts of the GDPR and how they relate to your cybersecurity strategy. But first, let’s take a brief look at the reason behind this law.
GDPR stands for the General Data Protection Regulation. It’s an EU law that went into effect in May 2018. It governs privacy, data collection, and data protection within the European Union and the European Economic Area (EEA).
The primary purpose of the GDPR is to protect private information and standardize data protection laws across the EU. But more than that, it’s to protect the individual’s fundamental rights and freedom –– and the right to privacy is clearly stated in Article 8 of the European Convention on Human Rights.
In other words, if your organization does business in the EU and EEA, you must follow the GDPR regulations. Failure to do so comes with stiff fines and penalties.
Challenges of the GDPR
It goes without saying that GDPR compliance is good for customers, but it’s good for businesses as well. Its strict privacy regulations:
- Require organizations to strengthen their cybersecurity
- Promote better policies for handling and processing data
- Help strengthen the trust between customers and businesses
But the GDPR isn’t without challenges. The consequences of not complying with the GDPR are significant, and maintaining compliance isn’t easy due to its vague language and the dynamic nature of technology.
Below are some challenges organizations face when adhering to the privacy laws laid forth in the GDPR.
Lack of readiness
Organizations of all sizes have struggled with becoming GDPR compliant. Sometimes it’s due to complacency or a lack of understanding. Other times, it’s because consolidating years of data and training employees to follow new data security laws is a long and complex process.
Many companies have addressed this challenge by hiring experts who specialize in helping companies with compliance-related challenges.
Managing external parties
The GDPR requires external parties like vendors and contractors (who are referred to as “data processors”) to follow the same legal compliance standards as you, the data controller. This also means that your organization is responsible for ensuring all third parties you collaborate with follow protection measures that align with the GDPR, because your organization could be held liable if an external party suffers a data breach.
If your organization uses third parties to process data, it’s important for you to evaluate their processing activities to ensure they’re GDPR compliant. You need to know:
- How third parties manage and protect data
- Their protocol for reporting breaches
- Whether their company policies and cybersecurity strategy align with GDPR standards
Meeting your security obligations
While the GDPR doesn’t focus specifically on cybersecurity, the privacy law certainly influences it. Along with requiring protections like identity and access management (IDAM) and encryption, GDPR compliance requires organizations to have an incident response plan ready in the event of a cyberattack.
Meeting these obligations can be challenging for many organizations. Though there’s an abundance of tools on the market to strengthen the security posture of your company, that’s not enough to keep you protected. You also need a security strategy that includes around-the-clock monitoring, so you can quickly detect and mitigate the threats that breach your security. And this requires hiring security experts with the skills necessary to monitor and protect your IT systems.
Vague and ambiguous wording
One of the most frequently vocalized challenges of the GDPR is its ambiguity. Much of the GDPR is written to be vague and open-ended, providing little clarity on the roles and responsibilities of the data controller.
For example, the law states that organizations are only allowed to process data when it’s “necessary,” but offers little guidance on what is and isn’t deemed necessary. Another example is the broad and confusing definition of personal data. The GDPR defines this as any information relating to an individual’s private, public, or professional life. This means that personal data can be anything from medical records and financial information to pictures and posts taken from social media.
GDPR Compliance Requirements
As one of the most comprehensive pieces of legislation passed in the EU in recent times, the GDPR covers a wide range of security and privacy requirements. Below is a GDPR overview and some best practices for maintaining compliance.
Keep in mind that the information in this post is for educational purposes only. It is not intended to be legal advice. Always consult a lawyer who specializes in GDPR compliance and can assist you with following compliance regulations with your specific circumstances in mind.
Under the GDPR, organizations that process personal data are required to follow these seven principles:
- Lawfulness, fairness, and transparency: Data must be processed lawfully, fairly, and in a transparent manner
- Purpose limitation: Data has to be collected for a specific and legitimate purpose, and it should not be used for anything other than what it’s being collected for
- Data minimization: Organizations must only collect as much personal data as needed for the purposes explicitly specified to the customer
- Accuracy: Personal data must be accurate and kept up to date. Organizations are required to take all reasonable measures to ensure inaccurate data is corrected
- Storage limitation: Organizations may only store personal data as long as necessary for their intended purpose
- Integrity and confidentiality: Data must be processed securely, in a way that protects the confidentiality of personal information
- Accountability: The data controller is responsible for ensuring GDPR compliance
Unfortunately, much of the GDPR was written to be vague. The reasoning behind this was that technology is constantly changing, which means the practices organizations take to protect data must change alongside it. Because of this, understanding how to follow the GDPR requirements can be challenging.
Meeting the Lawful and Transparency Requirements
The GDPR prohibits organizations from processing data without justification. Article 6 stipulates that “data controllers” can lawfully process data if the “data subject” gives explicit consent to use their personal data for one or more specific purposes.
Data processing is also considered lawful for one of the following scenarios:
- To ensure the performance of a contract between the data subject and the data controller
- If the data controller must process data to comply with a legal obligation
- To protect the vital interests of the data subject or another person
- To carry out a task in the interest of the public or if an official authority has been vested in the data controller
- To protect the legitimate interests of the controller or third party, without violating the rights and freedoms of the data subject
If your justification for collecting data is consent, you’ll need to make sure people have the ability to revoke that consent anytime they want.
If your organization has 250 or more employees or conducts high-risk data processing, you are required to maintain an up-to-date record of your processing activities as laid out by Article 30. These records include, but are not limited to, the:
- Name and contact information of all data controllers
- Reason why you’re processing the data
- Description of the data subject categories and the categories of personal data collected
- All recipients who have received (or will receive) the data collected, including international recipients
- Time limits for erasing the collected data, when possible
- Description of the security measures used to protect the data
Organizations required to keep these records are also required to hand over those records to regulators upon request.
Organizations under 250 employees are also encouraged to follow the same guidelines, as it can help them maintain GDPR compliance.
Meeting the Data Security Requirements
Article 32 of the GDPR is a very important section for IT security and cybersecurity professionals. This section lays out the steps organizations should follow to secure private data. These steps include:
- Pseudonymizing personal data and protecting it with encryption
- Making data readily available upon request
- Ensuring provisions are in place to prevent data from being accessed or tampered with by unauthorized persons –– whether accidentally or deliberately
- Implementing emergency measures (such as offsite backup) to quickly restore access to personal data in the event of an incident
- Implementing a process for regularly testing and evaluating your organization’s data security measures
This means your organization is responsible for keeping private data protected and out of the hands of unauthorized parties. It’s a big responsibility, and it requires you to fundamentally change the way you think about private data. Not only should data protection be at the forefront of your mind, you should also reconsider how you collect and manage data.
- Limit the data collected from users to only what you need
- Delete data once you have no more use for it
Data protection needs to become an integral part of your organization’s culture, and something that’s stressed to everyone from C-level executives to employees.
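The first Article 32 item above names pseudonymization but says nothing about what separates a real pseudonym from a plain hash of the identifier. The following Python is an added example, not code from the original post or from Alert Logic: it tokenizes a direct identifier with a keyed HMAC so that records about the same person stay linkable for analysis, and then runs the check a defender should run, namely whether the tokens can be mapped back to identifiers without the key. The sample records, the guess list and every name in the block (`SAMPLE_RECORDS`, `keyed_pseudonym`, `recoverable`, and so on) are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the addresses are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "order_total": 120.50},
    {"email": "bob@example.com", "order_total": 39.99},
    {"email": "alice@example.com", "order_total": 15.00},
]

# Constructed list of identifiers someone could plausibly guess or already hold.
GUESSABLE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. Anyone who can guess the input can
    recompute the token, so this does not make the data unintelligible."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Under the GDPR idea of pseudonymization
    the key is the 'additional information' that must be stored separately
    from the dataset and under its own access controls."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(records: list[dict], key: bytes) -> list[dict]:
    """Replace the direct identifier with a keyed token. The same person gets
    the same token, so per-subject analysis (totals, counts) still works."""
    return [
        {"subject": keyed_pseudonym(r["email"], key), "order_total": r["order_total"]}
        for r in records
    ]


def recoverable(tokens: set[str], candidates: list[str], token_fn) -> dict[str, str]:
    """Defender's check: recompute token_fn over a candidate list and report which
    tokens map back to an identifier. An empty result means the tokens alone
    do not reveal who the subjects are."""
    table = {token_fn(c): c for c in candidates}
    return {t: table[t] for t in tokens if t in table}


def spend_per_subject(pseudonymized: list[dict]) -> dict[str, float]:
    """Aggregate on the token instead of the e-mail address."""
    totals: dict[str, float] = {}
    for r in pseudonymized:
        totals[r["subject"]] = round(totals.get(r["subject"], 0.0) + r["order_total"], 2)
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: generated and held in a separate key store
    tokens = pseudonymize_records(SAMPLE_RECORDS, key)
    print("per-subject spend:", spend_per_subject(tokens))
    naive = {naive_hash(r["email"]) for r in SAMPLE_RECORDS}
    print("naive tokens recoverable:", recoverable(naive, GUESSABLE_EMAILS, naive_hash))
    keyed = {r["subject"] for r in tokens}
    other_key = secrets.token_bytes(32)
    print("keyed tokens recoverable without the key:",
          recoverable(keyed, GUESSABLE_EMAILS, lambda x: keyed_pseudonym(x, other_key)))
```

The point the check makes is that an unkeyed hash of an e-mail address is recoverable from any list of plausible addresses, whereas the keyed token is only recoverable by whoever holds the key. That separation between dataset and key is what lets a leaked copy of the pseudonymized table count as data that is unintelligible to the unauthorized party, the property Article 34 relies on in the notification exemption discussed later in the post; if the key leaks alongside the data, the exemption does not apply.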
Create an internal security policy
Remember, GDPR compliance is about data protection and privacy –– cybersecurity is only a portion of that. Having a robust cybersecurity strategy is an important part of maintaining compliance, but you also need to protect yourself from internal threats.
When we speak of internal threats, we’re not just talking about malicious insiders who are deliberately stealing private information. We’re also talking about well-meaning employees who mishandle data and/or practice poor security hygiene, leaving your systems vulnerable to attacks. That’s why you need to create a policy that ensures everyone within your organization knows how to protect and manage data.
Educate your employees on topics like:
- Email security
- Using strong passwords and two-factor authentication
- Encrypting devices, and other good practices for internal security
Also, consider giving extra training to any employees that handle personal data, so they’re less likely to make mistakes that leave you open to threats.
Conduct impact assessments
Article 35 requires organizations to conduct a data protection impact assessment (DPIA) when processing data in a way that could “result in a high risk” to the freedom and rights of the person.
Unfortunately, the GDPR doesn’t offer a definition of high-risk data. Many organizations use the guidelines laid forth by the European Data Protection Board on DPIA to determine what is high-risk data. This data includes, but is not limited to:
- Innovative technology
- Decisions surrounding credit checks, mortgage applications, and other screening processes related to products, services, opportunities, or benefits
- Large-scale data profiling
- Biometric data
- Personal data pulled from multiple sources
- Personal data not obtained from the subject, when the data controller has difficulty proving (or cannot prove) compliance with Article 14
- Tracking data that looks at an individual’s geolocation and behavior
There’s nothing new about DPIAs. A DPIA is essentially a business impact analysis (BIA) under a different name. While GDPR compliance only requires companies processing high-risk data to perform these assessments, it’s a good idea for everyone to do it as a way to minimize risk.
Article 35 sets some guidelines for performing a DPIA. These guidelines include:
- Consulting with a data protection officer
- Providing a description of processing operations, including the interests pursued by the data controller
- An assessment of the necessity of the data being collected
- An assessment of the risks to the freedom and rights of the data subject
- Safeguards and security measures put in place to minimize risks and protect the data subject
Understanding the GDPR Notification Requirements
The GDPR requires organizations to notify the authorities within 72 hours of experiencing a data breach. While this seems like a pretty straightforward process, there are a few things you should understand. Here’s what you need to know.
The GDPR meaning of a data breach
The conventional definition of a data breach is pretty cut and dried –– sensitive and/or private data has been compromised by an external threat. Data commonly accessed in data breaches include:
- Email addresses and passwords
- Social security numbers
- Financial information, like credit card numbers and banking details
But the GDPR expands the definition of a data breach to include the scenario mentioned above, in addition to a broader range of accidental and deliberate circumstances.
The law broadly defines a data breach as a cybersecurity incident that has affected the integrity, confidentiality, or availability of personal data. In other words, data breaches aren’t simply cybersecurity incidents where private data is lost.
Here are some examples of personal data breaches, as defined by the GDPR:
- When data is accessed by an unauthorized party
- Accidental and deliberate actions (and inactions) by a data controller or data processor
- Sending personal data to the wrong recipient
- Personal data that was altered without permission
- When computing devices that contain personal data are lost or stolen
- Any personal data that becomes unavailable
Even though the WannaCry ransomware attack of 2017 didn’t result in stolen data, it’s classified as a personal data breach under the GDPR. The reason is that the ransomware used encryption to make personal data inaccessible to the organizations that held it.
In other words, any incident that involves personal data and could risk the rights and freedoms of a person should be treated like a data breach under the GDPR requirements –– and should be reported to the relevant authorities within 72 hours.
A key point to note is that GDPR is not going to save you from a ransomware attack –– it’s a mechanism to reduce risk and protect data. Data residency and GDPR are linked, but they aren’t necessarily the same thing. Applying these principles is important regardless of where your data resides. Further, know where your most important data is and how best to secure it, since a blanket approach cannot always be achieved.
Who do you report to?
Now that you know what a data breach is, who do you notify?
There isn’t a straightforward answer for this, either. While you can find a list of official National Data Protection Authorities on the European Union website, the law doesn’t specify which public authority you should notify if your organization isn’t based in the EU.
If your organization is based in an English-speaking country outside of the EU, consider reporting your data breach to the Office of the Data Protection Commissioner in Ireland.
You can find more information about reporting in Article 33. Below are some points to keep in mind in the event of a data breach:
- Data processors are required to notify data controllers without undue delay
- Data controllers are required to notify the authorities within 72 hours
What’s more, Article 34 requires data controllers to notify individuals in the event of a high-risk breach. This is only required if:
- The private data isn’t unintelligible to the unauthorized party (wasn’t anonymized, encrypted, etc.)
- The controller hasn’t taken measures to prevent the compromised data from becoming a risk to the individuals affected
- Public notifications wouldn’t be effective
What to include in your report?
Article 33 outlines the information your organization should include in its incident report.
- Description of the data compromised. If possible, include categories, approximate number of data subjects, and approximate number of personal data records
- The name and information of the data protection officer who can be contacted for additional information
- Description of the likely consequences of the breach
- Description of measures proposed or taken to address the breach and mitigate its effects
If you’re unable to provide all this information at once, you can report it in phases without undue further delay.
Strengthening GDPR Compliance with Cybersecurity
British Airways was initially fined a whopping $238 million for a 2018 data breach that compromised the personal data of 430,000 customers. While their fine was ultimately reduced to $28 million to account for the economic impact of COVID-19, one thing is for certain –– the penalty for noncompliance is strict.
Similarly, last year Swedish clothing retailer H&M was fined more than €35 million (approximately $41 million) for violating the GDPR.
As you can see, the need for GDPR compliance and good cybersecurity is more important than ever. But if it’s impossible to prevent 100% of attacks, how do you protect your organization from data breaches that could turn into compliance nightmares?
Your response time is important. The quicker you respond to a data breach, the easier it is to mitigate the damage. Unfortunately, IBM found that the average time it takes for an organization to identify and contain a breach is 280 days.
You don’t want to be one of the organizations that takes months to contain a data breach. It will cost your company a lot of money in penalties, fines, and lost sales. That’s why you should keep your sensitive data protected with an effective Managed Detection and Response (MDR) solution that provides you with around-the-clock monitoring.
A good MDR provider will notify you of potential breaches or suspicious activity within minutes. This means you can investigate and address the incident, minimizing the severity of the impact or possibly avoiding damage altogether.
Get GDPR Security Capabilities with Alert Logic
Alert Logic’s innovative MDR solution will help you strengthen your cybersecurity posture to GDPR-compliance levels. Alert Logic provides:
- 24/7 monitoring and response by cybersecurity professionals for your on-premises and cloud environments
- Assessment, detection, and alerting capabilities designed to ensure you maintain necessary security measures like encryption and access controls
- Intrusion Detection Systems (IDS) that identify potential threats, like brute force attacks, command and control exploits, and privilege escalations
- Automated log management, web application monitoring, and other security tools to minimize threats and rapidly reduce your response time
Suffering a data breach can be catastrophic. Even if you can afford to pay the fines and penalties, you could damage your reputation beyond repair. It’s a situation you and your customers never want to be in.
Request an MDR Demo today and see why many organizations trust Alert Logic with GDPR compliance and their cybersecurity needs.