The European General Data Protection Regulation, better known as GDPR, will take effect on May 25, 2018. When it does, every business, organization, or government agency that collects information on European Union (EU) citizens (in other words, just about everyone) will be forced to radically change how it manages customer data and security. If you don’t, the cost of noncompliance is significant: fines can reach up to €20M ($23.5M) or 4 percent of annual sales, whichever is higher.
But according to a study by business analytics firm SAS, nearly half of all companies say they are not yet fully aware of the impact GDPR will have on their business nor do they have the process and people in place to comply. What’s worse, of those who do have a process in place, one-third fear that it still won’t result in compliance.
This compliance gap is based on many factors, most notably the confusion arising from GDPR allowing each EU member country to enforce the regulation as they see fit. That means there could be up to 28 different interpretations. Furthermore, some are questioning whether regulating bodies will even have the staff to enforce the regulations, potentially leading to “arbitrary” enforcement.
Are you ready for GDPR?
GDPR is intended to update the EU’s current, 1990s era regulations, and to create a common standard across EU countries. At its core, the regulation aims to protect the data of EU citizens and empower them with rights concerning the privacy of their data. It’s being billed as “an evolution, not a revolution” by its creators, which implies that it’s not as harsh as it might sound. But it does bring with it significant changes in how organizations are expected to manage and secure customer data.
First, it’s important to understand what’s covered by GDPR. If you hold any personal data (photos, social media posts, IP addresses, location data, etc.) on any European Union citizen (that’s 512 million people, about 13 percent of the global population of internet users), you’re covered by this regulation.
Second, GDPR applies to your organization no matter where it resides. So if there’s a chance someone from the EU visited your website, you’re bound by GDPR, even if you’re located outside of the EU.
Third, much of the focus is on two areas: data portability (if I ask for my data, you must give me my data) and the right to be forgotten (if I ask you to delete my data, you must delete my data). Those requirements may force major architectural, engineering, and process changes in order to comply with requests from any number of individual citizens.
Finally, and most relevant for CISOs and security teams, there are a couple of key points buried in the language that directly cover security, testing, and data breaches that are designed to ensure better data protection and management by the organizations holding data. In other words, if you’re collecting the data, GDPR expects you to be taking steps to protect said data.
GDPR’s Impact on Security
Here are three key provisions in GDPR related to security and vulnerability testing:
Article 32, 1.d. — Organizations shall implement measures to ensure “...a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Article 32, 2. — “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
Article 33, 1. — “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.”
Essentially, security teams must regularly assess their security, pay particular attention to avenues for unauthorized access to personal data, and, if a breach is discovered (not a bug, but a breach), EU authorities must be notified within 3 days.
If you fail to comply with any of these provisions, the fine can be up to €20M ($23.5M) or 4 percent of annual sales, whichever is higher.
GDPR and Hacker-Powered Security
GDPR is daunting, to be sure. You have mere months to get new code out the door so you can comply with data portability regulations. At the same time, you need to be sure you’re testing the code before and after it’s live so you’re not releasing new bugs into production. You’re also required to regularly test your security and assess the potential for unauthorized access to customer data. And you still have to worry about your existing bugs, whether they impact customer data or not.
Here’s how hacker-powered security can help.
Continuous security coverage
Hacker-powered security gives you a continuous blanketing of expert, white-hat hackers to test your code, search for vulnerabilities, and report them back to you. They’re looking at old code, new code, and any code you’d like them to look at, and they’re looking constantly.
You must disclose breaches, but not bugs
Remember, too, that you have just 3 days to disclose any data breach. You’ll rarely be able to fix a bug in that short timeframe, so the best you can do is find bugs on your own terms and via a process you control. When you find a bug yourself, there’s no need to disclose it.
Hackers must know how to alert you to bugs
Before friendly hackers can tell you what they’ve found, they need to know how to tell you. That’s why a vulnerability disclosure policy (VDP) is table stakes in this game. Every organization should have a VDP that’s easy to find and easy to follow. Unfortunately, research shows that 94 percent of big companies don’t have obvious VDPs.
3 Things You Should Do Today
No matter how you’re preparing for GDPR, here are a few things you should do immediately.
Publish a VDP: Hopefully the specter of GDPR pushes more organizations to publish a VDP, and soon. It’s a fairly simple exercise: here’s a free guide on how to follow best-practices and see General Motors VDP as an example of how a best-in-class VDP is presented.
Designate a Data Protection Officer: Depending upon the type and amount of data you’re processing, GDPR’s Article 37 might require that you designate a Data Protection Officer (DPO). If it applies to you, start searching for your DPO.
Escalate Security: If you have yet to make security a C-level issue at your place of work, this is your chance. GDPR is just one more reason to elevate your entire security strategy to the boardroom, and there’s no better attention grabber than a recognized, new compliance requirement that could potentially cost you 4 percent of your revenue.
Need more help or advice? Contact our security experts today.