The new GDPR (General Data Protection Regulation) is nearly upon us and mentions security a number of times. What does this really mean for businesses? Ian takes a look.
Get the ship in order…
In 2017 Ian was heavily involved with designing a data-centric security assessment framework for GDPR. The framework defined the key areas to assess and carry out an effective self-audit. The results? A gap analysis identifying risks, issues and vulnerabilities that needed to be logged and recommendations for remediation.
If you haven’t taken any action yet, now is the time to start getting the ship in order. Before you consider new technologies such as tokenisation or encryption, make sure you review your existing security tool set. Completing a gap analysis will help create a clear plan of action for remediating vulnerabilities in your environment. The complexity and volume of work will differ vastly depending upon the type of organisation you work for, but the principles remain the same. It’s also worth reviewing how many layers of security you have in place. Do you have a culture of defence in depth?
Article 32 – Security of processing
Let’s look in more detail at what the GDPR expects from a security perspective. The first port of call is Article 32, ‘Security of processing’. The article is short and easy to read through; however, it contains some key requirements and expectations. The most pertinent is:
“the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”
There is a similar mention within Article 5 of the “use of appropriate technical or organisational measures” too. It is also vital to understand that these requirements apply to both controllers and processors of personal data. Paragraph 1 contains four requirements that are determined by appropriateness; let’s examine each one:
(a) the pseudonymisation and encryption of personal data
If an organisation is processing large volumes of personal data or sensitive categories, then this is quite a game changer. Encryption in transit has long been an accepted standard for email (TLS) and for file transfers (SFTP). There now appears to be a clear expectation for organisations to encrypt data at rest as well. Performance and cost become a clear challenge here, and this is where solutions offering partial depersonalisation or pseudonymisation come into play. They enable businesses to protect the high-risk fields whilst seeing less of a performance hit than encrypting everything.
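To make the pseudonymisation idea concrete, here is an added example (not code from the original article) showing field-level pseudonymisation: direct identifiers in a record are swapped for random tokens, and the token-to-value mapping is held in a separate “vault” that is stored and access-controlled apart from the processing data set. The processing system only ever handles the pseudonymised records; re-identification requires the vault. The field names, the choice of which fields count as direct identifiers, and the sample records are all constructed assumptions for this illustration.

```python
"""Field-level pseudonymisation with a separately held token vault.

Added example, not from the original article. Assumptions (constructed):
the record layout, the DIRECT_IDENTIFIERS list, and the sample records.
"""
import secrets

# Fields treated as direct identifiers and therefore tokenised (assumed).
# Indirect fields such as year of birth or postcode area stay in the clear so
# the processing system can still analyse them.
DIRECT_IDENTIFIERS = ("name", "email", "national_id")
TOKEN_PREFIX = "tok_"


class TokenVault:
    """Holds token -> original value. In a real deployment this lives in a
    separate, more tightly controlled store than the pseudonymised data."""

    def __init__(self):
        self._by_token = {}   # token -> original value
        self._by_value = {}   # (field, value) -> token; same value => same token

    def tokenise(self, field, value):
        """Return a stable random token for (field, value)."""
        key = (field, value)
        if key in self._by_value:
            return self._by_value[key]
        token = TOKEN_PREFIX + secrets.token_hex(8)  # unguessable, not derived from value
        self._by_token[token] = value
        self._by_value[key] = token
        return token

    def lookup(self, token):
        return self._by_token[token]

    def __len__(self):
        return len(self._by_token)


def pseudonymise(record, vault):
    """Return a copy of record with direct identifiers replaced by tokens."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = vault.tokenise(field, out[field])
    return out


def reidentify(record, vault):
    """Reverse pseudonymise() using the vault (only the vault holder can do this)."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        value = out.get(field)
        if isinstance(value, str) and value.startswith(TOKEN_PREFIX):
            out[field] = vault.lookup(value)
    return out


def contains_direct_identifiers(record):
    """True if any direct identifier field still holds a non-token value."""
    for field in DIRECT_IDENTIFIERS:
        value = record.get(field)
        if value is not None and not (isinstance(value, str) and value.startswith(TOKEN_PREFIX)):
            return True
    return False


# Constructed sample records for the demonstration.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "dob_year": 1984, "postcode_area": "SW1"},
    {"name": "Bob Sample", "email": "bob@example.test", "dob_year": 1990, "postcode_area": "M1"},
    {"name": "Alice Example", "email": "alice@example.test", "dob_year": 1984, "postcode_area": "SW1"},
]


def demo(records=SAMPLE_RECORDS):
    """Pseudonymise the records, then restore them; returns both lists and the vault."""
    vault = TokenVault()
    pseudonymised = [pseudonymise(r, vault) for r in records]
    restored = [reidentify(p, vault) for p in pseudonymised]
    return pseudonymised, restored, vault


if __name__ == "__main__":
    pseudo, back, v = demo()
    for p in pseudo:
        print(p)
    print("vault entries:", len(v), "round-trip ok:", back == SAMPLE_RECORDS)
```

Two design points worth noting. First, tokens are random rather than hashes of the value, so someone holding only the pseudonymised data cannot test guesses against them; the trade-off is that the vault becomes the crown jewels and needs its own access control, logging and backup. Second, the same value always maps to the same token, which keeps joins and de-duplication working across records but also makes the data linkable; whether that consistency is acceptable is a DPIA question rather than a coding one.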
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
The latter three requirements have been kept together as they go hand in hand. What would you do in a disaster scenario? Are personal data, and the systems needed to interpret that data, being regularly backed up? Can they be restored in a timely manner? Is there a risk of data loss? Disaster recovery solutions such as data replication and backup technologies are vital to businesses of all sizes. Do you have a DR plan? How do you test the capability, and have you walked through a DR scenario or even carried out a real test? You’ll also need to consider the areas outside of IT that need to be involved and decide, as a business, who leads during such an incident. These are all key questions for assessing what your organisation needs to do and how IT and Security can support making it happen.
Article 33 outlines the requirements for a data controller to notify the supervisory authority of a personal data breach. How will your organisation detect or investigate data breaches? Do you have the necessary tools and knowledge within your organisation to react to them, or to manage them proactively? This is where threat detection, threat prevention and monitoring tools will be critical. If you don’t have the required skills in-house, then invest in developing existing staff, recruit, or find a strategic partner you can work with. Good encryption and key management offer an excellent layer of defence. If a personal data breach occurs but the data has been encrypted, it is not reportable to the supervisory authority.
Article 35 defines the requirement for a data protection impact assessment (DPIA). Many organisations should already have a similar process in place: the previous name for it under the Data Protection Act was a PIA (privacy impact assessment). DPIAs should be built into the project life-cycle to risk-assess and capture any high-risk processing of personal data. The key things to identify within a DPIA are:
- The types of data being processed, in particular if any are of sensitive categories
- Volume(s) of data being processed
- Whether new technologies are being used
- Whether there will be any form of profiling or automated processing
What if you have existing high-risk processing? This is a grey area; however, the sensible approach would be to carry out a retrospective DPIA, focusing on the highest-risk processing first.
Article 39 lays out the requirements for a DPO (Data Protection Officer), and part of that remit is ensuring staff have training and appropriate awareness of data protection, privacy and security of data. This is where your Security or IT department can provide key knowledge and understanding, in particular on cyber threats, best practice for protecting and securing data, and so on. It’s not always appreciated, but employees actually pose one of the largest threats to their organisations. Here is a great example of a phishing scam I received recently:
We are currently contacting all of our customers to ensure you are happy to receive our newsletters and updates going forward.
We are taking the new GDPR very seriously, so in order for you to be in control, please click the link below to manage your subscription:
[clicky link to some unsavoury URL]
The security and data protection specialists reading this will no doubt be laughing at the clear disregard of GDPR and PECR (Privacy and Electronic Communications Regulations) here. The real concern is the growing use of distraction techniques like this, where a topical hook is borrowed to make an email seem genuine.
There are plenty of solutions and tools that can add a layer of defence against malicious web and email links; however, staff also need to be trained and given guidance on how to deal with these types of threats. This is not an area a business should be skimping on. You could have the greatest and latest technologies, but if your staff are not savvy then this is where security holes and data breaches can quickly originate.
can easily be seen as a concern for the business and the DPO, but do they understand and know what security measures are in place? What remediation has been undertaken to improve your security posture? What ongoing processes are in place to monitor gaps and threats in the future? These need to be documented and recorded appropriately by the business. It’s likely this will be housed in an Excel spreadsheet, but do consider how IT can add value and support the business.
Joined up thinking!
A fully joined-up and aligned GDPR programme is vital and cannot be left to just one business area to deal with. I’ve come across a number of peers who’ve reported GDPR being left to either IT or Legal to resolve. An approach like this will ultimately end in failure rather than effectively working towards compliance. GDPR is a business concern, but it requires expertise from the likes of the Legal, Security and IT teams. Ensure you have buy-in from the very top of the organisation too!
GDPR Nuggets and thanks for reading
I’ll be publishing some ‘nugget’ style updates over the coming months; please look out for them and share. Thank you for taking the time to read, I hope it has been of use to you. I’d be delighted to read any comments and thoughts. Finally, best wishes to everyone involved with a GDPR programme as the May deadline approaches!