Information Security Today Home

New Books

Securing Cyber-Physical Systems by Al-Sakib Khan Pathan; ISBN 9781498700986
Global Information Warfare: The New Digital Battlefield, Second Edition by Andrew Jones and Gerald L. Kovacich; ISBN 9781498703253
Touchless Fingerprint Biometrics by Ruggero Donida Labati, Vincenzo Piuri, and Fabio Scotti; ISBN 9781498707619
Securing Systems: Applied Security Architecture and Threat Models by Brook S. E. Schoenfield; ISBN 9781482233971
Cybersecurity: Protecting Critical Infrastructures from Cyber Attack and Cyber Warfare by Thomas A. Johnson; ISBN 9781482239225
Android Malware and Analysis by Ken Dunham, Shane Hartman, Manu Quintans, Jose Andre Morales, and Tim Strazzere; ISBN 9781482252194

What You Need to Know about the EU General Data Protection Regulation

By Andy Green, Technical Specialist at Varonis

You are back in the office after the long holiday break and busy catching up. Did you miss the story about the EU’s General Data Protection Regulation (GDPR) receiving final approval? Some are calling it a "milestone of the digital age."

The EU General Data Protection Regulation is now law. Here’s what you need to know.

With the final draft, a few ambiguities and loose ends were ironed out from the different versions provided by the EU Parliament and the Council.

I've put together a few key points that should resonate with Inside Out readers. Keep in mind the GDPR will take effect in the later part of 2017.

Fines

We have closure on the question of fines: the GDPR has a tiered fine structure. For example, a company can be fined up to 2% for not having their records in order (Article 28), not notifying the supervising authority and data subject about a breach (Articles 31 and 32), or not conducting impact assessments (Article 33).

More serious infringements merit a 4% fine. This includes violation of basic principles related to data security (Article 5) and conditions for consumer consent (Article 7). These are essentially violations of the core Privacy by Design concepts of the law.

The EU GDPR rules apply to both controllers and processors; i.e., "the cloud." So, cloud providers are not off the hook when it comes to GDPR enforcement.

Data Protection Officer

It's official: you'll likely need a Data Protection Officer or DPO. You can read the fine print in Article 35.

If the core activities of your company involve "systematic monitoring of data subjects on a larger scale," or large-scale processing of "special categories" of data—racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric data, health or sex life, or sexual orientation—then you’re required to have a DPO. In the US, the closest job title to this is a Chief Privacy Officer.

In any case, the job function of the DPO includes advising on and monitoring GDPR compliance, as well as representing the company when contacting the supervising authority or DPA.

Data Breach Notification

24 or 72 hours?

And the winner is ... 72.

Article 31 tells us that controllers are required to notify the appropriate supervisory authority of a personal data breach within 72 hours (at the latest) on learning about the exposure if it results in risk to the consumer. But even if the exposure is not serious, the company still has to keep the records internally.

According to the GDPR, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data—the EU’s term for PII—is considered a breach.

Note my emphasis on unauthorized.

Based on my understanding of the GDPR, this means that if an employee sees data that's not part of their job description, it could be considered a breach.

Of course, this is not a problem for your company because your IT department has done a thorough job reviewing file access lists and has implemented role-base access controls.

You can read more about what you have to provide to the data authority in our "What is the EU GDPR" post.

Bottom line: The GDRP notification is more than just saying you have had an incident. You'll have to include categories of data, records touched, and approximate number of data subjects affected. And this means you’ll need some detailed intelligence on what the hackers and insider were doing.

Data processors have a little more wiggle room: they're supposed to notify the company they’re doing the work for "without undue delay."

Under what conditions does a company have to tell the subject about the breach? You can read the details in Article 32, but if a company has encrypted the data or taken some other security measures that render the data unreadable, then they won’t have to inform the subject.

For Countries Outside the EU

We’ve been raising the alarms on extra-territoriality for several months now. With the GDPR finalised, we can say with certainty the law applies to your company even if it merely markets goods or services in the EU zone.

In other words, if you don't have a formal presence in the EU zone but collect and store the personal data of EU citizens, the long arm of the GDPR can reach out to you. As many have been pointed out, the extra-territoriality requirement (Article 3) is especially relevant to ecommerce companies.

Social media forums, online apartment sharing, artisanal craft sites, or beers of the world clubs: you’ve been warned!

Other Resources

All the permutations of the GDPR and how it can applies is just too complex to cover in a few blog posts. Of course, your Data Privacy Officer or Chief Privacy Officer is the go-to person for advice, along with outside legal experts.

Related Reading

What Is the EU General Data Protection Regulation?

5 Things You Need to Know About the Proposed EU General Data Protection Regulation


 
Subscribe to
Information Security Today







Bookmark and Share


© Copyright 2016 Auerbach Publications