Tag Archives: dpr

Preparing for the EU General Data Protection Regulation

When the trilogue discussions ended in December, the EU General Data Protection Regulation (GDPR) reached its final form. But in the never ending GDPR saga, there was always still one more hurdle to be completed. Last month, the EU Parliament approved the final text worked out in the discussions.

So now the clock starts ticking, and companies have two years to get their data centers in order. The GDPR will not be enforced until May 2018.

Technically, the GDPR has been in close to final form for almost a year, as the key stakeholders worked out some important details. So those companies who’ve been paying attention have had even more of a head start.

As a reminder, we’ve written a very comprehensive blog post on the new regulation. And if you want even more background details on the GDPR and how it has evolved from the existing Data Protection Directive (DPD), then by all means download our white paper.

What’s Important?

Out of all the many requirements and concepts in the GDPR, these six would make it to the top of my list in terms of their importance:

  • Breach notification – A new requirement not in the existing DPD is that companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. Data subjects will also have to be notified but only if the data poses a “high risk to their rights and freedoms”.
  • Data Protection Impact Assessments (DPIA) – When certain data associated with subjects is to be processed, companies will have to first analyze the risks to their privacy. This is another new requirement in the regulation.
  • Privacy by Design – Privacy by Design (PbD) has always played a part in EU data regulations, but in the new law its principles of minimizing data collection and retention, and of obtaining consent from consumers before processing their data, are more explicitly formalized.
  • Extraterritoriality –  The new principle of extraterritoriality in the GDPR says that even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects — for example, through a web site—then all the requirements of GDPR are in effect. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud businesses.
  • Right to Erasure and To Be Forgotten – There's been a long-standing requirement in the DPD allowing consumers to request that their data be deleted. The GDPR extends this right to include data published on the web. This is the still controversial right to stay out of the public view and "be forgotten".
  • Fines – The GDPR has a tiered penalty structure that will take a large bite out of offenders' revenue. More serious infringements can merit a fine of up to 4% of a company's global annual turnover (or €20 million, whichever is higher). This includes violations of basic principles related to data security, especially PbD principles. A lesser fine of up to 2% of global annual turnover (or €10 million), still enormous, can be issued if company records are not in order or if the supervisory authority and data subjects are not notified after a breach. This makes breach notification oversights a serious and expensive offense.

This is a complex law, and the above list is not meant to be a complete rundown of all the significant rules. In any case, most legal and compliance experts would agree that a sensible first step in getting into GDPR compliance is to do a complete data inventory: what data is stored, where it's stored, who has access to it, and what the current access rights are.

Where have we heard this before?

Of course, we've been preaching data awareness for a while now at the Inside Out Security Blog. With the GDPR, though, it's not just a great idea but an important approach to help you avoid breaking this law.


The EU General Data Protection Regulation Is Now Law. Here’s What You Need to Know.

Updated: 6/2016

You are back in the office after the long holiday break and busy catching up. Did you miss the story about the EU’s General Data Protection Regulation (GDPR) receiving final approval?  Some are calling it a “milestone of the digital age”.

We’ve been following the GDPR on the blog over the last two years. If you want to catch up very quickly, read our omnibus post that’s a tasty distillation of our wisdom on this subject.

Or if you have some more time, check out our comprehensive GDPR white paper.

With the final draft, a few ambiguities and loose ends were ironed out from the different versions provided by the EU Parliament and the Council.

I’ve put together a few key points that should resonate with Inside Out readers. Keep in mind the GDPR will apply from May 2018.

Fines

We have closure on the question of fines: the GDPR has a tiered fine structure.

For example, a company can be fined up to 2% of global annual turnover (or €10 million, whichever is higher) for not having its records in order (article 30), not notifying the supervisory authority and data subjects about a breach (articles 33, 34), or not conducting impact assessments (article 35).

More serious infringements merit a fine of up to 4% of global annual turnover (or €20 million, whichever is higher). This includes violations of basic principles related to data security (article 5) and conditions for consumer consent (article 7), which are essentially violations of the core Privacy by Design concepts of the law.

The EU GDPR rules apply to both data controllers and processors, that is “the cloud”.  (Refer to our white paper to learn more about this law’s data security terminology.) Therefore huge cloud providers are not off the hook when it comes to GDPR enforcement.

Data Protection Officer

It’s official: you’ll likely need a Data Protection Officer or DPO. You can read the fine print in article 37.

If the core activities of your company involve “regular and systematic monitoring of data subjects on a large scale”, or large-scale processing of “special categories” of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, or sex life or sexual orientation), then you’re required to have a DPO.

In the US, the closest job title to this is a Chief Privacy Officer.

In any case, the job function of the DPO includes advising on and monitoring GDPR compliance, as well as representing the company when contacting the supervising authority or DPA.

Data Breach Notification

24 or 72 hours?

And the winner is … 72.

Article 33 tells us that controllers are required to notify the appropriate supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to data subjects. Even when no notification is required, the company still has to document the breach internally.

According to the GDPR, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data – the EU’s term for PII — is considered a breach.

Note my emphasis on unauthorized.

Based on my understanding of the GDPR, this means that if an employee sees data that’s not part of their job description, it could be considered a breach.

Of course, this is not a problem for your company, because your IT department has done a thorough job reviewing file access lists and has implemented role-based access controls.

You can read more about what you have to provide to the data authority in our “What is the EU GDPR” post.

Bottom line: The GDPR notification is more than just saying you have had an incident. You’ll have to include the nature of the breach, the categories of data and records touched, and the approximate number of data subjects affected. And this means you’ll need some detailed intelligence on what the hackers and insiders were doing.

Data processors have a little more wiggle room: they’re supposed to notify the company they’re doing the work for — the controller — “without undue delay”.

Under what conditions does a company have to tell the subject about the breach?

You can read the details in article 34, but if a company has encrypted the data or taken some other security measures that render the data unreadable, then they won’t have to inform the subject.

For Countries Outside the EU

We’ve been raising the alarms on extra-territoriality for several months now.

With the GDPR finalized, we can say with certainty that the law applies to your company even if it merely offers goods or services to people in the EU, or monitors their behavior there.

In other words, if you don’t have a formal presence in the EU zone but collect and store the personal data of someone in the EU (not just citizens!), the long arm of the GDPR can reach out to you.

As many have pointed out, the extra-territoriality requirement (article 3) is especially relevant to ecommerce companies.

Social media forums, online apartment sharing services, artisanal craft sites, or beers of the world clubs: you’ve been warned!

Other Resources

All the permutations of the GDPR and how it applies are just too complex to cover in a few blog posts. Of course, your Data Protection Officer is the go-to person for advice, along with outside legal experts.

Speaking of law firms and attorneys, they are understandably all over this.

Thankfully, they do offer some very practical and free information on their public-facing sites. Here are my own favorite legal advisors:


What is the EU General Data Protection Regulation?


Note: This post now reflects the final version of the EU GDPR.

Overview

It’s been a long time coming, but the new EU data security and privacy law, known as the General Data Protection Regulation (GDPR), has now been finalized. We’ve been tracking the GDPR through all its ups and downs over the last two years, as it progressed through the EU legislative process.

The negotiating parties — the EU Council,  Parliament, and Commission — finalized the GDPR text in December 2015, and officially approved the law in April 2016.

That means the GDPR will go into effect in May 2018.

Keep calm, there’s nothing to panic over just yet.

The new GDPR can be seen as an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). If your company is new to the EU market, then the GDPR might be a challenge. However, any company that follows IT best practices or industry standards (PCI DSS, SANS Top 20, ISO 27001, etc.) shouldn’t find the GDPR too burdensome.

One way to describe the GDPR is that it simply legislates a lot of common sense data security ideas, especially from the Privacy by Design school of thought: minimize collection of personal data, delete personal data that’s no longer necessary, restrict access, and secure data through its entire lifecycle.

DPD 2.0

The current EU Data Protection Directive has been around since 1995, but as technology marched on some of its shortcomings became more apparent. The Internet, the cloud, and big data were just a few of the factors that forced the EU to reconsider its existing approach to its data security law.

One of the main problems with the Directive is that it allowed member countries to write their own legislation using the Directive as a template (“transposing” in EU bureaucrat-ese) and then enforce the rules separately. With the aforementioned technology disruptions, member countries had different interpretations as to what constitutes a personal identifier (MAC addresses? biometrics?) or who’s responsible when data is in the cloud (the company or the service provider).

Realizing the old data security law had to be revamped, the EU Commission in 2012 started the process of creating new legislation. Their primary goal was a single law — “harmonization”, as it’s called — covering all EU countries and a “one-stop” shop approach to enforcement through a single data authority.

The GDPR is not a complete rewrite of the DPD. Instead it enhances the existing DPD. Interestingly the current DPD also had as its goal back in the 1990s a single law to replace individual national laws.

The GDPR looks like it will finally realize that dream — or come a lot closer.

So it’s probably better to view the new law as DPD 2.0. However, it adds a few important changes. Most significantly, there’s a breach notification requirement that forces companies to notify the data authorities and consumers when there’s been a data exposure. There’s no equivalent federal requirement here in the US.

Another change is that the penalties for non-compliance will be significant. The Council’s draft proposed fines of up to 2% of global revenue and Parliament’s up to 5%; the final text settled on a tiered structure topping out at 4% (see below). One could argue that the GDPR is really focusing on multi-nationals, particularly US ones, which earn most of their revenue outside of the EU.

GDPR Vocabulary

The GDPR is a huge document — over 100 PDF pages of legal language. However for IT and security folks who will have to implement some of the rules, the key parts are in just a few of the Regulation’s articles.

But before we dive into the GDPR, let’s get some basic vocabulary out of the way.

In the GDPR, personal data means any information “relating to a data subject”. A data subject is “an identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used” by someone.

This somewhat convoluted definition is actually the language of the original DPD. As with the old rule, the GDPR encompasses obvious identifiers such as phone numbers, addresses, and account numbers as well as new Internet-era identifiers, such as email, biometric — anything that relates to the person.

The GDPR also accounts for what’s known as quasi-identifiers, which we’ve written about before in this blog. These are multiple data fields, typically geographic and date fields, that with a little processing and some external reference sources can be used to indirectly zero in on an individual.

In any case, personal data is what you are supposed to protect! Data that has been anonymized is not covered by the GDPR, or for that matter by the current DPD.

The GDPR also continues with the DPD’s terminology of data controller and data processor, which are used throughout the law.

A data controller is anyone who determines the “purposes and means of processing of the personal data.” It’s another way of saying the controller is the company or organization that makes all the decisions about initially accepting data from the data subject.

A data processor is then anyone who processes data for the controller. The GDPR specifically includes storage as a processing function, so that takes into account, say, cloud-based virtual storage.

Putting all this together, the GDPR places rules on protecting personal data as it’s collected by data controllers and passed to data processors. One shortcoming of the DPD was that it left some loopholes for data processors, i.e., cloud providers, that the GDPR now effectively closes off.

Articulating the Articles

Now let’s get into some of GDPR’s legal-ese.

The new law puts in place more specific obligations on data processors and therefore the cloud. This is described in article 28 (processor) and article 32 (security of processing), which for wonks parallels the DPD’s article 17, and effectively says that the cloud provider must protect the security of data given to it by the data controller.

The GDPR adds the ability for someone to directly sue a processor for damages — in the DPD, it was only the data controller that could be held liable.

Article 5 (principles related to personal data processing) essentially echoes the DPD’s minimization requirements: personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. But it also says the data controller is ultimately responsible for, and must be able to demonstrate, the security and lawful processing of the data.

Article 25 (data protection by design and by default) further enshrines Privacy by Design ideas. The article is more explicit about data retention limits and minimization in that you have to set limits on data (duration, access) by default, and it gives the EU Commission the power to lay down more specific technical regulations at a later time.

More Articles: The New Stuff

There are a few new requirements that directly impact IT. Again, if you’re following common-sense best practices, none of the following should be too much of a burden. The DPIA (see below), though, is an extra bureaucratic layer that will likely cause some head scratching (and cursing); the details will probably have to be worked out by the regulators.

Article 30 (records of processing activities) adds new requirements for data controllers and processors to document their operations. There are now rules for categorizing the types of data collected by controllers, recording the recipients to whom the data is disclosed, and specifying the time limits before the personal data is erased.

Article 35 calls for data protection impact assessments (DPIAs) before the controller initiates new services or products involving the data subject’s health, economic situation, location, and personal preferences — and more specifically data related to race, sex life, and  infectious diseases. The DPIAs are meant to protect the data subject’s privacy by, among other restrictions, forcing the controller to describe what security measures will be put in place.

The new breach notification rule probably has received the most attention in the media. Prior to the GDPR, only telecom and ISP service providers had to report breaches within 24 hours under the e-Privacy Directive.

Modeled on this earlier Directive, the GDPR’s article 33 says that controllers must tell the supervisory authority the nature of the breach, categories of data and number of data subjects affected, and measures taken to mitigate the breach.

Article 34 adds that data subjects must also be told about the breach but only if the breach results in a high risk to their “rights and freedoms”. If a company has encrypted the data or taken some other security measures that render the data unreadable, then they won’t have to inform the subject.

Article 17 (right to erasure and “to be forgotten”) has strengthened the DPD’s existing rules on deletion and then adds the controversial right to be forgotten. There’s now language that would force the controller to take reasonable steps to inform third-parties of a request to have information deleted.

This means that in the case of a social media service that publishes personal data of a subscriber to the Web, they would have to remove not only the initial information, but also contact other web sites that may have copied the information. This would not be an easy process!

Finally, a requirement that has received less attention but has important implications is the new principle of extraterritoriality described in Article 3. It says that even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects—for example, through a web site—then all the requirements of GDPR are in effect.

This is a very controversial idea, especially in terms of how it would be enforced.

Focus Your GDPR Compliance

Going into the final negotiations that began in 2015, there were still differences between the parties – the EU Council, Parliament, and Commission—on some key issues. These included the GDPR fine structure, data privacy officers (DPO), and breach notification reporting. We’ve already mentioned the breach rules, so let’s cover the other two.

The GDPR has a tiered fine structure. Article 83 (general conditions for imposing administrative fines) says that a company can be fined up to 2% of global annual turnover (or €10 million, whichever is higher) for not having its records in order (article 30), not notifying the supervisory authority and data subjects about a breach (articles 33, 34), or not conducting impact assessments (article 35).

More serious infringements merit up to a 4% fine. This includes violation of basic principles related to data security (article 5) and conditions for consumer consent (article 7) — these are essentially violations of the core Privacy by Design concepts of the law.

Since the EU GDPR rules apply to both data controllers and processors, that is “the cloud”, the huge cloud providers are not off the hook when it comes to GDPR fines.

Coming into the negotiations, there were also differences over whether companies had to appoint a data protection officer who would be responsible for advising on and monitoring GDPR compliance, as well as representing the company when contacting the supervising authority. With the final GDPR, many companies will likely need a data protection officer or DPO (article 37).

For companies new to the EU market, and for any company (particularly a US one) caught in the extraterritoriality net, the GDPR will come as something of a shock. This is especially true for web-based services that are not regulated under existing US financial or medical data security laws.

While you now have two years to get into GDPR compliance, we’ve come up with four areas where we think you should begin focusing your attention and resources:

  • Data classification – Know where personal data is stored on your systems, especially in unstructured formats such as documents, presentations, and spreadsheets. This is critical both for protecting the data and for following through on requests to correct and erase personal data.
  • Metadata – With the GDPR’s limits on data retention, you’ll need basic information on when the data was collected, why it was collected, and its purpose. Personal data residing in IT systems should be periodically reviewed to see whether it still needs to be kept.
  • Governance – With data protection by design and by default now the law, companies should focus on data governance basics. For unstructured data, this includes understanding who is accessing personal data in the corporate file system, who should be authorized to access it, and limiting file permissions based on employees’ actual roles, i.e., role-based access controls.
  • Monitoring – The breach notification requirement places a new burden on data controllers. Under the GDPR, the IT security mantra should be “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal data, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues.
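To make the governance and monitoring points concrete, here is an added example in Python. It is not code from the original post and not a Varonis tool; every path, role, user and audit-log line in it is constructed for illustration. It joins a file classification inventory (which files hold personal data, of which categories, for roughly how many people) with a role-based access policy, runs a constructed audit log through that policy to flag accesses to personal-data files by roles that should not have them (the “employee sees data that’s not part of their job” case from the breach notification post above), and then rolls the findings up into the items article 33 asks for (nature of the breach, categories of data, approximate number of data subjects) plus the 72-hour deadline counted from the moment the exposure was discovered. The per-file subject counts are summed as an upper bound, since the same person may appear in more than one file.

```python
"""
Added example (not from the original post, not a Varonis product): flag
out-of-role access to files classified as holding personal data, then
summarise the findings in the shape an article 33 notification needs.
All inventory entries, roles, users and log lines below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed classification inventory:
#   path -> (categories of personal data, approximate number of data subjects)
INVENTORY = {
    "/shares/hr/payroll_2016.xlsx": ({"identifiers", "financial"}, 1200),
    "/shares/hr/health_leave.docx": ({"identifiers", "health"}, 35),
    "/shares/marketing/leads.csv": ({"identifiers", "contact"}, 8000),
    "/shares/eng/design_notes.md": (set(), 0),  # no personal data
}

# Constructed role-based policy: which roles may touch which path prefix
POLICY = {
    "/shares/hr/": {"hr"},
    "/shares/marketing/": {"marketing", "sales"},
    "/shares/eng/": {"engineering"},
}

# Constructed audit log: "<ISO timestamp> <user> <role> <action> <path>"
AUDIT_LOG = """\
2016-06-01T09:02:11Z alice hr read /shares/hr/payroll_2016.xlsx
2016-06-01T09:05:40Z bob engineering read /shares/eng/design_notes.md
2016-06-01T11:17:03Z bob engineering read /shares/hr/payroll_2016.xlsx
2016-06-01T11:18:27Z bob engineering copy /shares/hr/health_leave.docx
2016-06-01T13:40:55Z carol sales read /shares/marketing/leads.csv
2016-06-01T13:41:10Z carol sales read /shares/marketing/leads.csv
"""

# Constructed moment at which the security team became aware of the exposure
DISCOVERED_AT = datetime(2016, 6, 2, 8, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the space-separated log into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, role, action, path = parts
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "role": role, "action": action, "path": path,
        })
    return events


def allowed(role, path):
    """Role check: the longest matching POLICY prefix decides; paths with no rule are denied."""
    best = None
    for prefix in POLICY:
        if path.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return best is not None and role in POLICY[best]


def find_unauthorised(events):
    """Return events that touched a personal-data file from a role the policy does not permit."""
    hits = []
    for ev in events:
        categories, _ = INVENTORY.get(ev["path"], (set(), 0))
        if categories and not allowed(ev["role"], ev["path"]):
            hits.append(ev)
    return hits


def notification_summary(hits, discovered_at):
    """Roll the hits up into article 33 fields; subjects are counted once per file (upper bound)."""
    categories, subjects_by_file, actors = set(), {}, set()
    for ev in hits:
        cats, subjects = INVENTORY[ev["path"]]
        categories |= cats
        subjects_by_file[ev["path"]] = subjects
        actors.add(ev["user"])
    return {
        "nature": "unauthorised internal access to personal data",
        "actors": sorted(actors),
        "files": sorted(subjects_by_file),
        "categories": sorted(categories),
        "approx_data_subjects": sum(subjects_by_file.values()),
        "notify_authority_by": discovered_at + timedelta(hours=72),
    }


if __name__ == "__main__":
    found = find_unauthorised(parse_log(AUDIT_LOG))
    for ev in found:
        print(f"{ev['time'].isoformat()} {ev['user']} ({ev['role']}) {ev['action']} {ev['path']}")
    for key, value in notification_summary(found, DISCOVERED_AT).items():
        print(f"{key}: {value}")
```

Run as-is, it flags only bob's two reads of HR files (his engineering role has no rule for `/shares/hr/`) and reports the combined categories, 1,235 data subjects as an upper bound, and a notification deadline 72 hours after the constructed discovery time. The inventory is the piece most organisations lack; without it, the policy check has nothing to tell it which files matter, and the notification cannot state categories or subject counts at all.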

Wonk Alert: Need more EU Data Protection Regulation knowledge? Our white paper goes into even more detail!