THE EU GDPR: what does it mean for application security?

With four out of every five businesses using 10 or more business applications, securing those applications should be paramount in the run up to March 2018.

There continues to be a certain malaise among many organisations about getting ready for the GDPR, and it's incredibly surprising given the huge penalties for breaches coming into force next year. Judging by the breadth of media reports, organisations freely admit that they are not ready for the EU GDPR. At the same time, these organisations are increasingly using mobile applications so securing those applications should be high on the list of al organisations looking to avoid data breaches.

Recent research

Accordingly to the DMA (Direct Marketing Association), over a quarter of marketers believe their businesses are not prepared for the EU GDPR with a further 32 per cent believing they won't be compliant in time. Meanwhile, according to a recent report from MobileIron, 80 per cent of organisations are using 10 or more mobile business apps. In light of this research, it's clear that both organisations need to familiarise and prepare themselves for the GDPR within the next year and that organisations deploying mobile apps will, or certainly should, become more stringent about ensuring their security, leaving no place to hide for those in the software development industry. They must understand what's different about this new regulation and what they need to change, and change it as quickly as possible.

The EU GDPR in a nutshell

The European General Data Protection Regulation (EU GDPR) is an update to the Data Protection Directive of 1995 and comes into effect on March 25th 2018. The new regulation applies to any organisation that holds or processes the personal information of any European citizen, regardless of where the organisation itself is based, or where the data processing takes place. In addition, the new regulations widened the scope of what was meant by 'personal information' to include anything that could identify a European citizen including IP addresses or cookies.

In case of a breach

The regulation states, among other aspects, that if an organisation suffers a data breach, it is liable to be fined up to 4 per cent of its global annual revenue. Organisations who discover they have been breached need to report it within 72 hours to their national data protection authority; the ICO in the UK. In some cases, were the breach is serious enough, the organisation is required to tell its customers. This is not just for organisations that own customer data, it also applies to companies that process or otherwise deal with data, like Amazon Web Services.  Lastly, organisations need to keep an internal breach register listing any incidents that could compromise personal information, what remediation steps were taken and what the result was.

The introduction of the Data Protection Officer (DPO)

One of the big changes from the original DP Directive is that organisations need to appoint a data protection officer  whose role it is to ensure that the organisation complies with all the aspects of the new GDPR. This person should be a separate person to the CISO; they should have responsibility for implementing all policies and procedures around data processing as well as any outsourcing of data processing, and they should report directly to management.

The GDPR and application security   

Articles 25,32,33,34 and 35 are the most relevant when it comes to expectations of the EU GDPR around securing the flow of data through applications and they focus on assessing, preventing and monitoring.

  • The gap analysis
    The first thing organisations need to do to comply with the GDPR is around assessment. The regulation dictates that an organisation should perform a gap analysis between how their current processes and systems handle data and what would need to be changed in order to meet the new requirements.
  • Security by design
    This is one of the core aspects of the new GDPR. The expectation is that data security and privacy should be built into the application or system from the outset; the idea being that the consumer is being put first and it is clear and easy for them and they are able to opt in rather than opt out. For application security, this means that security and privacy need to be thought about in the planning stages of the Software Development Life Cycle (SDLC). Unfortunately, this is not currently the case with many organisations so this will be a large task for the industry.
  • Risk and security
    As part of the EU GDPR, organisations are required to “ensure a level of security appropriate to the risk,". This includes encrypting personal data but also the pseudonymisation of personal data in order to mask the most identifying fields within data records. Organisations should also have the ability to restore the availability of personal data in a timely manner in the case of a breach or even just a technical incident. Organisations are also required to ensure the tenets of infosecurity, namely the confidentiality, integrity and availability of data processing systems and services. Organisations are also expected to set up a process for regularly assessing and testing security practices.
  • The principle of least privilege
    To adhere to the new EU GDPR, organisations also need to practice the principle of least privilege, meaning that they need to set up their systems and processes with the idea that only those who need access to certain data are allowed to have it, otherwise, it should be totally secured from other internal people within the business. Organisations are also required to regularly 'clean house' and remove any data that it no longer requires to keep. And although organisations do not have to create centralised application and data repositories, it is suggested within the new regulation as a way to better maintain control over the personal information of consumers.

The cost of non-compliance

Organisations will no doubt differ in terms of how much they need to change within their set ups in order to adhere to the new regulation but every organisation that touches the personal information of European citizens needs to become fully compliant before March 25th 2018. Organisations who are not compliant by then, and suffer a breach, risk a fine  of up to 4 per cent of their global annual revenue or €20 million, whichever is larger. In addition to the potentially huge fine, organisations will also need to deal with the public fallout from a breach and likely the loss of trust from customers directly translating to the loss of those customers as well the loss of new potential customers who will simply choose an organisation with a better reputation. The sooner organisations can become compliant, the better. While March 25th next year is the deadline, organisations need to start work now to be ready in time. To secure applications, this means a sea-change in the attitude of the software development industry.  

Amit Ashbel, cyber security evangelist, Checkmarx
Image source: Shutterstock/Wright Studio