With the enforcement of the new EU General Data Protection Regulation (GDPR) fast approaching, organizations need to assess and re-assess their security culture, processes and tools to meet compliance requirements. The outcome of this process is sure to better safeguard the privacy rights of individuals and to enhance security hygiene and culture for organizations that store or process personal data.
To mitigate data exfiltration ahead of the upcoming May 25 GDPR deadline, companies should pay close attention to the places where personal data is collected, held, and used.
Ensuring GDPR compliance can be an overwhelming task. GDPR is giving Information Security Governance teams a reason to review existing controls, implement new systems and safeguards, and reprioritize risks based around data exfiltration vectors. With proper preparation, GDPR will reduce the amount of data available for exfiltration and create controls that will detect and prevent these attempts.
While the level of complexity varies across organizations, all companies should begin their compliance journeys by considering the following GDPR security requirements:
- Article 5, “Principles relating to personal data processing,” requires organizations to adopt technology and processes that help establish data confidentiality, including the prevention of unauthorized processing.
- Article 24, “Responsibility of the controller,” ensures companies monitor and demonstrate GDPR compliance via technology and processes to provide total visibility, detection, and prediction of user-based risks.
- Article 25, “Data protection by design and by default,” gives the controller a directive to implement appropriate technical and organizational measures for ensuring that, by default, only personal data that is necessary is processed.
- Article 32, “Security of processing,” requires organizations collecting data to take proper steps to anonymize and encrypt personal information; to take a security-first approach by applying CIA (Confidentiality, Integrity, and Availability) concepts to data processing; and ultimately to create standards for accountability around data retrieval and processing.
- Articles 33/34, “Notification of a personal data breach to the supervisory authority,” require organizations to notify data owners and controllers of a data breach that may involve user data. A documented procedure must be created to maintain swift notification channels in the event of a breach.
- Article 35, “Data protection impact assessment,” requires the organization to evaluate new and existing technologies for effective data processing strategies that take into account the impact on user data privacy.
- Article 39, “Tasks of the Data Protection Officer (DPO),” requires organizations to appoint one point-person to both monitor and demonstrate GDPR compliance through technology and processes, and also to build internal awareness through staff training.
Protecting Against Insiders
While organizations’ GDPR-related efforts are often focused on protecting data from outside parties, insiders like employees, vendors, and contractors also pose massive risks. An insider threat is an attack vector similar to phishing, malware, or external exploitation, and it should be taken into consideration in any risk-mitigation strategy. When it comes to insider threats, the most relevant GDPR requirements are around the processing, access, and legitimate use of the data. Thus, if followed, the new regulation will create and enforce a set of procedures that will mitigate the risk of insider threats alongside any other malicious action that can impact an organization.
As the primary stakeholders in the organization, the governing boards and senior management should make sure an organization meets GDPR compliance. GDPR, as with any other business risk and consideration, should be assessed and reviewed under existing risk mitigation and business impact plans. It is the responsibility of senior management teams to apply due care, due diligence, and immediacy to ensure that resources are effectively applied to accomplish GDPR compliance.
New regulations should be worked into existing security awareness and training strategies. Onboarding processes should be amended to include policies and procedures that are affected by GDPR. The most important changes to privacy and disclosure policies are the “right to be forgotten” and the ability for an employee to lodge a “subject access request”.
Training and education should be relevant to individual business units and tailored to meet the expectations of operations managers in an effective and clear way. Studies have shown that computer-based training and reward-based presentations have the highest effect on retention and acceptance.
Where to Begin?
To initiate compliance efforts, organizations should consider addressing the following key GDPR components:
Appoint a data protection officer: Under GDPR, any public authority, other than a judicial court, or any organization whose core activities include processing personally identifiable information (PII) and systematic monitoring of individuals, must appoint a data protection officer (DPO). The DPO will be responsible for overseeing and advising compliance efforts, training staff, and processing personal data requests.
Identify everywhere that personal data is collected, stored, and used: To meet the regulations, organizations will need to deploy specific measures that address how personal data is stored and processed by the company. Given this, it’s crucial that organizations understand all areas where the company interacts with personal information.
Implement the prescribed security, privacy, IT, and administrative policies and measures necessary for proper handling of personal data: Organizations may need to establish, assess, and reassess efforts to meet the policies and measures required by the GDPR, including pseudonymisation, encryption, documentation, and those designed to ensure the integrity, confidentiality, availability, resilience, assessment, and post-incident recovery of processing systems and services.
Deploy the mandated measures to inform, protect, and serve the individuals whose personal data the company holds: GDPR requires that organizations send notifications at the time of data collection, receive consent, and process “to be forgotten” requests.
Prepare procedures related to possible data breaches: In order to accurately resolve issues and protect personal data, companies must have well-designed policies in place should a data breach occur. These should encompass the ability to identify and report incidents, as well as to alert those who have been affected.
Educate employees on GDPR and how it will impact their roles: Internal parties can be some of the biggest risks to an organization and its data. To reduce security-related incidents, it’s important that employees understand the aspects of GDPR that they need to follow and implement into their everyday processes.
It’s still too early to quantify the residual impact of GDPR; however, with a penalty of up to four percent of annual revenue for non-compliance or negligence, companies have a high incentive to optimize their data handling procedures. To bolster security efforts and ensure compliance, companies should begin their processes now – if they haven’t already – by assessing the mandatory regulations and establishing actionable strategic plans leading up to the May deadline.
Mayank Choudhary, MC, VP of Products at ObserveIT