It’s a year until the biggest shakeup to Europe’s privacy laws in nearly a generation takes effect. The European General Data Protection Regulation (GDPR) will bring sweeping new rules into force, including new consumer rights over how personal data is used, and mandatory 72-hour data breach notifications. Yet there’s still confusion over which companies and what types of data are covered by the law. With firms currently complying with less than 40% of GDPR principles on average, time is running out.
That’s why Centrify is running a new monthly blog series designed to raise awareness about the GDPR, as the clock counts down to 25 May 2018. It’s not intended as a comprehensive checklist but will hopefully get more organisations thinking and acting. With potential fines of up to four percent of global annual turnover to be levied for serious transgressions, the stakes are high.
First up: exactly what is the scope of the new legislation?
The first thing to note is the wider scope of the GDPR compared to the current directive, which UK organisations know as the Data Protection Act. The new GDPR firstly applies to all organisations based in the European Union. That means all those with major subsidiaries or headquarters in the EU, but also could include those who merely have a few sales staff operating in the region. For those not “established” in the EU, the law will still apply as long as they process the personal data of EU citizens and residents. These firms will have to designate a representative inside the EU to handle such matters.
As we’ll discuss in a later blog, all UK firms are covered by the GDPR, even post-Brexit.
The GDPR will also apply not just to data controllers (as per the Data Protection Act) but also to the data processors which usually work on behalf of the controller. The Information Commissioner’s Office (ICO) provides a clear example of the difference: if a local authority stores data on its citizens with a third party cloud provider rather than on its own in-house servers, the cloud company is the data processor and the local authority is the data controller.
So What Constitutes Personal Data?
The sweep of data covered by the GDPR is also greater than anything that has gone before. Personal data refers to “any information relating to an identified or identifiable natural person" -- where “identifiable” means anyone that can by identified by “all means reasonably likely to be used.” The breadth of personal data applicable to the GDPR is so wide that organisations are urged to minimise their risk exposure by wiping any customer data they don’t need, and either anonymising or pseudonymising the remainder where possible.
While regulators will surely allow for a bedding in period after 25 May 2018, their patience won’t last forever and there could be big public cases pending to show they mean business. The bottom line is: comply or face fines.
The legislation, as we’ve discussed, covers a huge number of areas. But one in particular stands out: the mandating of data breach notifications within 72-hours. This means firms will have to get better not only at visibility into systems to spot breaches early on in the kill chain, but also at preventing them in the first place. After all, no organisation wants the bad publicity, fines and reputational damage that inevitably result from a breach.
How to Comply
The question is: how to comply? The GDPR is not explicit on what controls are needed to mitigate risk in this area -- in fact, that may well be a deliberate move designed to future-proof the law as new technologies come and go, and ensure organisations don’t resort to a tick-box approach to compliance.
However, it does state that data should be processed in a way that “ensures appropriate security of the personal data, using appropriate technical and organisational measures,” taking into account “the state of the art and the costs of implementation.” Staying up-to-date with the latest technology advances and following best practice security advice are therefore key to avoiding a damaging breach. Or at least if you are breached they’ll help you to avoid follow-on fines for negligence.
So many of these breaches come about because organisations are still reliant on password-based authentication systems. Poor password management makes the attackers’ job so easy, allowing them to crack or hack privileged accounts and gain access to your organisation’s most sensitive data.
That’s why we’d always recommend risk-based multi-factor authentication (MFA), which can decide if a log-in attempt is risky or not and ask for more info from the user if necessary. Combine this with a “least privilege” approach -- ensuring staff have no more access to systems, commands and functions than they strictly need -- and you’ll be off to a great start with GDPR compliance.
Next month we’ll be taking a look at data classification: why GDPR compliance should start with knowing what you’re processing, where it’s stored, and how it’s used.
Learn more about MFA and how it can help keep your organization secure here.