The GDPR will come into effect on May 25th, 2018 and raises numerous questions among organizations that handle data in Europe. I gathered the questions and answers collected from the webinar I recently presented, “GDPR – Focusing on the 4 Key Steps to Compliance”, hosted by Robert Bond, Director of Marketing at Hitachi Systems Security. Here are the key takeaways:
Q: A large number of the customers I’ve spoken with are wondering how their compliance efforts towards the GDPR match up with other organizations. From your perspective, how far along are the majority of businesses to GDPR compliance?
A: Within the European Union, this has been out there for a while. It seems that companies in North America and the rest of the world are only realizing how serious this is.
Most companies are scrambling now to establish whether they are compliant. In our experience so far, companies are not far along at all, and most, frankly, are beginning to panic. If a disciplined approach is taken you can get “from here to there”. If you look at it from a Change Management perspective (Awareness, Desire, Knowledge, Ability and Reinforcement), you can get from where you are today to where you need to be.
Q: How do companies deal with backing up their data with the GDPR’s new so-called “right to be forgotten?”
A: Great question. The question should also be extended to archiving data as well. The key point is that backups and archives are different.
Backups exist in case information is accidentally destroyed. Backups should cover all information, but each one only needs to be kept for a short time. Since they are only needed when something goes wrong, access to them can be tightly limited. The legal basis for processing is likely to be the organization’s (and its data subjects’) legitimate interest in recovering from accidents. If you’ve got backup data, you may have a legitimate interest in keeping that data for backup purposes. If the data is restored and there has already been a request to delete that data, you will still be responsible for deleting it. But it is a grey area at the moment, because a backup has to be held with all the information it contains.
Archives, by contrast, involve long-term storage of the organization’s history. The legal basis for archives may well be that they are a legal obligation or else the legitimate interest in retaining an organizational memory. Either is yet to be proven in a court of law.
Where personal data are being processed based on legitimate interests, the individual is entitled to raise an objection, under Article 21 (right to object), requiring the organization to check that its interest in the processing is not overridden by the resulting risk to that individual’s rights and freedoms.
There are rules around banking information, for example. What happens when you have to keep the data for 7 years but you receive a request from an individual to delete their data? That legal requirement overrides the right to object. If you have a legal requirement to keep the data for 7 years for banking, HIPAA or PCI reasons, you do have a legitimate reason to keep that data; but if you do not have a legitimate reason to keep it and you restore a backup or retrieve an archive, you will have to delete the data when you recover it.
Q: What has been the biggest challenge for customers to become compliant with GDPR thus far? Have you run across any systems that will just have to have exceptions built in until they can be redeveloped or migrated?
A: The biggest challenge for a lot of people has been understanding how GDPR really affects them, going back to that 4-step process:
For that, you should be looking at Article 30, the “records of processing activities”. This points to the need for organizations to map data flows for sensitive personal data and identity data, similar to what we do for HIPAA (ePHI) and PCI (CDE). Many of our clients may reach for Visio, PowerPoint, Excel or Word to do this mapping; larger organizations may have enterprise tools for it, such as OneTrust or ARIS, or it may fall under DLP tools that specialize in labelling/classifying and mapping data, such as Spirion.
Regarding systems that may need to be redeveloped or migrated, I didn’t come across any that couldn’t be made compliant, because GDPR is more about the policies and procedures that are in place, for example to report breaches. From a technical perspective, systems will be using the typical controls they would, or should, already have in place for any other protection, so your systems should have controls aligned with ISO or NIST anyway.
Q: Organizations are using cloud solutions and services like AWS more and more, and we expect that to increase over time. With regards to the GDPR, what are organizations’ responsibilities for working with their cloud partners to make sure that those partners are complying with the GDPR rules themselves?
A: The GDPR rules extend right out through your supply chain.
It seems businesses are assuming that by storing their data in the cloud it is, by default, compliant. This is not the case, and this ‘out-of-sight, out-of-mind’ mentality has contributed to many data breaches around the world. Storing data in the cloud without properly considering security is the same as locking your front door but leaving the garage open. It doesn’t work. Your enterprise network may be secure, but it means nothing if the cloud isn’t as well.
The following security protocols must be included in any cloud cyber security strategy:
Q: What are your thoughts on the seriousness of the regulation? Are auditors going to be immediately penalizing organizations if they do not comply with the GDPR?
A: Penalties are assessed by reference to each individual case, taking account of (amongst other things) the nature, gravity and duration of the infringement, any mitigating actions taken and whether there is any history of previous infringements. Member states will have discretion to designate breaches of specific aspects of the GDPR as criminal offences.
As for the DPAs (Data Protection Authorities) that administer enforcement notices and ultimately penalties, I believe there will be a ramp-up of enforcement policies and fines over time.
If you compare it to what happened with HIPAA for example, there were warnings given beforehand.
Given the fact that we now know more about privacy and controls, there may be a short runway into an era of more assertive enforcement.
Q: The legislation is now demanding that organizations notify customers within 72 hours of first having become aware of the breach – looking at the responses of Equifax, Yahoo and so many others, it took them months to notify some of their consumers. How are organizations going to do this?
A: Dwell time, the time that a botnet is within your system, can be the biggest issue here. Botnets can be in a system acting as a legitimate user for a long time, exfiltrating data slowly from the network and systems. Once the breach has been identified, you do have 72 hours to report it. As mentioned earlier, you do have the opportunity to “ramp up” the response. This means that you need to notify that a breach has happened and that your incident response team is investigating.
Q: How will the data portability piece of the legislation impact organizations?
A: This is the perfect reason why most organizations need to minimize the amount of data kept over time. This minimalist approach, “Privacy by design” or “Privacy by default”, will ensure that the data you need to keep on a data subject is negligible, and therefore sharing it or reporting it to someone else should be more straightforward. It comes down to discipline.
Interested in knowing more about the GDPR? Access the webinar on the key steps to reach compliance by clicking here or below.