The General Data Protection Regulation (GDPR), set to take effect in May of this year, is a hot topic in data security circles. Part one of this two-part blog article looks at the requirements of GDPR. Part two details the technologies that can help meet these requirements and strengthen overall data security for your organization.
Evolutionary Changes Coming with GDPR
The evolutionary changes set in motion by GDPR have reached around the globe. This regulation will have a strong, far-reaching impact on organizations and individuals who do business with companies in the European Union or process data from users in the European Union. On a positive note, it’s an opportunity for organizations to rethink data security at both the system and infrastructure level, and, in the process, strengthen data protection on a number of levels.
GDPR is poised to become one of the most important and influential data protection laws enacted during our lifetimes. Why? Among the large number of distinct characteristics and mandatory requirements contained in GDPR, I’ve identified three that stand out as the most noteworthy, particularly for anyone tasked with maintaining the security of IT infrastructures. First, GDPR is proscriptive; it clearly states requirements and forbids certain practices when dealing with personal data. Next, the territorial provisions of the regulation expand the geographical range to which it applies. Finally, the joint liability clauses raise the consequences of poor security implementations, starting with the prospect of hefty fines for those who violate its provisions. I’ll discuss these three aspects first and then suggest some effective solutions for responding to the demands of GDPR.
Top 3 Takeaways From GDPR
Some regulations bring specific mitigations to mind. When someone talks about HIPAA (the Health Insurance Portability and Accountability Act), you think: Encrypt at rest and in motion. When people discuss SOX (Sarbanes-Oxley), you probably think about Segregation of Duties, or SOD. At some point, as people talk about GDPR, you will think: Broadly protect all personal data. This difference should not be lost on anyone. GDPR does not explicitly require specific protection mechanisms or, for that matter, define personal information in a limited way. This concept is central to the law itself.
Protecting Personal Data
Personal data is “any information relating to an identified or identifiable natural person.” We might be tempted to interpret this to be PII (personally identifiable information) as we know it from other laws. However, GDPR defines personal data more broadly than is typical. What is considered personal changes with time. My great-grandfather had personal data but didn’t consider an email address to be personal, nor did he know what email was. Today, an email address is absolutely considered personal data. GDPR includes, but does not limit the definition to, physical, physiological, genetic, mental, economic, cultural, or social identity information (leaving room to expand for future identifiers as well).
Sometimes IT organizations think that by checking enough boxes and implementing enough controls they are compliant, and, as a result, safe. To avoid perpetuating this myth, GDPR states the end goal, but not how to achieve it. Encryption is presented as an example of one way to protect data, but simply using encryption is not sufficient to comply with the law.
Recognizing Territorial Boundaries
GDPR effectively expands the reach of the law to companies and organizations that sell or offer goods or services to, or monitor the behavior of, individuals in the EU. The intent is to be as all-encompassing as possible when protecting personal data belonging to individuals in the EU. It is incumbent upon you, the data controller, to know whether you process information about individuals in the EU. As defined in the GDPR Glossary, the data controller is the “entity that determines the purposes, conditions, and means of the processing of personal data,” and this responsibility extends to your selection and oversight of organizations that you enlist to process the data.
There’s not likely to be any leniency for those who say, “We didn’t know they were in the EU.” Many companies have decided, as a standard practice, to treat all personal data as if it belongs to individuals in the EU, which solves the problem of determining which data is owned by an individual in the European Union. More importantly, this level of responsibility can be a best practice for enterprises, beyond the basic goal of compliance.
Assuming Joint Liability
The authors of GDPR disallowed finger-pointing as a way to dodge liability. We often hear statements such as, “the engineer forgot to patch the system” or “we had one rogue insider” or “our supply chain was contaminated.” GDPR makes it clear that you cannot escape liability simply by blaming a service provider for a breach. For example, you may hire a consulting company to collect and manage your customer database. This consulting company may use a Software-as-a-Service (SaaS) solution to provide value-added services for your customers. The SaaS vendor may leverage a public cloud vendor for storage and compute cycles. This public cloud vendor may have one rogue insider contracting for them. Nonetheless, if the worst happens, you — as the data controller — can still be held liable for the breach. Your organization has defined the reason for the collection and initiated the effort. Regardless of how far removed you are from the breach, if it involves data you collected, you are on the hook.
The bottom line is this: You must protect the personal data of individuals in the EU wherever you do business, whether you know that you have their data or not, and there’s no passing the buck. If a breach occurs, you may still be liable. Easy to do, right?
To learn more about what you can do to improve data security and how the latest Intel® technologies can help, read part two of this article.
Intel® technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at www.intel.com.