This episode is sponsored by NuHarbor Security.

What is GDPR?

The General Data Protection Regulation was passed in 2016 and took effect in May 2018. I saw many organizations scrambling to achieve compliance in the months preceding and following this past May. This new regulation brought some additional changes beyond the 1995 EU Data Protection Directive. This regulation flipped a lot of organizations on their head, and some security professionals inherited GDPR compliance obligations as a result.

GDPR specifically focuses on reinforcing individuals' rights, strengthening the EU internal market, ensuring stronger enforcement rules, streamlining international transfers of personal data, and setting global data protection standards.

The changes give people more control over their personal data and make it easier for them to access their information. GDPR is also designed to make sure that people's personal information is protected no matter where it is sent, processed, or stored, even outside of the EU, as may be the case on the Internet.

I've seen more security leaders pulling the short straw for GDPR responsibilities and struggling to wade through the legal obligations. So what exactly is the security obligation under GDPR?

How is GDPR different from the 95 EU Data Protection Directive?

First off – what are the changes? GDPR builds on the 95 EU directive, so some background on the directive first.

In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data”.[2] The seven principles governing the OECD’s recommendations for protection of personal data were:

  1. Notice—data subjects should be given notice when their data is being collected;
  2. Purpose—data should only be used for the purpose stated and not for any other purposes;
  3. Consent—data should not be disclosed without the data subject’s consent;
  4. Security—collected data should be kept secure from any potential abuses;
  5. Disclosure—data subjects should be informed as to who is collecting their data;
  6. Access—data subjects should be allowed to access their data and make corrections to any inaccurate data;
  7. Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.[3]

However – there was no enforcement mechanism behind the directive.

What's the Difference between Privacy and Security?

Data privacy and data security are two very different disciplines. Data privacy primarily focuses on the governance of the data: it ensures that an organization is doing what it says it is doing with that information. A core privacy tenet is that you will only use the data in the way you said you were going to use it. The intersection with security comes when you have lost the data, or the data was manipulated, through a security weakness or security breach. At that point you have used the data in a way that you did not inform the consumer of as part of your purpose obligations. In other words, because of a security weakness or breach, you've done something with the data you didn't disclose, such as sharing it with people you didn't intend to, and allowed a use of the data you didn't receive permission for.

GDPR brings a lot of benefits for consumers, including a right to be forgotten. It allows for easier access to one's data and gives a right to data portability. It gives a right to know when one's data has been hacked. It also requires that data protection be implemented by design and by default.

Security Hasn’t Changed

The core security tenet HAS NOT changed from the EU directive to GDPR. GDPR only provides more guidance, structure, and consequences for how security should be implemented. Security by design isn't new. Privacy by design isn't new. Notifying folks of a breach isn't new (for most organizations), and risk assessments aren't new.

Now – the fact that there are consequences for non-compliance is forcing many security teams to actually perform risk assessments, design the security architectures for their organizations, and ensure timely breach notifications. This isn't new, but now you've got to do it, and that can be hard, especially in large organizations. As it stands, most security organizations are underfunded and under-resourced, and completing this type of work in short order can be like hunting a bear with a BB gun.

If you're unsure where to start – Article 32 (security of processing) and Article 35 (data protection impact assessments) are very clear that security control implementation should mitigate identified security risks. They spell out that security design should take into account "the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons."

There are two components to this that GDPR doesn't answer: 1. how to do a risk assessment, and 2. what controls to implement to mitigate the risks.

Let's start with the first one – risk assessment. There are several standard risk assessment methodologies available in the industry today, but one common one is NIST 800-30. It provides a framework that can be used for a comprehensive and robust risk assessment. NIST 800-30 is also recognized by the payment card industry and by the HIPAA OCR regulations as an acceptable risk assessment framework.

The second one is control implementation to mitigate the risks that have been identified as exceeding the organization's tolerance. There are many control frameworks in place, and many are industry specific, such as PCI-DSS, HIPAA, the NIST 800 series, or ISO 27002, which has a great catalog of security controls.

Coming Back to the Original Question

Coming back to our original question – "I'm the CISO and I'm now the DPO, can you help me?"

If you're a security leader in this position, your strength is going to be security subject matter expertise and knowing how best to mitigate security risks.

Since business operations are not part of your day-to-day (especially in larger organizations), you need to become very friendly with your peers who are closer to the data collection and data processing activities.

There’s a lot you’ll need to know in order to actually advise them on their obligations under GDPR.

Now, probably the most important piece: if you don't have in-house counsel, you should find a trusted legal partner. There's a whole discipline of privacy law that covers privacy rights and what constitutes a reasonable expectation of privacy in terms of the law. In the organizations I've talked with, most folks are still working through compliance and trying to figure this out. The success of GDPR in any organization is a team sport.