What is GDPR

 

In short GDPR (General Data Protection Regulation) is an updated version of the Data Protection Act 1998 and will be made law in the UK on the 25th of May 2018.

The EU recognises existing legislation pre-dates developments in use of the internet and social media and that Data is now more readily available to everyone to share around without adequate laws and legislation designed to safeguard personal information.

This GDPR EU compliance regulation will have a far-reaching impact for organizations throughout the world. 

With the demise of Safe Harbor, U.S. companies that export and handle the personal data of European citizens will also need to comply with the new requirements put forth or be subject to the same consequences.

If your organization suffers a data breach, under the new EU compliance standard, the following may apply depending on the severity of the breach:

However, GDPR does provide exceptions based on whether the appropriate security controls are deployed within the organizations.  For example a breached organization that has rendered the data unintelligible through encryption to any person who is not authorized to access the data, is not mandated to notify the affected record owners. 

The chances of being fined are also reduced if the organization is able to demonstrate that they have tried to secure its data to the best of there abilities and have activley reported data breaches to the ICO (information Commissioner’s Office) within 72hr

To address the GDPR compliance requirements, organizations may need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:

  • Servers, including via file, application, database, and full disk virtual machine encryption.

  • Websites
    • Cookie Policy. A page on your website that states what cookies are used on the site, both yours and from third parties and what data you capture with them and what you do with it.
    •  Privacy Policy
    • Ensure thorough privacy policy's statments are written or updated including website owner’s full statement of what data is captured, when and what the data is used for, the third party’s details and the process.
    • Correct SSL Certificate are implimented. The purpose of this is to securely encrypt all the details that are entered into any forms or fields on a website. A must-have on e-commerce sites and now recommended for all sites in general.
    • Newsletter Sign-up managment for customers wishing to stay opted in.
    • Ensure all tick box that handles subscriptions are set to the user has to OPT-IN and not opt out as well as adding un-subscribe function.
    • Contact Forms
    • Ensure that all details are not stored in the website’s SQL database unless stored with encryption.
    • Right To Be Forgotten!  All websites must have the ability to remove any stored information held on customers.
  • Storage, including through network-attached storage and storage area network encryption.

  • Media, through disk encryption.

  • Networks, for example through high-speed network encryption.

In addition, strong key management is required to not only protect the encrypted data, but to ensure the deletion of files and comply with a user’s right to be forgotten. 

Organizations will also need a way to verify the legitimacy of user identities and transactions, and to prove compliance. It is critical that the security controls in place be demonstrable and auditable.

Data Control

GDPR expects organizations to stay in control of their data to ensure that it is accessed and processed by authorized users only when appropriate. The control requirements are covered in Articles 5, 25, and 32.

According to GDPR organizations must:

  • Only process data for authorized purposes
  • Ensure data accuracy and integrity
  • Minimize subjects’ identity exposure
  • Implement data security measures

Encryption keeps data in an unreadable state unless a user or process presents the appropriate key. In accordance with GDPR, this simple control method can restrict data processing only for authorized use, and restrict the amount of time that people are identifiable by their data. Encryption also prevents unauthorized data manipulation; limiting data access to authorized users and monitoring key usage greatly reduces the ability for data to change without authorization. Organizations properly using encryption and its access controls can demonstrate their data’s integrity.

Multi-factor authentication is the first line of defense in any scenario. Strong authentication controls which users have access to the network and the resources found within. By assigning credentials to individuals, organizations can track access to resources to monitor internal risks. Multi-factor authentication also makes it more difficult for unauthorized users to access sensitive resources. For both known and unknown threats, multi-factor authentication raises the barriers to data access making it easier for an organization to stay in control of their data.