Five Common Questions on the General Data Protection Regulation (GDPR)
Over the last couple of months, you've probably been observing the stress levels rise with security teams as the European Union (EU) General Data Protection Regulation (GDPR) deadline approaches. In about 6 months (May 25, 2018), the GDPR takes effect.
GDPR is a critical regulation because companies that fail to achieve GDPR compliance before the deadline will be subject to steep fines and penalties. The GDPR mandates penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance.
Designed to protect the personal data and privacy of EU citizens, it spans 99 articles and 11 chapters. As a result, there are still a number of questions about its requirements. During discussions with security teams, we often receive questions on the GDPR and its applicability to breach and attack simulation.
Here are the top five questions we hear on the GDPR:
1. Question: Does the GDPR encompass only personally identifiable data for EU citizens?
The GDPR definition of consumer data that needs to be protected encompasses not only personally identifiable web data such as location, IP address, cookie data and RFID tags, but also data containing health, genetic, biometric, racial, ethnic, political, or sexual orientation information.
2. Question: How often do organizations need to validate compliance with GDPR?
Compliance needs to be ongoing.
GDPR places the burden of “continuous risk assessment” on the data controller (the data-collecting organization) and requires that any organization that is processing data be GDPR compliant. In fact, Article 32 states that companies must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,” including “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” (Article 32)
This is actually good news. We already know the legacy approach of point-in-time, manual validation cannot keep pace with dynamic environments. Continuous risk assessment is the right approach, and the best way to do it is by automating hacker breach methods via breach and attack simulation. This enables companies to proactively and continuously validate the data protection security controls that are in place.
3. Question: How does breach and attack simulation assist with GDPR?
Companies need to implement reasonable data protection measures to protect EU citizens’ personal data and privacy against loss or exposure, and to demonstrate the compliance of their processing activities. Breach and attack simulation can assist in the following ways:
4. Question: Do all organizations need to hire a DPO?
Some companies must appoint a data protection officer (DPO) to oversee data security strategy and GDPR compliance. The misconception with GDPR is that everyone has to appoint a DPO, but in fact this is only applicable to companies that process or store large amounts of EU citizen data, process or store special categories of personal data, regularly monitor data subjects, or are a public authority. (Articles 37, 38 and 39)
5. Question: Do all incidents need to be reported?
Under the GDPR, the “destruction, loss, alteration, unauthorized disclosure of, or access to” EU personal data must be reported to a regulator within 72 hours. (Articles 33 and 34)
Regulators do not need to be notified if: