Over the last couple of months, you’ve probably been observing the stress levels rise with security teams as the European Union (EU) General Data Protection Regulation (GDPR) deadline approaches. In about 6 months (May 25, 2018), the GDPR takes effect.
GDPR is a critical regulation because companies that fail to achieve GDPR compliance before the deadline will be subject to steep fines and penalties. The GDPR mandates penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance.
Designed to protect the personal data and privacy of EU citizens, it spans 99 articles and 11 chapters. Given that breadth, there are still a number of open questions about its requirements. During discussions with security teams, we often receive questions on the GDPR and its applicability to breach and attack simulation.
Here are the top FIVE questions we hear on the GDPR:
1. Question: Does the GDPR encompass only personally identifiable data for EU citizens?
The GDPR definition of consumer data that needs to be protected encompasses not only personally identifiable web data such as location, IP address, cookie data and RFID tags, but also data containing health, genetic, biometric, racial, ethnic, political, or sexual orientation information.
2. Question: How often do organizations need to validate compliance with GDPR?
Compliance needs to be ongoing.
GDPR places the burden of “continuous risk assessment” on the data controller (the data-collecting organization) and requires that any organization processing personal data be GDPR compliant. In fact, Article 32 states that companies must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, including “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
This is actually good news. We already know the legacy approach of point-in-time, manual validation cannot keep pace with dynamic environments. Continuous risk assessment is the right approach, and the best way to do it is by automating hacker breach methods via breach and attack simulation. This enables companies to proactively and continuously validate the data protection security controls that are in place.
3. Question: How does breach and attack simulation assist with GDPR?
Companies need to implement reasonable data protection measures to protect EU citizens’ personal data and privacy against loss or exposure, and demonstrate compliance of processing activities. Breach and attack simulation can assist in the following ways:
- Continuously validate security controls (Articles 25 and 32) – Breach and attack simulation can minimize security exposure and continuously validate that the “state of the art” security controls that have been deployed are actually working. For example, security teams that have implemented controls allowing only certain types of data to travel between networks or data centers can actually prove that their implementation is sound, or identify configuration errors in security deployments that may lead to a data breach. More importantly, this validation uses “real attack techniques”, giving a more accurate reflection of true enterprise risk.
- Prepare for GDPR Impact Assessments (Article 35) – Breach and attack simulation can prepare security teams for impact assessments. Specifically, it can be used prior to an actual assessment to assess the “measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance”. This includes security technologies but also extends to SOC and MSSP teams involved in the security measures for GDPR.
- Justify GDPR investment – Breach and attack simulation can also prove whether or not additional investment is required for GDPR compliance. Security investment is too often a “gut feel” measure, since actual security has until now been difficult to measure. This means that executive teams often only start appropriate security investment after a breach has occurred. Breach and attack simulation can provide real security data to prove whether further GDPR security investment is required.
4. Question: Do all organizations need to hire a DPO?
Some companies must appoint a data protection officer (DPO) to oversee data security strategy and GDPR compliance. The misconception with GDPR is that everyone has to appoint a DPO, but in fact this is only applicable to companies that process or store large amounts of EU citizen data, process or store special categories of personal data, regularly monitor data subjects, or are a public authority (Articles 37, 38 and 39).
5. Question: Do all incidents need to be reported?
Under the GDPR, the “destruction, loss, alteration, unauthorized disclosure of, or access to” EU personal data must be reported to a regulator within 72 hours (Articles 33 and 34).
Regulators do not need to be notified if:
- the controller has “implemented appropriate technical and organizational protection measures” that “render the data unintelligible to any person who is not authorized to access it, such as encryption” (see Step 2 above);
- the controller takes actions subsequent to the personal data breach to “ensure that the high risk for the rights and freedoms of data subjects” is unlikely to materialize;
- notification to each data subject would “involve disproportionate effort,” in which case alternative communication measures may be used.