Posted on Apr 12, 2018

Cloudy With a Chance of GDPR Penalties

With the GDPR's 25 May 2018 enforcement date approaching, the General Data Protection Regulation hangs over companies on both sides of the Atlantic. In our webinar, Boris Segalis, co-chair of Norton Rose Fulbright's Privacy and Cybersecurity Practice, speaks with Aleksandr Yampolskiy, CEO and Founder of SecurityScorecard, about some of the nuances of GDPR compliance.



What are the roles of CISO and CPO?

The 1995 EU Data Protection Directive was the first formalized set of European requirements; the GDPR replaces it. As in the United States, the Chief Privacy Officer (CPO) owns the overall program while the Chief Information Security Officer (CISO) responds to specific issues, so the two work as a team.

How does an organization collect, use, share, and protect personal data?

Compliance requires that organizations understand how personal data is used in their business operations. The Human Resources onboarding process, for example, collects information that is then shared with parties ranging from healthcare providers to nonprofits, and organizations must document each of these data flows.

SecurityScorecard CEO Yampolskiy reminds security practitioners that organizations need to classify information in order to safeguard it, categorizing it as public, internal, confidential, or, at the most rigorous level, secret. They should also deploy tools that periodically scan for personal information sitting outside the controls built for it.

What information should organizations store and not store?

The GDPR's legal requirements matter, but Segalis suggests organizations also take a lesson from the Tinder example. Data subjects (individuals) have the right to request the information held about them. When one user asked Tinder for her data, the company produced 500 pages covering her connections and interactions. Fundamentally, the GDPR drives companies to balance retention thoughtfully against what they will have to produce on request.

As an additional example, Yampolskiy noted that the database holding personal data may be well protected while the copy someone downloaded to a shared drive is not, and that copy is just as much personal data.
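The two points above, classifying data and periodically scanning for copies that have escaped their controls, can be demonstrated with a small scanner. The following is an added example written for this post, not code from the webinar or from SecurityScorecard. It walks a directory tree standing in for a file share, applies a few simple personal-data detectors, assigns the highest matching label from the public/internal/confidential/secret ladder, and flags files whose POSIX mode lets anyone on the system read them. The detector patterns, the label mapping and the sample files are constructed assumptions for illustration, not a legal definition of personal data.

```python
"""Scan a file share for unprotected personal data (added example)."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Detector name -> (pattern, classification label). The labels follow the
# post's ladder; which pattern maps to which label is an assumption here.
LEVELS = ["public", "internal", "confidential", "secret"]
DETECTORS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "confidential"),
    # phone-ish: "+CC ..." or a leading 0, then at least 8 more digits/separators
    "phone": (re.compile(r"(?<!\w)(?:\+\d{1,3}|0)[\d ()-]{7,}\d(?!\w)"), "confidential"),
    # IBAN-ish: country code, check digits, then 4-character groups
    "iban": (re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"), "secret"),
    "health": (re.compile(r"\b(?:diagnosis|prescription|blood type)\b", re.I), "secret"),
}


@dataclass
class Finding:
    path: str             # path relative to the share root
    categories: list      # detector names that matched
    classification: str   # highest label among the matches
    world_readable: bool  # mode has the "other" read bit set


def classify_text(text):
    """Return (sorted detector names that hit, highest classification label)."""
    hits = sorted(name for name, (rx, _) in DETECTORS.items() if rx.search(text))
    if not hits:
        return hits, "internal"  # nothing detected: treat as ordinary internal data
    level = max(LEVELS.index(DETECTORS[h][1]) for h in hits)
    return hits, LEVELS[level]


def is_world_readable(path):
    """True if any user on the host can read the file (POSIX 'other' read bit)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_share(root):
    """Walk the share and return one Finding per file that contains personal data."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable to us: skip rather than crash the sweep
            hits, label = classify_text(text)
            if hits:
                findings.append(Finding(os.path.relpath(path, root), hits, label,
                                        is_world_readable(path)))
    return sorted(findings, key=lambda f: f.path)


def unprotected(findings):
    """Findings that are both sensitive (above internal) and readable by anyone."""
    return [f for f in findings
            if f.world_readable and LEVELS.index(f.classification) > LEVELS.index("internal")]


def build_sample_share():
    """Create a constructed share: a locked-down HR export, a leaked payroll
    note left world-readable, and a harmless public notice."""
    root = tempfile.mkdtemp(prefix="share-")
    samples = {
        "hr/onboarding_export.csv":
            ("name,email,phone\nAda Example,ada@example.org,+44 20 7946 0958\n", 0o640),
        "finance/payroll_notes.txt":
            ("Ada Example IBAN GB82 WEST 1234 5698 7654 32, prescription on file\n", 0o644),
        "public/notice.txt": ("Office closed on 1 May.\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)  # set explicitly so the umask does not change the result
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for f in scan_share(share):
        flag = "UNPROTECTED" if f in unprotected(scan_share(share)) else "ok"
        print(f"{flag:12} {f.classification:12} {f.path}  {','.join(f.categories)}")
```

Run stand-alone, the sweep reports the payroll note as secret and unprotected (world-readable) and the HR export as confidential but protected; the notice does not appear at all. In a real deployment the detectors would be replaced by the organization's own classification rules, the permission check by the share's ACL model (SMB/NTFS rather than POSIX bits), and the sweep scheduled rather than run by hand, but the shape of the check is the same: find the data, label it, and compare the label against the protection actually applied to that copy.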

Is there a capability to detect and investigate a breach where personal data has been stolen?

In Europe, the GDPR introduces a new, robust, pan-European breach notification requirement that the earlier directive did not have. The definition of a breach is broad: lost data, lost integrity, and loss of availability all count.

Organizations must notify both regulators and the affected individuals. However, Segalis explains, what can be reported depends on what the organization actually knows about the incident: it might know an anomaly exists but not yet whether any personal data was affected.

Capability, Yampolskiy stresses, is the key term. An intrusion detection system does not help if it floods analysts with alerts that no one acts on. Organizations need policies and procedures that name the actors, the chain of command, and the lawyers and forensic responders to call. Capability requires process; a solution with no operational answer behind it lacks substance.

How do organizations track data processors to ensure their security measures?

"Data processors" as defined in the GDPR are a new concept for the US but not for Europe. A processor handles personal data only on behalf of, and on the instructions of, its business customer (the controller). Segalis notes that cloud storage is the classic processor: the provider stores the data but does not use it for its own purposes. GDPR Article 28 sets out the due-diligence and contractual requirements for ensuring processor compliance.

Yampolskiy adds that modern organizations exist in an ecosystem: vendors hold all kinds of their information, so a breach at a vendor damages every reputation in the chain. He cites Fazio Mechanical, the small HVAC contractor servicing Target's stores, whose stolen network credentials gave the attackers their way into Target. Organizations must tier vendors by risk, using security ratings such as SecurityScorecard's as a litmus test.

Does the GDPR regulation limit or enhance the commercialization of big data?

The regulation creates onerous requirements for establishing, recording, and defending the reasons for data collection. Consumer businesses must understand their data processing choices. SecurityScorecard's Yampolskiy notes that the volume, velocity, and veracity of big data magnify the possibilities for misuse. Although the GDPR appears to create neat, nicely compartmentalized, easy-to-achieve requirements, closer inspection reveals a spaghetti bowl.

Hardest for US companies will be the different values embedded in European law, where process and form matter as much as substance. EU law weighs the letter of the law as heavily as its spirit, but the size of GDPR fines and penalties in practice will ultimately depend on how regulators enforce it.


