Cloudy With a Chance of GDPR Penalties

Posted on Apr 12, 2018

As the May 25, 2018 General Data Protection Regulation (GDPR) enforcement date looms, the cloud hanging over information security and compliance professionals comes with a chance of penalties.

What is GDPR?

In April 2016, the European Commission, the European Union’s legislative branch, voted to override the 1995 Data Protection Directive and replace it with GDPR. Over twenty years, data breaches increased in frequency, severity, and complexity. Thus, the Commission determined that the previous Data Protection Directive, lacking legal and punitive authority, no longer provided EU citizens the appropriate level of protection over data privacy for personal data collected.

The GDPR applies to organizations within member states as well as to those outside member states that offer goods or services to EU data subjects. It also covers organizations that monitor the behavior of EU data subjects, such as social media companies located within the United States.

How Does GDPR Differ from Other Privacy Laws?

The GDPR’s primary focus differs from the traditional US approach. US laws typically require organizations to maintain ongoing information security and cybersecurity programs with little focus on data subjects’ rights. The GDPR, however, shifts the focus to giving data subjects increased control over their information. By defining “personal data” as any information that directly or indirectly identifies a person, the GDPR intends to incorporate new types of information such as social media posts and a computer’s IP address.

Additionally, by shifting information control from data controllers to data subjects, the GDPR imposes more transparency requirements on both data controllers and data processors. While the data controller sets the purpose of the information collection, the data processor acts on that controller’s behalf. Unlike traditional US privacy laws, the GDPR requires informed consent to opt in. Simply put, organizations can no longer assume silence equates to consent. Moreover, the burden of educating consumers in clear, non-legalese language falls to organizations.

Why is the data subject focus important?

Shifting focus from opt out to opt in requires a different level of data integrity and protection. Not only must organizations ensure educated consent, they must also provide records upon request.

Under current US financial data privacy laws, for example, financial institutions provide opt-out notifications. However, consumers often ignore these notices as part of opening an account, so their silence equates to consent. The GDPR places a notification burden on organizations to ensure that data subjects not only provide affirmative consent but also understand how their data could be used.

Rather than collecting all data as part of usual business operations, the GDPR forces organizations to narrow their collection processes to the information most important to their business operations.

What are the roles of CISO and CPO?

The European Union data protection directive represents the first formalized European requirements. As in the United States, the CPO implements the overall program while the CISO responds to specific issues, so the two work as a team. The GDPR thus strengthens the relationship between these two officers.

GDPR compliance requires equal parts policy and process. European laws focus as much on the letter as on the spirit. Thus, the CPO and CISO relationship must allow mutual enablement to protect information. For example, if a CPO creates a policy that meets the strict requirements but the CISO cannot implement the policy effectively, the organization fails at compliance. Conversely, if the CISO implements a protective control but the CPO does not align the policy with the controls, the organization equally fails.

Communication between the CPO and CISO increases compliance value while also creating stronger organizations. Easing GDPR compliance burdens requires tools that enhance communication and transparency.

How does an organization collect, use, share, and protect personal data?

Compliance requires that organizations understand how data is used in business operations. The Human Resources onboarding process, for example, collects information that gets shared with parties ranging from healthcare providers to nonprofits, and organizations must bookmark each data use.

SecurityScorecard CEO Yampolskiy reminds companies that security practitioners and organizations need to classify information to safeguard its integrity, categorizing it as public, internal, confidential, or, at the most rigorous level, secret. Moreover, they should incorporate tools that periodically scan for any unprotected personal information.

What information should organizations store and not store?

The EU GDPR legal requirements matter, but Segalis suggests organizations gain insight from the Tinder example. Data subjects, that is, individuals, have the right to request their information. When individuals asked Tinder for their data, the company provided 500 pages of information about various connections and interactions. Fundamentally, the GDPR regulation drives companies to thoughtfully balance retention with requests. As an additional example, CEO Yampolskiy shared that a database might be safe, but a document downloaded from it to a shared location might not be.


Retention policies also extend to third parties with whom the organization shares information. Bookmarking employee onboarding data acts as the first step. As a second step, organizations must share with data processors only the minimum information they need. For example, an organization might choose to share employee information with both charities and healthcare providers. However, charities should obtain the least intrusive data, such as name and address, while healthcare providers should obtain more information. Similarly, a payroll processor may not need an employee’s healthcare records, only the policy information needed to enable payment.

The GDPR requires organizations to compartmentalize information the way they already compartmentalize authorization to systems. Thinking carefully about who gets which information and how they use it adds transactional cost up front but may enable better security in the long term.
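The two ideas above, classifying fields (public, internal, confidential, secret) and sending each processor only its allowlisted fields, can be enforced in code rather than by convention. The following is an added example, not code from the post or from SecurityScorecard; the field names, the classification of each field, the three processor allowlists and the sample onboarding record are all constructed for illustration. It denies by default (a field not on a processor's allowlist is withheld even if the controller never classified it), rejects a processor configuration whose allowlist exceeds its clearance, and writes an audit entry for every share so the controller can later answer what was sent to whom.

```python
"""Data minimization when sharing onboarding records with data processors.

Added example (not part of the original post). Field names, classifications,
processor definitions and the sample record are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Classification levels named in the post, ordered least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Assumed classification of each field in an onboarding record.
FIELD_CLASS = {
    "name": "public",
    "address": "internal",
    "email": "internal",
    "employee_id": "internal",
    "salary": "confidential",
    "bank_account": "confidential",
    "health_policy_number": "confidential",
    "health_records": "secret",
}


class SharingPolicyError(Exception):
    """Raised when a processor's allowlist exceeds its clearance."""


@dataclass(frozen=True)
class Processor:
    name: str
    allowed_fields: frozenset  # fields this processor may receive
    max_level: str             # highest classification it may receive


# Assumed processor definitions mirroring the post's three examples.
PROCESSORS: Dict[str, Processor] = {
    "charity": Processor("charity", frozenset({"name", "address"}), "internal"),
    "healthcare": Processor(
        "healthcare",
        frozenset({"name", "address", "employee_id", "health_policy_number", "health_records"}),
        "secret",
    ),
    "payroll": Processor(
        "payroll",
        frozenset({"name", "employee_id", "salary", "bank_account", "health_policy_number"}),
        "confidential",
    ),
}


def validate_processor(p: Processor) -> None:
    """Catch the misconfiguration where an allowlist names a field above the
    processor's clearance, or a field the controller never classified."""
    unclassified = sorted(f for f in p.allowed_fields if f not in FIELD_CLASS)
    if unclassified:
        raise SharingPolicyError(f"{p.name}: unclassified fields {unclassified}")
    too_high = sorted(
        f for f in p.allowed_fields if LEVELS[FIELD_CLASS[f]] > LEVELS[p.max_level]
    )
    if too_high:
        raise SharingPolicyError(f"{p.name}: {too_high} exceed clearance {p.max_level}")


def minimize(record: Dict[str, str], p: Processor, audit_log: List[dict]) -> Dict[str, str]:
    """Return only the allowlisted fields of `record` for processor `p`.

    Deny by default: any field not on the allowlist, including fields the
    controller never classified, is withheld. Every share is appended to
    `audit_log` so the controller can answer "what did we send to whom?"."""
    validate_processor(p)
    shared = {k: v for k, v in record.items() if k in p.allowed_fields}
    audit_log.append({
        "processor": p.name,
        "shared": sorted(shared),
        "withheld": sorted(set(record) - set(shared)),
    })
    return shared


# Constructed sample onboarding record (not real data). "manager_notes" is
# deliberately absent from FIELD_CLASS to exercise the deny-by-default path.
EMPLOYEE = {
    "name": "Ada Example",
    "address": "1 Example Street",
    "email": "ada@example.invalid",
    "employee_id": "E-1001",
    "salary": "50000",
    "bank_account": "EXAMPLE-IBAN",
    "health_policy_number": "HP-42",
    "health_records": "redacted",
    "manager_notes": "free text",
}

if __name__ == "__main__":
    log: List[dict] = []
    for proc in PROCESSORS.values():
        print(proc.name, "->", sorted(minimize(EMPLOYEE, proc, log)))
    for entry in log:
        print(entry)
```

The check in `validate_processor` is the part practitioners most often skip: the allowlist and the clearance level are two separate statements of intent, and the error case (a charity allowlisted for salary) only surfaces if the code compares them. The audit entries double as the "bookmark" of data use the post calls for, recording what was withheld as well as what was shared.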


Is there a capability to detect and investigate a breach where personal data has been stolen?


In Europe, the data protection directive acts as a new, robust, pan-European notification requirement. The broadly defined breach categories include lost data, lost integrity, and lack of availability.


Organizations must notify both regulators and victims. However, Segalis explains, incident reporting depends on how an organization suffered a breach. In other words, an organization might know an abnormality exists but not whether it impacts information.


Capability, shares Yampolskiy, is the key term. Intrusion detection systems may not help when the system triggers an overload of alarms. Organizations must incorporate policies and procedures detailing the actors, a chain of command, and a list of lawyers and forensic responders. Capability requires process; solutions devoid of an operational answer lack substance.

The inherent disconnect between “incident” and “abnormality” comes from the divergent readings of Article 33 and Article 34. Article 33 sets out the 72-hour notification requirement. According to that article, organizations must notify everyone who has been affected or who is at high risk of data impact. However, Article 34 defines three scenarios in which organizations do not need to meet the Article 33 requirement, including where encryption protects the personal data affected. Thus, organizations that continuously monitor their transit encryption and endpoint encryption status could avoid triggering the 72-hour requirement.

How do organizations track data processors to ensure their security measures?

"Data processors" as defined in the GDPR text are new to the US but not to Europe. Processors handle information only on behalf of, and on the instructions of, their business customers. Segalis notes that cloud storage provides a classic case of a processor, because the provider stores but does not touch the information. EU GDPR Article 28 details the due diligence steps required to ensure processor compliance.


Yampolskiy adds that modern organizations exist in an ecosystem: vendors hold various pieces of information, so a vendor breach affects every reputation in the chain. He notes that Fazio, the small HVAC company servicing Target’s air conditioning, led to Target's infiltration. Organizations must group vendors by risk, using security ratings, such as those by SecurityScorecard, as a litmus test.

Does the GDPR regulation limit or enhance the commercialization of big data?

The data protection directive creates onerous requirements for establishing, recording, and defending reasons for data collection. Consumer businesses must understand their data processing choices. SecurityScorecard's Yampolskiy notes that volume, velocity, and veracity magnify possibilities for misuse. Although the GDPR appears to create beautiful, nicely compartmentalized, easy-to-achieve requirements, on further inspection it resembles a spaghetti bowl.


Most difficult for US companies will be the different values in European law, where process and form matter as much as substance. EU law focuses on the letter as much as the spirit of the law, but GDPR fines and penalties ultimately rely on enforcement.

As companies prepare for the enforcement date, many question how far the GDPR will reach. The GDPR created a tiered approach to fines. Penalties for smaller infringements, such as record-keeping, are 2% of annual global turnover, while serious infringements, such as insufficient customer consent, can be as high as 4% of annual global turnover or $23.7M. Enforcement requires detection of those not in compliance with the regulation.

Theoretically, the GDPR applies equally to large companies like Facebook and to small, local cafes in the United States that require EU citizens to register to obtain free WiFi. Since the GDPR applies to those marketing to EU citizens, both of these entities fall within the legislation. An outstanding question lingers as to whether the Supervisory Authorities, the investigative and corrective organizations, will have the necessary administrative resources to ensure compliance. The GDPR’s global reach makes detection and enforcement difficult, leaving many anxiously awaiting the depth of penalization that will occur in 2018 and 2019.
