Posted on Dec 1, 2017
By: Fouad Khalil
On May 4, 2016, after four years in the making, the European Union (EU) General Data Protection Regulation (GDPR) was published and an application date was set: May 25, 2018.
With Black Hat Europe this week and the GDPR deadline getting closer every day, many practitioners are discussing and analyzing the potential ramifications of GDPR on their organizations. While the regulation went into effect on May 24, 2016, this application date of May 25, 2018 provides a tangible reminder of the importance of developing and maintaining an effective cybersecurity posture.
How GDPR Differs From the Data Protection Directive
This new European legislation, the General Data Protection Regulation (GDPR), will replace the long-standing Data Protection Directive 95/46/EC. Beyond the regulation’s enforceability, it also:
Key Provisions Within GDPR
Per the regulation, “The protection of the rights and freedoms of data subjects with regard to the processing of personal data require that appropriate technical and organizational measures are taken, both at the time of the design of the processing and at the time of the processing itself, to ensure that the requirements of this Regulation are met.”
The regulation covers many areas. Some of the key provisions are as follows:
Who Is Subject to This Regulation
Companies with more than 250 employees that process personal data for EU citizens will be subject to GDPR. Regulators and practitioners suggest that IT leaders involved with security management should focus on the following in their efforts to comply with GDPR:
The Definition of “Personal Data” Under GDPR
Similar to many U.S.-based regulations designed to protect personally identifiable information, protected health information, credit card information, and other sensitive information, GDPR is expanding current rules and definitions to include all “personal data.” It defines personal data as any information relating to an identified or identifiable natural person ('data subject').
Personal data includes online identifiers and location data, meaning that the legal definition of personal data now puts beyond any doubt that IP addresses, mobile device IDs, and other online identifiers are all “personal” and must be protected accordingly.
The GDPR also introduces a new concept of “pseudonymous data” – in simple terms, personal data that has been subjected to technological measures (like hashing or encryption) such that it no longer directly identifies an individual without the use of additional information. Pseudonymous data is still considered a type of personal data and so is subject to the requirements of the GDPR.
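To make the distinction concrete, here is an added example (not code from the original post or from SecurityScorecard) that pseudonymizes IP addresses from a constructed log sample. A keyed HMAC token is stable for the same subject, so analytics still work, but re-linking it to the address requires the secret key, which is the “additional information” in the GDPR definition and must be stored and access-controlled separately. The example also shows the usual caveat: an unkeyed hash of a low-entropy identifier such as an IPv4 address can be matched back from a candidate list, so it is weak pseudonymization. The key-generation helper is an assumption for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample: IPv4 addresses as they might appear in a web access log.
SAMPLE_IPS = ["203.0.113.7", "198.51.100.23", "203.0.113.7", "192.0.2.99"]


def new_key() -> bytes:
    """Assumed helper: a fresh 256-bit pseudonymization key (keep it outside the dataset)."""
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under the secret key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_log(identifiers, key: bytes):
    """Replace every identifier in a log with its token; same subject -> same token."""
    return [pseudonymize(ip, key) for ip in identifiers]


def reidentify(token: str, candidates, key: bytes):
    """Re-linking a token to a subject: only possible for whoever holds the key."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize(candidate, key), token):
            return candidate
    return None


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 with no key: deterministic and reproducible by anyone."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def unkeyed_match(token: str, candidates):
    """Design check: an unkeyed hash of a small identifier space is matched by enumeration,
    so it does not remove the link to the data subject."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    key = new_key()
    tokens = pseudonymize_log(SAMPLE_IPS, key)
    print("same subject, same token:", tokens[0] == tokens[2])
    print("re-linked with key:", reidentify(tokens[0], SAMPLE_IPS, key))
    print("re-linked without key:", reidentify(tokens[0], SAMPLE_IPS, new_key()))
    print("unkeyed hash matched:", unkeyed_match(unkeyed_hash("203.0.113.7"), SAMPLE_IPS))
```

Rotating the key yields a fresh set of tokens, which breaks linkage across retention periods and is a useful property when the legal basis for a processing activity ends.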
The Complexity of Data Subject Rights
GDPR introduces data subjects’ rights, which makes compliance a bit more challenging for practitioners. While the core rules remain the same (compliance with all six principles), organizations now have to consider the stricter requirements on consent, additional protections around child consent, new data access rights such as the right to be forgotten and the right to data portability, and the requirement to inform data subjects of any profiling, such as online tracking and behavioral advertising.
At SecurityScorecard, we’ve defined a few key points to remember as the May deadline approaches:
The SecurityScorecard platform can help practitioners achieve continuous compliance with standards and regulations, like GDPR. The platform monitors vulnerabilities for companies and their vendors in key risk areas, highlighting opportunities for organizations to improve their cybersecurity posture and to ensure an effective compliance posture. Savvy organizations understand that enterprise security is only as strong as the third-party security that forms its foundation. GDPR compliance will be achieved through a continuous collaborative dialogue throughout their vendor ecosystem. Feel free to visit Booth #301 at Black Hat for more information.
Key Definitions in GDPR
About the Author:
Fouad Khalil is the Head of Compliance at SecurityScorecard with more than 25 years in the technology space, including software development, support, program and project management, and IT Security and Compliance. He holds CISA and ITIL certifications. His key areas of expertise within compliance and IT security include: IT, NIST, Internal Controls, SOX, PCI DSS, HIPAA, HITECH, and MAS compliance to name a few. Fouad is also an active member in ISACA, IIA, and Infragard.