The General Data Protection Regulation (GDPR) was adopted in April of 2016 and is set to go into effect on May 25, 2018. Between now and then, there is a lot for companies to consider and understand. The European Parliament established GDPR as a mechanism to protect the personally identifiable information (PII) of European Union citizens. PII, as defined by GDPR, is not simply details like name, address, and birthday, but is much broader and includes online identifiers such as IP address, MAC address, cookie data, etc.
GDPR provides EU citizens with specific rights pertaining to their PII and outlines how organizations must treat that data. It extends legal liability beyond the borders of the EU so that any organization anywhere in the world that maintains PII of EU citizens must comply. GDPR will force organizations to change the way they collect, store, manage, transmit, share, and protect PII. There are many components to GDPR, but for this blog, I will focus on the three that I believe will create the greatest impact.
1. Data Protection Impact Assessments
Data Protection Impact Assessments (DPIAs) are intended to provide a way to identify technology and process gaps in an organization’s data privacy compliance status. DPIAs are similar to the audit processes associated with other compliance frameworks (like HIPAA, SOX, GLB, etc.). DPIAs create a framework used by organizations to measure current state, consult with stakeholders, consider risks, evaluate solutions for identified problems, and document the entire process.
Adhering to the DPIA process will serve two important functions: to implement better privacy technologies and procedures, and to document a reasonable approach to protecting the PII of EU citizens. In the event of a breach, DPIA documentation can demonstrate the effort of an organization to meet GDPR requirements. The code of practice document provides details on when and how assessments can and should be done. This formal process will add cost and consume IT resources that are already pulled in lots of different directions.
2. Role Definitions: Data Controllers, Data Processors, and Data Protection Officers
GDPR has defined the roles and responsibilities for data controllers, data processors, and Data Protection Officers (DPOs). Data controllers define how and why PII is processed, whereas data processors hold and use PII on the controller's behalf. Data processors can be internal resources or third parties contracted to use that data for specific purposes. For example, consider a product manufacturer that contracts a third party to deliver emails to consumers. In this case, the product manufacturer is the data controller and the third party is the data processor. Ultimately, both the data controller and the data processor are liable for the integrity of PII. Data controllers will therefore need to invest time and energy into evaluating the security practices of the data processors with whom they have relationships.
Data controllers and data processors must name a DPO, a decision that cannot be taken lightly. DPOs are responsible for ensuring that the company and its employees are aware of the GDPR compliance requirements and for conducting DPIAs and security audits. They also act as the single point of contact with Supervisory Authorities. The DPO is the person held responsible for all aspects of GDPR compliance.
3. Breach notification must occur within 72 hours
The aspect of GDPR that is likely to cause organizations the greatest difficulty is the requirement of breach notification. If a breach occurs at a data processor, they are obligated to notify the data controller without undue delay. Data controllers are legally obligated to notify the Supervisory Authority within 72 hours of becoming aware of a data breach. They must identify the name and contact information of the DPO and, as part of the notification, data controllers must describe the nature of the breach and number of data subjects involved. In addition, they must outline the likely consequences of the breach and specify the measures taken (or proposed to be taken) to mitigate the issue.
The need for real-time forensics
When high-profile data breaches have occurred in the past, such as Sony, Target, Yahoo!, Equifax, etc., the public was not made aware for weeks or months after the breach occurred. Even months after the breach, many details about the attacks remained unknown. Historically, organizations have hired a third-party forensic analysis firm to try to piece together information to identify what happened. Under GDPR, companies are no longer afforded this luxury. Now, data forensics needs to be captured in real time and retained to ensure root cause analysis and breach details can be accessed quickly. Seventy-two hours is an incredibly small window of time to investigate and understand what happened. A network traffic analytics platform like Scrutinizer is an absolute must for any organization worried about GDPR compliance. You must be able to collect details about every conversation on the network and be able to quickly deliver reports and identify root cause.
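To make the point about retained conversation records concrete, here is an added example (not code from the original post or from Scrutinizer) that runs a breach-scoping query over constructed NetFlow-style records: it pulls every conversation involving a suspect host in the lookback window before the controller became aware, aggregates bytes per peer, flags large egress to external peers, and computes the 72-hour notification deadline. The record layout, hosts and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (hypothetical layout, not Scrutinizer output):
# (timestamp, src, dst, dst_port, bytes)
FLOWS = [
    ("2018-05-26T01:02:00", "10.0.0.5", "203.0.113.7", 443, 120_000_000),
    ("2018-05-26T01:05:00", "10.0.0.5", "10.0.0.20", 445, 8_000),
    ("2018-05-26T02:10:00", "10.0.0.9", "10.0.0.5", 3389, 50_000),
    ("2018-05-27T09:00:00", "10.0.0.5", "203.0.113.7", 443, 90_000_000),
    ("2018-05-20T12:00:00", "10.0.0.5", "198.51.100.3", 80, 1_000),  # outside window
]

INTERNAL_PREFIX = "10."  # assumed internal address range

def conversations(flows, host, start, end):
    """Aggregate retained flows involving `host` within [start, end) per peer:
    bytes sent to / received from the peer, ports used, first/last seen."""
    summary = defaultdict(lambda: {"out": 0, "in": 0, "ports": set(),
                                   "first": None, "last": None})
    for ts, src, dst, port, nbytes in flows:
        t = datetime.fromisoformat(ts)
        if not (start <= t < end) or host not in (src, dst):
            continue
        peer = dst if src == host else src
        rec = summary[peer]
        rec["out" if src == host else "in"] += nbytes
        rec["ports"].add(port)
        rec["first"] = t if rec["first"] is None else min(rec["first"], t)
        rec["last"] = t if rec["last"] is None else max(rec["last"], t)
    return dict(summary)

def external_egress(summary, threshold):
    """External peers that received more than `threshold` bytes from the host."""
    return sorted(p for p, r in summary.items()
                  if not p.startswith(INTERNAL_PREFIX) and r["out"] > threshold)

def notification_deadline(aware):
    """Latest time the Supervisory Authority must be notified (72 hours)."""
    return aware + timedelta(hours=72)

if __name__ == "__main__":
    aware = datetime(2018, 5, 27, 10, 0)  # constructed time of becoming aware
    s = conversations(FLOWS, "10.0.0.5", aware - timedelta(days=2), aware)
    for peer, rec in s.items():
        print(peer, rec)
    print("large external egress:", external_egress(s, 100_000_000))
    print("notify by:", notification_deadline(aware))
```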
For more information on the types and sources of forensic data that Scrutinizer collects, check out a blog I recently wrote called Network Incident Response with NetFlow and Metadata.