The General Data Protection Regulation (GDPR) EU legislation will come into force on 25 May 2018. GDPR is a significant upgrade and replacement for previous rules in the Data Protection Directive and introduces a number of new data protection obligations for organizations. As with other regulations such as HIPAA and SOX, compliance with GDPR requires that your organization implements appropriate measures to ensure you meet your legal data protection obligations. However, one of the key differences is that GDPR requires more than just putting in place a technical solution. Organizations will also need to adopt organizational measures to demonstrate GDPR compliance.
Encryption remains a cornerstone of data protection and privacy within the GDPR. It is widely recognized that using encryption:
- reduces the negative impact on individuals (data subjects): in the event of a laptop theft or hacker access to stored data, the encrypted data remains unusable;
- increases the effectiveness of data protection policies by raising awareness across the organization of the importance of privacy and security measures;
- reduces the cost of addressing problems such as loss or theft of laptops and mobile devices.
AlertSec provides a solid foundation on which to build your compliance program. Organizations are increasingly storing and sharing data via cloud-based services that provide good encryption and key handling. However, to protect the personal and sensitive data defined by the GDPR, you will need additional data security measures.
GDPR will require data to be protected wherever it may be stored, accessed or processed. GDPR will also require protection for a wider data set, to include hidden data such as digital identifiers, IP addresses and cookie IDs as well as a person’s name, address, Social Security number etc.
Therefore, encryption will need to cover the data you know about in documents and spreadsheets on computers, and the data you may not be aware of: background copies that are downloaded to the computer hard drive by apps even when processing cloud-based data; the copies shared between staff and third-party subcontractors on removable media; hidden data such as author details embedded in documents; IP addresses embedded in emails; and login credentials stored by browsers. This is where the AlertSec service plays a critical role.
AlertSec provides strong protection against accidental loss of all data on endpoint devices: on computers and removable media, in files and documents, embedded in emails and browsers. The AlertSec Service enables your organization to:
- encrypt all data on computers and removable media (USB sticks/drives etc.), which includes any embedded information and metadata on the device
- extend encryption to third party data processors and enforce data protection code of conduct agreements
- address many GDPR requirements for technical measures for integrity, confidentiality and protection against accidental loss of personal data
- enable data processors (service providers) to take appropriate security measures for data protection
- provide some organizational measures to support GDPR principles
- deploy and manage compliance through a cloud management tool
- demonstrate the adoption and implementation of data protection measures
GDPR is a significant upgrade and replacement for previous rules in the Data Protection Directive and introduces new data protection requirements on organizations inside and outside the EU.
The changes include (but are not limited to):
- Expanded geographic scope of EU regulations: organizations not based in the EU may still need to meet GDPR data protection requirements;
- New obligations on data controllers: for example erasing personal data if required (the “right to be forgotten”), and demonstrating the adoption of protection measures and privacy policies;
- New legal obligations for data processors (service providers): for example, being accountable for data breach notification and paying significant fines for non-compliance;
- Safe Harbor replacement by Privacy Shield: companies need to self-certify to join the new framework;
- New definitions of personal and sensitive data: compliance with other legislation such as HIPAA may not be sufficient for GDPR compliance;
- New trigger for breach notification: GDPR expands the definition of a breach to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
- Increased fines: data controllers and processors can be fined up to €20 million or 4% of total annual worldwide turnover for non-compliance.
This text focuses on the General Data Protection Regulation (GDPR) that will come into force in May 2018.
The information in this text is not exhaustive. Our aim is to provide an overview of the major changes that will be relevant to small and mid-sized businesses. There are some new GDPR obligations, such as the need to appoint a data protection officer and maintaining records of data processing activities, which are not covered below as they apply only to particular industry sectors, or to organizations with more than 250 employees.
Further references are provided at the end of this text where you can find further details about GDPR and the actions your organization needs to take to prepare for GDPR.
Many companies have already adopted data protection processes and procedures. However, the General Data Protection Regulation (GDPR) contains a number of new definitions, and expands the scope of legal obligations with the threat of very significant fines and penalties for non-compliant data controllers and processors.
Previously, EU data protection regulations only applied to organizations having a presence within the EU, or using equipment within the EU to process personal data. GDPR will apply not only to businesses based in the EU but also to businesses outside the EU that process personal data collected through offering services or products to EU citizens, or from hosting their data. It will be relevant where goods and services are directed to EU citizens.
Note that the UK government is expected to implement GDPR despite the UK’s decision to leave the EU (‘Brexit’). Organizations that process or host personal data of UK citizens will also need to comply with GDPR.
GDPR will bring a significant change for service providers (‘data processors’). Where previously only the controller was held liable for data protection compliance, GDPR will place direct legal obligations on data processors as well. As a result, data processors must take appropriate security measures and inform controllers of any data breaches suffered. Data processors also risk significant fines for non-compliance.
For details of the definition of ‘data controller’ and ‘data processor’, refer to GDPR Article 4.
There are seven fundamental principles of data protection and privacy at the heart of the GDPR. They are set out in Article 5 and are the principles that organizations need to address for compliance.
While many are similar to those in the previous Data Protection Directive (DPD), there are a number of new obligations and expanded definitions within those principles. As a result, compliance will require all organizations to adopt a much more rigorous approach to data protection than before.
The following table summarizes the seven principles. (For the complete descriptions, refer to: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/principles/.)
| Principle | Description |
|---|---|
| ‘Lawfulness, fairness, transparency’ | Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject |
| ‘Purpose limitation’ | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes |
| ‘Data minimisation’ | Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed |
| ‘Accuracy’ | Personal data shall be accurate and, where necessary, kept up to date |
| ‘Storage limitation’ | Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed |
| ‘Integrity and confidentiality’ | Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures |
| ‘Accountability’ | The controller shall be responsible for and be able to demonstrate compliance with these principles. |
As well as these seven data protection principles, there are other principles that have been introduced covering the rights of individuals and organizational accountability. These new principles include the rights of individuals to data access, the right to erasure (the “right to be forgotten”), and the principle of “privacy by design and default”.
Taken together, these principles emphasize that data security and privacy protection require more than a technical solution bolted on as an afterthought. Technical measures need to be supported by operating principles and data protection policies.
The overview below explains some of the key definitions and principles relating to data protection and compliance. This is not an exhaustive list and you should use the references provided to get more detail.
Previous rules of data protection covered the most obvious data – the kind stored in databases that could identify an individual, such as names, addresses, date of birth, Social Security number, photographs, an email address or bank details.
GDPR expands the definitions of ‘Personal Data’ and ‘Sensitive Data’ to include digital and online identifiers such as online location data, posts on social media, a computer’s IP address, genetic and biometric data.
For details of the definition of personal data, refer to GDPR Article 4.
For details of the definition of sensitive data, refer to GDPR Article 9.
This principle addresses data retention and is consistent with other data protection legislation: that personal data should not be retained for longer than necessary.
What is different is individuals’ “right to be forgotten” under which people have the right to erasure of personal data. Data Controllers need to be able to respond to and comply with requests for access and erasure where necessary. Controllers must notify any third parties with whom they have shared the relevant data that the individual has exercised those rights.
For details about individuals’ “right to be forgotten” refer to GDPR Article 17.
The GDPR sets out data security obligations for data controllers and data processors, whereby personal data must be protected against unauthorized access using appropriate organizational and technical measures. This goes to the heart of protecting the privacy of individuals.
Depending on the nature of the processing, these measures may include:
- encryption of personal data;
- on-going reviews of security measures;
- redundancy and back-up;
- regular security testing.
Data controllers and processors need to assess the risk to privacy, implement appropriate security for the data concerned and check on a regular basis that it is up to date and working effectively.
Relevant to this principle is another new individual right: the right to data portability. This gives people the right to see their personal data in an easily read format and to move, copy or transfer it from one IT environment to another in a safe and secure way. Controllers will need to control who can see data in clear text and enable that data to be moved in a safe and secure way; where it is technically feasible, they may be required to transmit the data directly to another controller (the “right of data portability”).
The right of data portability is detailed in GDPR article 20.
The new accountability principle makes controllers legally responsible for compliance, and requires controllers to be able to demonstrate compliance with the data protection principles. Accountability measures might include Privacy Impact Assessments, audits, policy reviews, activity records and in some cases appointing a Data Protection Officer (“DPO”).
Data controllers are required to implement appropriate technical and organizational measures not just at the point of processing but also in the design and maintenance of information systems and mode of operation for each organization. This might include having encryption as the default setting rather than a user-selected option, restricting the sharing of personal data with third parties, and implementing privacy enhancing codes of conduct and policies.
For details of the principle of ‘Privacy by design and default’, refer to GDPR Article 25.
The maximum fine for failing to comply with the regulation is 4 per cent of the previous year’s annual global turnover, or €20m ($22.5M), whichever is the higher. Mandatory notification of a breach applies to both data controllers and data processors.
In addition, data processors that have not complied with GDPR obligations are liable for damage caused to the data subjects.
For details about penalties, fines and liabilities, refer to GDPR Article 83.
GDPR contains a new definition of “personal data breach”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. This broad definition differs from other legislation, for example in the U.S. where a breach notification is triggered only upon exposure of information that can lead to fraud or identity theft.
GDPR makes data processors responsible for notifying any data breach to the controller without undue delay.
In addition, GDPR introduces a 72 hour deadline for data controllers to report a data breach. If the breach puts individuals at high risk, those individuals must also be notified ‘without undue delay’. This raises the risk of reputational harm to organizations suffering a data breach.
For details about notification of a personal data breach, refer to GDPR article 33.
Safe Harbor was designed for U.S. organizations that process personal data collected in the EU in order to assist with compliance with the EU Data Protection Directive.
In August 2016 the new program Privacy Shield was approved to replace the Safe Harbor program and allow the transfer of data from the European Union to the US. There are a number of differences between Privacy Shield and Safe Harbor, and organizations need to self-certify to join the framework.
For information about the Privacy Shield Framework see: https://www.privacyshield.gov/Program-Overview
The AlertSec Service provides data protection as a service. Instead of requiring the purchase of several individual components and needing to manage them separately, the AlertSec Service provides a single, policy-based, cloud-managed package of components that support your compliance requirements. The following modules and service features are available:
| Module / service feature | Description |
|---|---|
| Full Disk Encryption (FDE) | Automatic encryption for any digital personal or sensitive data on the computer. Ensures that only authorized users can access data on protected computers. AES-256 encryption for maximum protection, certification to FIPS 140-2, Common Criteria EAL4 and BITS. |
| Media Encryption/Port Control | Media Encryption automatically encrypts any personal data stored on removable storage media such as USB sticks and external hard drives based on policy. Data remains transparent to authorized users. Enables secure data sharing with other authorized users. Port control prevents use of unknown/unauthorized media on the computer, helping to prevent insecure movement of personal or sensitive data. |
| Compliance Check | Scans and checks all endpoints for compliance with pre-defined security policies, enabling demonstration of security software deployment and management of software update installation compliance. |
| Anti-Malware/Program Control | Malware detection and prevention using signatures, behavior blockers and heuristic analysis. Policy-controlled Program (application) Control can be configured to limit the applications that can be run on the system to only those that have been explicitly approved, helping to prevent threats to data integrity. |
| Firewall | Proactive policy-based protection: the firewall blocks targeted attacks and stops unwanted traffic, keeping data and systems safe. |
| Encryption for third parties | Monitor and enforce full disk encryption policies across third-party data processor service providers. Enables demonstration of security software deployment and management of software update installation compliance. |
| Two-factor authentication for administrators | Additional security for privileged administrator accounts on the AlertSec admin console, helping to prevent unauthorized access or changes to security policies. |
| Pre-boot authentication | Ensures that only authorized users will be allowed access to personal or sensitive data stored on the device. Prevents anything being read from the hard disk, including the operating system, until the user has provided valid login credentials. |
| Password management | Automatic locking of a user account after five failed login attempts, preventing unauthorized access. AlertSec help-desk processes for password reset and data recovery are designed to ensure devices are unlocked only for the authorized user. |
| Software development and support | AlertSec manages the ongoing development and release of security software updates to maintain maximum protection. Regular customer communications about security risks and good practice enable employee training and security policy assessments. |
Table 2 – AlertSec Service Features
GDPR will bring in significant, tougher regulations for data protection and organizations need to take action as soon as possible to understand the changes they need to implement. The following is a recommended but not exhaustive list of actions to start preparing for GDPR compliance:
- Know where data is stored, processed and shared:
  Arrange an audit of the personal and sensitive data that your organization holds, where it came from and who you share it with. This is essential to understand whether GDPR applies to your organization (e.g. if non-EU businesses are processing or sharing data about EU citizens); to understand where data is stored and how to retrieve and delete it where necessary; and to identify potential risks, for example through data sharing with third parties.
- Incident response planning:
  Prepare an incident response plan with clear policies defining the criteria for a potential breach and the reporting procedure. Provide employees with sufficient tools and training to identify actual or suspected breaches. Create an escalation procedure for promptly notifying the appropriate contact person. Ensure AlertSec is one of the key contacts in your escalation procedure so that the support team is alerted when a laptop or removable device has been lost or stolen.
- Technical measures for data security:
  Review the policies for each user group in your AlertSec system and check compliance.
  Review the available AlertSec services to maximize security and demonstrate compliance, for example:
  - Media encryption: this service is included with your AlertSec security package as standard. Provide training for employees and third-party suppliers to ensure that USB sticks are encrypted when sharing or moving data;
  - Pre-boot authentication: check whether pre-boot authentication should be implemented to support your corporate policies and update user policies as appropriate;
  - Encryption for Third Parties can help to support service provider compliance with your data protection codes of conduct;
  - Two-factor authentication for administrators can strengthen protection against unauthorized access to the AlertSec admin console.
  Review backup and archiving policies to ensure data is deleted when it is no longer needed.
- Organizational policies and measures:
  Employees must be trained and equipped to protect data. Provide appropriate and regular training for all employees who process personal data. Ensure employees and service providers know how to respond to requests from data subjects, know how to recognize and respond to a potential data security incident, and understand their obligations relating to data security and privacy.
  Use the regular customer communications from AlertSec to support employee training, to raise service provider awareness, to inform executives of changing cyber-security threats and risk mitigation advice, and to keep data protection and security at the forefront of everyone’s minds.