As we enter the New Year, IT and security leaders have most likely been glued to revelations of major new CPU-level vulnerabilities Meltdown and Spectre, described by researchers as among the “worst ever” discovered. However, there’s arguably an even more pressing concern, not just for IT but the entire organisation: GDPR compliance. There are now just over four months to get your house in order before the sweeping new EU regulation formally comes into force on 25 May.
Regulators will be given the power to levy fines of up to 4% of global annual turnover or £17m, whichever is higher. While such sums are unlikely for most organisations they should serve as a reminder that all firms must take their data protection responsibilities seriously.
A helping hand
At Centrify, we’ve been helping to make sense of this extensive piece of new legislation in a monthly blog series, focusing on a different part of the law each time. Our first blog explained the scope of the GDPR, while the second addressed the first key step organisations should take: data mapping. Our third blog covered Brexit and its impact on the GDPR, followed by a fourth focusing on data flows, and a fifth which looked at the related NIS Directive. We’ve also looked at how internationally recognised standards can help with compliance efforts.
The new regulation is fundamentally designed to empower EU consumers with new rights and protections relating to their personally identifiable information (PII) and how it is used and stored. For organisations, this means a host of rigorous new requirements around how they use, secure, manage and obtain consent to use that data.
A New Year Checklist for Compliance
As we head into the New Year, here’s a quick checklist of activities to help accelerate your compliance efforts:
- Internal privacy team: ensure you include experts from all relevant parts of the business, from legal to IT and HR to procurement. A Data Protection Officer (DPO) should also be appointed in many cases to oversee compliance.
- Data classification: this vital first step will tell you what data you’re using, where it resides and where it flows. With this information you can work out if your security controls are adequate or need updating.
- Data protection: is a core component of the GDPR and crucial to get right in order to prevent damaging breaches. Follow industry best practice security measures such as multi-factor authentication (MFA), more of which below.
- Breach notification: is another key requirement, so ensure you have the right tools and incident response plans in place to detect and notify within 72-hours of discovery.
- Privacy notices: these will most likely need updating.
- Review policies, processes and procedures: to comply with the raft of new rights protected by the GDPR, including the right to erasure, data portability and access.
- Identify and document the lawful basis for all data processing: in order to comply with the GDPR’s “accountability” principle.
- Seeking, recording and managing consent: processes detailing how you do this will also need updating.
- Privacy Impact Assessments (PIAs): may be required for new projects to comply with principle of privacy-by-design.
- GDPR is global: and applies to any organisation processing data on EU citizens, including the UK post-Brexit. Choose a lead data protection supervisory authority where your main HQ is, and be aware that strict rules govern where you or your data processor can transfer data to internationally.
Taking a Zero Trust Approach
As mentioned, the GDPR is not all about data protection, but it’s certainly a key component. In fact, the regulation can be seen in part as an attempt by European lawmakers to minimise the number of damaging data breaches that have plagued organisations across the globe for the past decade.
Article 32, which deals with the security controls organisations must put in place, does not talk in specifics, aside from mentioning encryption and pseudonymisation technologies. But it’s clear that regulators expect organisations to show they have their customers’ best interests at heart by following industry best practices. These “appropriate technical and organisational measures” should take account of the “state of the art,” it adds.
The discovery in December of a database of 1.4 billion breached passwords on a dark web site should serve as yet another reminder that identity and authentication remain the key to best practice security. Static password/username combinations are no longer fit-for-purpose: they allow attackers to steal, crack or guess their way into customers’ accounts and — even worse — they also expose corporate accounts to compromise.
At Centrify we espouse a Zero Trust Security model which assumes that all users, endpoints and resources are untrusted and must always be verified to reduce the risk of a breach. In a modern, hybrid cloud world, this means verifying identity at the application layer, rather than the network perimeter layer, with tools that support open scalable standards like FIDO. Consider risk-based MFA, single sign-on (SSO) and a least privilege access policy at the bare minimum to help assure GDPR regulators that you’re following industry best practices.
Stay tuned to our monthly GDPR blog series running until May for more useful tips on how to keep the regulators happy and consumer data safe and secure.