In our work with clients on the General Data Protection Regulation (GDPR) (Regulation [EU] 2016/679), we have generally not seen organizations accomplish full compliance all at once. Instead of one big project, we’ve seen the work handled a little at a time. One client said they were just “chipping away at the stone,” which reminded me of a tune I hadn’t heard in a long while from Aerosmith: “Chip Away the Stone” (a very underplayed song, by the way, for how good it is, with the B-side live version even better. Click on the link or go to YouTube to listen to it… You won’t be sorry). With only 20% of organizations compliant by the deadline of May 25, 2018, you’d better get-a-chippin’.
You keep a wall all around ya
If you’re like many organizations, you’ve been feeling a little better lately about your security program. There is a lot of room for improvement of course, but at least you:
- Are on top of your penetration tests – You’ve implemented some cool new “Next Gen” tools, so you’ve completely detected and stopped any novice pen testers. You realize that you have to step it up next time so the company actually gets some value, maybe by bringing in the folks who contributed to Metasploit and the Pen Tester’s Framework (PTF) and who publish the Social-Engineer Toolkit (SET) and several GitHub repositories and tools.
- Have been getting a portion of what you need for a budget by presenting a good business case based on risks identified from TrustedSec’s Risk Assessment.
- Were PCI compliant until the latest controls came out, but fortunately you got that clarified in TrustedSec’s last webinar.
So just when you were catching up, here comes the GDPR — now with “extra-territorial applicability!” And in an instant, all that progress and well-being has turned to feelings of bitterness and anger about another onerous regulation.
(They’re) sittin’ so cool and nonchalant, draggin’ on a cigarette
The European Union rolled this regulation out with some huge fines (4% of revenue or €20 million, with strict rules to go along with them) in order to protect and empower all EU citizens’ data privacy. The citizens (or more specifically “Data Subjects”) have rights such as the right to be forgotten, the right of access to their information, the right to be notified of a breach within 72 hours, and the right of data portability.
They also have rights over how you conduct business! They have the right to expect that you build “privacy by design” into your organization, and the right to force you to appoint a Data Protection Officer.
GDPR also uses a very broad definition of personally identifiable information, which includes:
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
Push, don’t shove…
If you’re not just hoping this will go away, it’s going to take some interpersonal skills (such as leadership, communication and relationship building) to get there as this will include many areas of your organization. You’re going to need all of your soft skill training to ensure they don’t shoot the messenger.
First off, you must appoint a Data Protection Officer (DPO) as a single point of contact (don’t everyone stand up all at once). Again, this endeavor is going to impact many business processes, so you’ll be including C-level execs, maybe even up to the CEO in your efforts.
And this is not something a company can just insure away or give to your lawyers to deal with. GDPR explicitly states that there will be “No more hiding behind long, complicated legalese when requesting consent to collect data. If your (customer rights) form isn’t both ‘intelligible’ and ‘easily accessible,’ you’re violating the law.” Thus, you’ll need to sit down with your legal counsel and ask them for their input.
When discussing GDPR with other executives, they (i.e. most likely you) will need to answer questions such as:
- What data (and data flows) are impacted?
- Who is the data about and do they reside in Europe?
- Can a breach harm the individual?
- Can we determine how the breach happened?
- Who do we notify and how?
- How will this impact our marketing messages and proposal templates?
- Who is going to be accountable, and potentially lose their job?
- Do we want to start a new business line or regional expansion with these restrictions?
These questions aren’t easy, so how should you go about addressing them?
Chip away, chip away at the stone
Boiling it down, there are five (5) major areas of GDPR that you must address:
1. Data Flow and Inventory
A data flow illuminates the path of information through the business throughout its life cycle to determine the existence and accuracy of data classification (i.e. Where is it? How does it move from system to system?). Once this is done, you can perform an access management assessment to determine which accounts (user and privileged) have access to privacy data.
2. Data Protection Impact Assessment (DPIA)
While there is overlap with the other four areas, the DPIA has 99 articles centered around “a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued.” It should primarily assess the necessity and proportionality of the processing operations in relation to the purpose it’s used for.
It should also look at whether you’re building “Privacy by Design” into all of your systems and data management practices, along with a gap/readiness checklist of control items and the roles and responsibilities across the full 99 articles.
3. Risk Assessment
While this is called out in the DPIA, I’ve put this as a separate task since it’s so critical to the organization and addresses so many other needs. GDPR states that you must have:
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
This must start by analyzing information gathered from business leaders and the security assessment of networks, policies, and procedures to develop a plan of strategic and tactical security countermeasures.
A risk assessment also must closely tie in security controls testing to include threat analysis and adversary simulations looking for technical and human vulnerabilities from social engineering to reduce the risk that an attacker can gain access to this critical data.
The testing outlined here is more closely aligned with Red Teaming, as there is a goal of getting at personally identifiable information (PII). GDPR specifically calls out adversarial (attack) simulation, and, as part of the breach prep below, it should test the organization’s detection and response capabilities.
4. Policies and Processes
It’s tedious, but certainly critical, to show that you’re not negligent by updating your existing IT and security policies and procedures to reflect GDPR expectations for Data Subject Rights. As we all know, it can’t stop there. We have to look at the processes so that we can actually operationalize that policy. That means working with business units to discover, classify, safeguard, and monitor sensitive data.
5. Breach Prep
Preparing for a breach revolves around Incident Response Planning and Testing of that plan. Therefore, it’s important to start by updating your incident response procedures, especially as they pertain to a potential breach of privacy information. This also includes reviewing and updating your logging and monitoring controls to ensure that your teams are notified immediately of inappropriate attempts to access sensitive data sets.
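As an added illustration of the logging and monitoring point above (this is example code written for this post, not TrustedSec’s tooling), the script below runs a simple detection over a handful of constructed access-log lines. The log format, the data-set registry, the account names and the bulk-read threshold are all assumptions; the idea is that once the data inventory tells you which data sets hold personal data and who is entitled to them, an alert on any other account touching them, or on an entitled account pulling an entire table, is a cheap, high-signal control.

```python
"""Flag inappropriate access to sensitive data sets from access-log lines.

Added example (not from the original post). The log format, data-set names,
account names and thresholds below are all constructed for illustration.
"""
import re

# Constructed registry: which data sets hold personal data, and which accounts
# are entitled to read them. In practice this comes from the data inventory.
SENSITIVE_DATASETS = {
    "crm.customers": {"svc_crm", "analyst_jdoe"},
    "hr.employees": {"svc_hr"},
}

# Reads of at least this many rows in one request are treated as a bulk export.
BULK_ROW_THRESHOLD = 1000

# Constructed log format: "<ts> user=<account> action=<verb> dataset=<name> rows=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"dataset=(?P<dataset>\S+) rows=(?P<rows>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for noise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    return rec


def detect(lines):
    """Return a list of (rule, user, dataset, ts) alerts over the given lines."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently trusted
        dataset = rec["dataset"]
        if dataset not in SENSITIVE_DATASETS:
            continue  # only privacy data sets are in scope for this rule
        user = rec["user"]
        if user not in SENSITIVE_DATASETS[dataset]:
            # Any touch of personal data by an unentitled account is reportable.
            alerts.append(("unauthorized_access", user, dataset, rec["ts"]))
        elif rec["action"] == "read" and rec["rows"] >= BULK_ROW_THRESHOLD:
            # Entitled, but pulling a whole table is what exfiltration looks like.
            alerts.append(("bulk_export", user, dataset, rec["ts"]))
    return alerts


# Constructed sample log lines.
SAMPLE_LOG = [
    "2018-05-25T02:14:07Z user=svc_crm action=read dataset=crm.customers rows=12",
    "2018-05-25T02:15:31Z user=intern_x action=read dataset=crm.customers rows=5",
    "2018-05-25T02:16:02Z user=analyst_jdoe action=read dataset=crm.customers rows=48210",
    "2018-05-25T02:17:45Z user=svc_hr action=update dataset=hr.employees rows=1",
    "2018-05-25T02:18:10Z user=svc_web action=read dataset=web.sessions rows=300",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running it on the sample yields two alerts: the intern reading the customer table, and the entitled analyst reading all 48,210 rows of it. The ordinary service-account reads and the non-sensitive session table produce nothing, which is what keeps a rule like this actionable for the team that has to answer the page.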
If hammer I must, I’m gonna get through your crust
GDPR truly compels action. One area of concern could be a “right to be forgotten storm,” i.e. thousands of data subjects asking you to erase their records all at once. If your organization doesn’t have automated and auditable processes to find, delete, and verify data erasure at scale, you could have a large issue on your hands, and slow, manual approaches won’t work.
Therefore, don’t be afraid to get help from third-party assessors to walk you through it. On the bright side, GDPR can be used to help build your security program and align it to the business needs. It also helps get a seat at the table on new initiatives by working in several areas of the company, not just IT (i.e. Legal, HR, Marketing, Operations, etc.).
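To make the “find, delete, and verify at scale” requirement concrete, here is an added example (written for this post, not code from the original or from any real system) of a batch erasure routine. It uses an in-memory SQLite database with a constructed schema; the table and column list that says where a subject’s data lives is assumed to come from the data inventory built in step 1. For each request it counts what it found, deletes it, re-counts to verify nothing remains, rolls back if verification fails, and writes a digest-protected audit row so that an auditor can later prove what was erased and when.

```python
"""Auditable batch erasure of a data subject's records across tables.

Added example (not the original post's code). The schema, table names and
subject ids are constructed; a real system would replace the SQLite sandbox
with its actual data stores, driven by the data inventory.
"""
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Constructed inventory: every table/column that keys personal data to a subject.
# These names are a fixed internal list, never user input, so they are safe to
# splice into SQL below; the subject id is always bound as a parameter.
SUBJECT_LOCATIONS = [
    ("customers", "id"),
    ("orders", "customer_id"),
    ("support_tickets", "customer_id"),
    ("marketing_consent", "customer_id"),
]


def build_sample_db():
    """Create an in-memory database populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    c.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL)")
    c.execute("CREATE TABLE support_tickets (id INTEGER PRIMARY KEY, customer_id INTEGER, body TEXT)")
    c.execute("CREATE TABLE marketing_consent (customer_id INTEGER, opted_in INTEGER)")
    c.execute("CREATE TABLE erasure_audit (subject_id INTEGER, completed_at TEXT, detail TEXT, digest TEXT)")
    c.executemany("INSERT INTO customers VALUES (?, ?)",
                  [(1, "a@example.com"), (2, "b@example.com"), (3, "c@example.com")])
    c.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                  [(10, 1, 19.99), (11, 1, 5.00), (12, 2, 42.00)])
    c.executemany("INSERT INTO support_tickets VALUES (?, ?, ?)",
                  [(100, 2, "login issue"), (101, 3, "refund")])
    c.executemany("INSERT INTO marketing_consent VALUES (?, ?)", [(1, 1), (3, 0)])
    conn.commit()
    return conn


def locate(conn, subject_id):
    """Find how many rows reference the subject in each inventoried location."""
    counts = {}
    for table, col in SUBJECT_LOCATIONS:
        row = conn.execute(f"SELECT COUNT(*) FROM {table} WHERE {col} = ?", (subject_id,)).fetchone()
        counts[table] = row[0]
    return counts


def erase_subject(conn, subject_id):
    """Find, delete and verify erasure of one subject, then write an audit row.

    Returns the audit detail dict. Raises RuntimeError if verification fails,
    rolling the transaction back so nothing is left half-erased.
    """
    before = locate(conn, subject_id)
    try:
        for table, col in SUBJECT_LOCATIONS:
            conn.execute(f"DELETE FROM {table} WHERE {col} = ?", (subject_id,))
        after = locate(conn, subject_id)  # verification step: must all be zero
        if any(after.values()):
            raise RuntimeError(f"verification failed for subject {subject_id}: {after}")
        detail = {"subject_id": subject_id, "deleted": before, "remaining": after}
        payload = json.dumps(detail, sort_keys=True)
        # Tamper-evident digest lets an auditor check the record was not edited.
        digest = hashlib.sha256(payload.encode()).hexdigest()
        conn.execute(
            "INSERT INTO erasure_audit VALUES (?, ?, ?, ?)",
            (subject_id, datetime.now(timezone.utc).isoformat(), payload, digest),
        )
        conn.commit()
        return detail
    except Exception:
        conn.rollback()
        raise


def erase_batch(conn, subject_ids):
    """Process a burst of erasure requests, recording a per-subject outcome."""
    results = {}
    for sid in subject_ids:
        try:
            results[sid] = erase_subject(conn, sid)["deleted"]
        except RuntimeError as exc:
            results[sid] = str(exc)  # keep going; one failure must not stall the queue
    return results


def audit_is_intact(conn):
    """Recompute every audit digest; False if any audit record was altered."""
    for detail, digest in conn.execute("SELECT detail, digest FROM erasure_audit"):
        if hashlib.sha256(detail.encode()).hexdigest() != digest:
            return False
    return True


if __name__ == "__main__":
    db = build_sample_db()
    print(erase_batch(db, [1, 2, 999]))
    print("audit intact:", audit_is_intact(db))
```

Two design choices matter here. Verification is a separate re-query after the delete rather than trusting the delete’s row count, because the point is to be able to demonstrate to a regulator that the data is gone, not that a statement ran. And a request for a subject that matches nothing (id 999 above) still produces an audit row with zero counts, since “we looked and found nothing” is itself evidence you will want when the request is questioned later.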
And since this will continue through the “digitization” that transforms businesses to the Internet of Things (IoT), look for more meetings with the CEO and greater responsibility in your organization. Yet, no matter where you are in the process, it’s time to get after it and make sure you “won’t stop.”
Author: Stephen Marchewitz
Stephen has been in the security and risk industry for over 13 years and in IT for over 20 years. He has assisted companies in driving change to ensure clients are successful both in receiving value from products and services as well as managing the security and compliance risks of new projects and technologies. He’s served as an outsourced Chief Information Security Officer for a dozen different companies and consulted to some of the largest companies in the world. Prior to joining TrustedSec, Stephen was the Global Risk Practice Manager in the Digital Transformation Group at Cisco, President and Advisory Practice Lead for a leading information security firm for nine years, a Management Consultant with Ernst & Young, held Technology Management and sales positions with CA and Oracle, and developed new offerings in the insurance industry as an Underwriter and Program Director with Willis Coroon/Chubb in underwriting risk. He is dedicated to helping customers implement the right solutions and services that best meet their business needs, thus allowing them to achieve new levels of success.