How will the EU’s GDPR set a higher data security standard?

By mid-2018, global organizations doing business in Europe will need to comply with a new data security regulation known as the General Data Protection Regulation (GDPR). In light of recent high-profile data breaches, the GDPR is a much-needed revision of the EU’s 1995 Data Protection Directive 95/46/EC. It establishes new best practices for organizations doing business in the EU.

While it is a European Union regulation, the GDPR applies to any organization in the world doing business with residents of the union. Like the previous Data Protection Directive, the GDPR sets a high bar for data protection. It provides a new baseline for other nations looking to guard against future data breaches. However, it is not without controversy.

Regulation goals

One goal of the new legislation is to give citizens/end users control over personal data. This is a radical departure from the U.S. perspective, which has resisted limits on data collection. For example, the recent Senate decision to allow internet providers to sell usage data. This fundamental difference—that the user is in control, not the organization collecting the information—may make it hard to reconcile with other nations.

Another goal is to reduce the number of data breaches. For example, last April’s data breach at Wonga, a payday loan service, affected 245,000 customers in the United Kingdom. Or the October 2015 Talk Talk data breach affecting 157,000. The latter resulted in a record £400,000 fine.

The right to erasure

One of the hallmarks of the EU’s original data protection directive is the right to be forgotten. Under this policy organizations collecting data must comply when a customer requests that all their personal data—that’s right, all their data—be deleted. This was legally tested and validated in 2014 by the European Court of Justice in its affirmative Google Spain v. AEPD and Mario Costeja González decision.

The GDPR expands on this concept. Under the new regulation, organizations must erase personal data “without undue delay” if:

• The data is no longer needed,
• the data subject objects to the processing, or
• the processing of the original data was unlawful.

At the same time, the General Data Protection Regulation limits what can be erased. The right to erasure must balance against:

• Freedom of expression
• The public interest in health
• Scientific and historical research
• The exercise or defense of legal claims

Encryption debate

Another controversial element is the emphasis that the GDPR places on encryption. In the wake of recent terrorist actions, the British government has suggested a backdoor be installed on all web encryption. U.S. Congress has suggested a backdoor for mobile phones. Security expert Bruce Schneier points out that if one nation bans or compromises encryption, the rest of the world will not.

From an InfoSec point of view, encryption is not political. It addresses the confidentially part of the C-I-A pyramid. Encryption is the cornerstone of e-commerce, e-health, and mobile banking. Using the latest algorithms, with the strongest keys, is a good security practice.

Pseudonymization

The GDPR encourages the active replacement of actual data with placeholder data, what it refers to as pseudonymization. What this means is that actual data (e.g., customer name, address, phone number) is somehow transformed such that the resulting data cannot be attributed back to its source without a key. For example, a customer name “John Smith” might become “Ox5eQ bE3s23” under pseudonymization. Encryption would satisfy this requirement in addition to tokenization.

A token, like the gibberish cited above, has no real value except as a place holder. Mobile services like Apple Pay, Samsung Pay, and Google Pay currently tokenize mobile transactions so that the actual credit card number stays secure with them; the merchant sees a randomized number standing in for the specific transaction. Any large database can also use tokens, replacing annual sales or budget figures with placeholder data.

Data breaches

The main point behind the General Data Protection Regulation is to reduce the number of large data breaches in the EU. Should an organization experience a data breach, one that exposes information on any EU citizen, that event must be reported to the supervisory authority within the first 72 hours. Individuals may then be notified if personal risk is determined.

Breach disclosures do not have to include individuals if the data is properly encrypted or pseudonymized. The idea here is that without the key, the attacker won’t be able to decrypt the stolen data. This is like data breach laws in the United States. However, the laws vary and don’t exist in every state. At the moment, only 48 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have laws. California’s data breach law is considered the strictest in terms of disclosure to affected customers.

Data protection by default

The General Data Protection Regulation also requires that enterprises adopt data protection designed into the development of business processes for products and services. The data protection by design and by default section of the GDPR requires that privacy settings must be set at high levels throughout the life cycle of handling any customer data.

A document by ENISA (the European Union Agency for Network and Information Security) describes some best practices for data protection by default. For example, encryption and decryption must be done locally, not in the cloud. This also keeps the keys with the data owner, and not a third party.

Penalties

The risk to organizations not following the General Data Protection Regulation is nontrivial. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). Also note that the “cloud” will not be exempt from the penalties.

Penalties can also be assessed for not having privacy by design, or notifying the supervisory authority of a data breach within the proscribed time period.

Nothing is perfect

The General Data Protection Regulation is just one of many models. As security is always a moving target, changes in the threat landscape tomorrow will require new models. As a baseline, there is always still room for improvement. What’s interesting is that U.S. companies like Amazon and Google are already abiding by the existing EU directive, and must abide by the new regulation starting in May 2018. So why aren’t they pushing for similar standards in the United States and in other markets?

Given that organizations are only as secure as their weakest link, it makes sense that multinational organizations comply with the stricter regulations in all their locations. Not just in those countries that require it. Similarly, if organizations won’t do it, then countries should be looking to each other and improving their own laws in accordance with these new best practices.