Now that a new year is upon us, we must remember that this is the year the General Data Protection Regulation (GDPR) supersedes Directive 95/36/EC. The new regulation will take effect May 25, 2018. In other words, this is the date by which organizations must be compliant.
GDPR applies to the processing of personal data of people in the EU by businesses operating in the EU. It’s important to note that GDPR doesn’t only apply to firms based in the EU—it applies to any organization providing a product or service to residents of the EU.
The new regulation applies to a wider selection of data than Directive 95/36/EC. Under GDPR, any data that could be used to identify an individual is protected (e.g., IP addresses, social media handles, and mobile device identifiers). There are also special provisions for biometric and genetic data. As with Directive 95/36/EC, pseudonymized data (i.e., data without direct reference to a named individual) is still in scope, though GDPR recognizes that the risks to individuals are reduced when data is pseudonymized.
Organizations defined as data processors also have obligations. Even if they process data only on behalf of a data controller, they are accountable for protecting that data, they must report breaches, and they can be fined if found to be noncompliant.
When a data controller becomes aware of a breach, it must notify its supervisory authority within 72 hours.
Every organization in scope must appoint a data protection officer, who acts as a data protection specialist and is responsible for ensuring compliance. Organizations must document what data they collect and process and why. They must not retain data that has no purpose for them.
It is critical for organizations to demonstrate that they have the consent of a data subject to process the subject’s data. Subjects must give their consent freely, and any written declarations must use plain language that can be understood easily. The subject can withdraw this consent at any time, and the company must be able to remove the subject’s data from all its systems. This rule is often referred to as the “right to be forgotten.” For children, data can be processed only with the consent of a parent or legal guardian. Data subjects are also entitled to make subject access requests to organizations that hold their data, for free.
If an organization is found noncompliant, the relevant supervisory authority will determine the exact level of penalty. This authority will consider several factors when determining the penalty, such as the seriousness of the infringement and whether the firm is deemed negligent. It will also consider whether the organization took steps to prevent a breach.
The largest fines will be imposed on organizations that haven’t even attempted to comply with GDPR. The maximum fine is either €20 million or 4% of the organization’s worldwide annual turnover, whichever is higher.
There were about 5,000 publicly disclosed data breaches in 2017 alone, so the impact of such a breach is well understood at this point. If an organization doesn’t have the basics right yet (application security, network security, database security, access management, and so on), clearly it is willing to incur the cost of an everyday data breach. But the cost of GDPR fines could put it out of business.
To avoid GDPR fines, an organization needs to communicate these points:
At any given time, organizations may have hundreds or thousands of software, network, configuration, and other security defects but decide not to fix those that are low or medium severity. The introduction of GDPR may change the defect severity ranking; what was once a medium- or low-ranked vulnerability may now become high. You will need to review your security defects through the lens of the impact that GDPR has on your organization.
Here are some actions to consider:
Once an organization determines what data it will process and why, it is essential to implement both organizational and technical controls to protect that data. The onus thus falls on the owner of the software that will process, store, and transmit the data. It is the responsibility of the software’s owner to implement the correct technical and organizational controls to adhere to GDPR. Designing and implementing appropriate protections, including pseudonymization, encryption, and access control, is critical.
GDPR aligns with the Synopsys goal to build security in. In fact, the title of GDPR Article 25 is “Data protection by design and default.” When it comes to determining noncompliance—and the fines imposed for such—the supervisory authority will consider whether and how an organization has tried to be compliant. It follows that software built to protect data by design should help reduce the risk of large penalties.
Organizations with mature business process will be OK provided they look at their applications and processes through the GDPR lens and understand what risks exist in the new world.
An important and complex regulation, GDPR seeks to protect people from the exploitation, loss, or use of their data without their consent. Complying with certain aspects will require additional work, but organizations already taking data protection seriously should experience a natural progression in their software security program rather than a total overhaul. Organizations that build software that processes personal data need to ensure that data protection, and therefore security, is built into that software.
Stephen Gardner is an associate managing consultant at Synopsys. He studied physics at Durham University before starting a career in software security. Stephen has experience growing an application security program at one of the UK’s largest firms. His primary technical focus is secure design, leading security implementation assessments in a wide variety of software. In his spare time, Stephen can be found hiking, road biking, or engaged in a lively topical discussion over a good pint of ale.