What does GDPR enforcement mean for your business?

Avoiding GDPR penalties for noncompliance

If an organization is found noncompliant, the relevant supervisory authority will determine the exact level of penalty. This authority will consider several factors when determining the penalty, such as the seriousness of the infringement and whether the firm is deemed negligent. It will also consider whether the organization took steps to prevent a breach.

The largest fines will be imposed on organizations that haven’t even attempted to comply with GDPR. The maximum fine is either €20 million or 4% of the organization’s worldwide annual turnover, whichever is higher.

There were about 5,000 publicly disclosed data breaches in 2017 alone, so the impact of such a breach is well understood at this point. If an organization doesn’t have the basics right yet (application security, network security, database security, access management, and so on), clearly it is willing to incur the cost of an everyday data breach. But the cost of GDPR fines could put it out of business.

To avoid GDPR fines, an organization needs to communicate these points:

• This is what we’re doing to comply with GDPR.
• This is what we’re doing not to run afoul of compliance.
• This is what we’re doing to have a reasonable story to tell even when something bad does happen.

GDPR in relation to software security

At any given time, organizations may have hundreds or thousands of software, network, configuration, and other security defects but decide not to fix those that are low or medium severity. The introduction of GDPR may change the defect severity ranking; what was once a medium- or low-ranked vulnerability may now become high. You will need to review your security defects through the lens of the impact that GDPR has on your organization.

Here are some actions to consider:

• Establish a data inventory.
  • Who owns the data?
  • Who touches the data?
• Identify where EU data resides.
• Backups (tape, Iron Mountain, etc.)
• Ephemeral/temporary storage (how to guarantee secure erasure?)
• Transactional data in a database transaction log
• Other
• Inventory applications that interact with EU data.
• Account for deployment models.
  • On-premises
  • Cloud
  • Hybrid
• Rethink data storage.
  • Consider functional changes to the applications to avoid violating GDPR

Once an organization determines what data it will process and why, it is essential to implement both organizational and technical controls to protect that data. The onus thus falls on the owner of the software that will process, store, and transmit the data. It is the responsibility of the software’s owner to implement the correct technical and organizational controls to adhere to GDPR. Designing and implementing appropriate protections, including pseudonymization, encryption, and access control, is critical.

Summing it up

GDPR aligns with the Synopsys goal to build security in. In fact, the title of GDPR Article 25 is “Data protection by design and default.” When it comes to determining noncompliance—and the fines imposed for such—the supervisory authority will consider whether and how an organization has tried to be compliant. It follows that software built to protect data by design should help reduce the risk of large penalties.

Organizations with mature business process will be OK provided they look at their applications and processes through the GDPR lens and understand what risks exist in the new world.

An important and complex regulation, GDPR seeks to protect people from the exploitation, loss, or use of their data without their consent. Complying with certain aspects will require additional work, but organizations already taking data protection seriously should experience a natural progression in their software security program rather than a total overhaul. Organizations that build software that processes personal data need to ensure that data protection, and therefore security, is built into that software.