GDPR – What security pros need to know about the new era of privacy regulations

Many security professionals no doubt have heard of the new European Union (EU) omnibus data protection regulation called GDPR. GDPR, which stands for the EU General Data Protection Regulation, is in many ways a landmark regulation when it comes to the protection of personal data inside the enterprise. Not only does it introduce possible fines that can reach a head snapping 4% of global revenue, but it also enshrines a set of fundamental data rights for consumers and commensurate obligations for the companies that collect and process personal data of EU residents.

For security professionals more versed in the technology minutiae of cyber detection and defense, any whiff of privacy will likely earn only the most passing of glances. After all, privacy historically has been the domain of lawyers who cared more for policy and process and less for product. Privacy was a thing apart from security with more ambiguous aims and indefinite consequences.

99 problems and privacy ain't one

GDPR is any many ways at the vanguard of a new set of national privacy regulations now numbering 124, that aim to change organizational views and behaviors when it comes to personal data. Stretching to 99 articles, the GDPR legislation is not meant for easy consumption. However, within its many pages the framers set down a number of requirements for the protection of personal privacy and data that can only be achieved through data protection and governance product.

GDPR forces companies to be accountable to their employees and customers through better accounting for the data those organizations collect and process. In fact, GDPR inverts the traditional corporate view of personal data; it codifies the concept that the data belongs to the individual and that companies are only custodians of the information. Individuals retain their legal rights to the data and protections around the data usage even while the data is under the stewardship of the corporation.

This creates challenges for corporate IT of course since organizations don't keep a detailed ledger of what data they collect and process. Big Data after all is not detailed Data. Worse, the new rules broaden the definition of what is identifiable and personal. Any data that can be mapped to a user under GDPR is personal information. This includes data that is encrypted. It also includes data like GPS coordinates and even dynamic IP addresses that have previously never been viewed as identifiable or personal. In the new conception of Personal Information (PI), organizations don't just have a charter to know their PI, they are obligated to know all their personal data.

[Related: General Data Protection Regulation (GDPR) requirements, deadlines and facts]

Navigating GDPR without a map

There is an old aphorism in security that you can't protect what you can't find. PI unaccounted is not invisible, it's just vulnerable. Knowing what personal data an organization has is the first step to meeting GDPR compliance obligations. It also happens to be a necessary step to protecting and governing the most important asset a modern organization has: its customer data.

GDPR is not the first regulation to place responsibility on companies for finding and managing types of data. PCI DSS did this for payment card information. HIPAA did this for personal health information. GDPR and similar rules around the world, however, broaden this obligation to all personal data. In the vernacular of the industry it requires organizations to map their personal information. But mapping under GDPR is not just another classification exercise. It also requires the organization to inventory or correlate the data back to an individual, a country of residence, consent, purpose of use and more. Under GDPR it's not enough to just know the data content; it's also essential to know the context of the data.

The reason becomes easier to understand when you do dig into some of the more attention grabbing obligations. Under GDPR and many similar laws, EU residents have a right to access their data; they have a right to port their data; they have a right to rectify their data; and they have a right to erase their data. Clearly it is impossible to deliver on any of these personal data rights without first knowing what data belongs to whom. This is a data mapping and inventorying (by data subject) challenge.

Under GDPR, organizations are obligated to document how data comes into the organization, gets processed and get disposed. This requires an ability to map the flows of data. Clearly this can be done without product using interviews and drawing tools. However, without product it will be impossible to map to the actual data and maintain the necessary documentation in an evolving organization.

Under GDPR, like many countries around the world, there are requirements for companies to identify a breach and notify affected individuals within a limited time frame. Again, to do this within the timeframes set down requires an organization to map their data and understand residencies by country and state to determine legal obligations. This can only be affected through mapping and inventorying by residency of personal data.

These examples are just a limited number of the rules that require a detailed map or atlas of the personal information organizations collect. Certainly these maps would be hard to impossible to achieve using the technologies developed in previous eras to address prior regulations like PCI or HIPAA. But fortunately for companies, Big Data and machine learning give rise to new possibilities for finding, mapping and inventorying personal information in the enterprise.

Privacy vs protection: a difference without a distinction

For security professionals habituated to think in terms of data protection, privacy at first blush may seem an unnatural thing to concern one's self about. However, as made clear by the regulation's name choice, GDPR is very much about Data Protection. It is about the safeguarding of an individual's data and the protection of that data against loss, abuse and misuse.

For security professionals it raises the bar for governing data in the organization. It sets down a set of markers for how data must be accounted for, managed, analyzed, shared or processed in any way. But rather than looking upon this as a burden, organizations should rightfully view this as an opportunity to better know their customers by knowing their data.

Customers are the lifeblood of any modern digital business and therefore, safeguarding that data is essential to the success of the modern enterprise. Customers buy from companies they trust and companies that can't protect their most important asset i.e. their customer data, can't guarantee the loyalty of those customers.

For the past decade, the only approaches to protecting identity data have been indirect (endpoint, network, application, cloud, server but not PI) and therefore increasingly unsuccessful. GDPR and similar global privacy regulations elevate the importance of PI in the enterprise. And just like Sarbanes Oxley ushered in indispensable security innovations like SIEM and IAM, GDPR will ultimately give organizations tools to better know and protect their customers by knowing and protecting their data.