GDPR law applies to all companies that collect and process data belonging to people in the European Union (EU). You have every reason to take it seriously, because failure to comply will be costly.

The General Data Protection Regulation (GDPR) is in the news these days, for good reason. This sweeping new law applies to all companies that collect and process the personal data of people in the European Union (EU), even if the processing is done outside of the EU. (The regulation speaks of data subjects who are in the Union; it is not limited to EU citizens.) This includes companies with operations in the EU and/or a web site or app that collects and processes such data. Key areas of the legislation cover privacy rights, data security, data control, and governance.

The good news is that the law will be essentially identical in all 28 EU member states, meaning companies only have to comply with one standard. However, the bar is set high and wide, forcing most companies to invest considerable resources in becoming compliant.

Failure to comply with GDPR could result in a hefty fine. If a company is found to have infringed the regulation (for example, through a breach that exposes personal data because its security measures were inadequate), the penalty for the most serious infringements could be up to 20 million euros or four percent of the enterprise’s worldwide annual turnover, whichever is larger. Putting that in perspective: a large enterprise could be fined hundreds of millions of euros for a single infringement.

In addition, two pain points are conspicuous: a requirement to notify the supervisory authority within 72 hours of becoming aware of a breach, and another to demonstrate that your company’s security measures reflect the state of the art.

What’s mandated by GDPR

Since guidance on how some of the GDPR requirements will be applied has not been finalized, some organizations have adopted a ‘wait-and-see’ approach. Let’s consider the new obligations being introduced by this regulation:

Data control

To preserve subjects’ privacy, organizations must:
- Only process data for authorized purposes
- Ensure data accuracy and integrity
- Minimize the exposure of subject identities, and
- Implement data security measures.

Data security

Data security goes hand-in-hand with data control.
GDPR puts security at the service of privacy. To preserve subjects’ privacy, organizations must implement:
- Safeguards for data that is retained for additional processing
- Data protection measures, by default
- Security as a contractual requirement with processors and partners
- Security measures based on a risk assessment, and
- Encryption of personal data where appropriate

Right to erasure

Subject data cannot be kept indefinitely. GDPR requires organizations to completely erase data from all repositories when:
- Data subjects revoke their consent
- A partner organization requests data deletion, or
- A service or agreement comes to an end

It is worth noting, however, that subjects do not enjoy a carte blanche right to have their data erased. If there are legal grounds, specified in the regulation, for continued processing, an organization can retain and process a subject’s data. Such exceptions are few, however, and the organization must be able to show which one applies.

Risk mitigation and due diligence

Organizations must assess the risks to privacy and security, and demonstrate that they are mitigating them. This requires that they:
- Conduct a full risk assessment
- Implement measures to ensure and demonstrate compliance
- Proactively help third-party customers and partners to comply, and
- Prove full data control

Breach notification

When a security breach threatens the rights and privacy of a data subject or subjects, organizations must:
- Notify the supervisory authority within 72 hours of becoming aware of the breach
- Describe the nature and likely consequences of the breach, and the measures taken to address it, and
- Communicate the breach directly to affected subjects when it is likely to result in a high risk to them

6 steps to GDPR compliance

To prepare for GDPR, organizations can use this six-step process:

1. Understand the law
Know your obligations under GDPR as they relate to collecting, processing, and storing data, including the legislation’s special categories of data.

2. Create a road map
Perform data discovery and document everything: research, findings, decisions, actions and the risks to data.

3. Know which data is regulated
First, determine whether data falls under a GDPR special category. Then, classify who has access to each type of data, who shares it, and which applications process it.

4. Begin with critical data and procedures
Assess the risks to all personal data, and review policies and procedures. Apply security measures to production data containing core assets, and then extend those measures to backups and other repositories.

5. Assess and document other risks
Investigate any other risks to data not covered by the previous assessments.

6. Revise and repeat
Repeat steps four and five as systems and data change, and adjust findings where necessary.

For CSOs, GDPR provides a good opportunity to upgrade the organization’s security capabilities, both to meet the regulation’s requirements and to improve overall security with respect to data confidentiality and privacy.