GDPR says you should care, but how you should go about it remains murky at best.

If you're in IT or information security and are wondering what GDPR is, welcome back from outer space! GDPR is the new regulation passed by the European Union (EU) parliament to fortify data protection for all individuals within the EU. It has been the talk of the town over the past year because it comes into effect on May 25th, 2018. Here's the kicker: you have had two years to prepare yourself and your organization to comply with it.

GDPR is meant to protect the privacy and personal data of end users; it is less about cybersecurity and hacking. For instance, it doesn't tell you how to secure your assets and the data they contain, but it does set out how organizations must protect the privacy of users, make users aware of and consent to the data being collected about them, and make it easy to delete their personal data upon request.

A common question organizations have is whether GDPR applies to them. If your organization is established in the EU, or serves EU customers, and stores or processes their data, then GDPR applies to you. I've also heard customers running workloads in the public cloud say that because their cloud provider is GDPR compliant, they are covered. This is a misconception that can cost you dearly. The shared responsibility model puts the responsibility for managing data privacy and usage squarely in the customer's domain. The leading cloud providers offer data protection capabilities such as encryption and access control, but they are not switched on for you: the provider's compliance covers its own infrastructure and operations, while what you store, who can reach it and how long you keep it remain your decisions and your liability.

You have to get ready now, and get your cloud infrastructure ready too. GDPR does not offer a manual for compliance, only general guidelines. These are written in legal terms as opposed to technological ones, making it challenging to know exactly what needs to be done in order to be compliant.
Here's just one example (Article 25(1), on data protection by design and by default):

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall […] implement appropriate technical and organizational measures […] in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

What are appropriate measures? What is an effective manner? And who decides what the necessary safeguards are? This is open to interpretation, preferably by a lawyer who understands this kind of English.

GDPR distinguishes between the "controller" and the "processor" of the data, and between their responsibilities for keeping private data confidential and intact. As a business owner, you (or someone on your behalf) are the data controller. You need to know what kind of data you have in your possession and why, where and how it is stored, and how it is processed, and you must be able to prove your compliance. The processor can be the cloud provider, which does the processing on behalf of the controller. The processing must meet the regulation's requirements, and the processor must be able to prove that. Both processor and controller hold responsibility for GDPR compliance, but the controller is accountable for the choice: Article 24 makes the controller responsible for implementing appropriate measures and demonstrating compliance, and Article 28 requires it to use only processors that provide sufficient guarantees of compliance.

In order to be GDPR compliant, you need a custom-made solution. There's no one-size-fits-all. The solution that's right for you depends on your own infrastructure, the service you provide, the kind of data you work with, and so on.
Nevertheless, here are some practical things you should be doing right away:

Access restrictions
Grant access to data on a need-to-know / need-to-access basis. If you hold personal and private data, attackers will try to reach it, including by stealing other people's credentials. Restricting access limits what any single compromised account can expose. This is the basic security concept of the Principle of Least Privilege.

Encryption
Treat the private data in your possession like crown jewels. Even if your system is designed to restrict access to the data, there is no 100 percent guarantee in security. Keeping the data encrypted, with the keys held separately from the data in a safe place (a key management service or HSM rather than the same database or bucket), gives you another layer of security. This is defense in depth, a core element of Security by Design.

Monitoring and logging
You should know what is going on in your environment at all times. When you need to prove your compliance and best efforts under GDPR, keeping track of all events and being able to query backwards is very important. Bear in mind that logs themselves often contain personal data (IP addresses, e-mail addresses, user IDs), so they need their own access controls and retention limits.

Minimal footprint
Delete, and stop saving, all data that is not necessary for you to do your work. We love data and love making the most out of it, but in this case excessive data is more responsibility and potentially more headache. Remember that deletion has to reach backups and replicas as well, not just the primary copy.

Know exactly what kind of data you keep, and where you keep it
In case of an audit, or worse, a security incident, you need to know what assets you have and where they are kept. That way you can manage your risks better and respond quickly.

Prevention + detection
When planning compliance, always prepare for the worst. The assumption should be that a security breach is only a matter of time. Therefore, to minimize the damage, aim to spot a breach as early as possible.

For all the ambiguity around what data protection measures are required, the penalties for non-compliance with GDPR are painfully clear. Getting caught unprepared can cost you a lot of money!
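The controls above, in runnable form. This is an added example written for this edit, not code from the article or from any cloud product it mentions; the role names, the allowed-field list, the retention window and the HMAC-SHA256 counter-mode cipher (a standard-library stand-in for AES-GCM, which you would use in practice) are all assumptions. It shows the one thing the bullet points cannot: why keeping keys apart from data matters for erasure. Each subject's record is encrypted under its own key, that key is wrapped by a master key held elsewhere, and an erasure request destroys the key, which makes every copy of the ciphertext (including ones in backups you cannot reach) unreadable. Every access, granted or denied, lands in an append-only audit log that can be queried afterwards.

```python
# Added example, not from the article. Roles, allowed fields, retention window and the HMAC cipher are assumptions.
import hashlib
import hmac
import json
import os

ALLOWED_FIELDS = {"email", "country"}  # data minimisation: anything else is dropped at ingest
ROLE_PERMISSIONS = {"ingest": {"store"}, "support": {"read"}, "dpo": {"read", "erase"}, "marketing": set()}

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, because the Python stdlib has no AES (use AES-GCM in production)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    """Encrypt-then-MAC with a derived MAC key; layout: 16-byte nonce || ciphertext || 32-byte tag."""
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Verify the tag in constant time before decrypting; tampered data is rejected."""
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class PersonalDataStore:
    """Per-subject keys wrapped by a master key, role checks on every access, an audit log, crypto-shredding."""
    def __init__(self, master_key, retention_seconds):
        self._master_key = master_key  # in production this lives in a KMS/HSM, never beside the data
        self._wrapped_keys = {}        # subject_id -> data key encrypted under the master key
        self._records = {}             # subject_id -> (stored_at, ciphertext)
        self._retention = retention_seconds
        self.audit_log = []            # append-only: what an auditor or IR team queries backwards

    def _log(self, now, action, subject_id, actor, role, outcome):
        self.audit_log.append({"ts": now, "action": action, "subject": subject_id,
                               "actor": actor, "role": role, "outcome": outcome})

    def _authorize(self, now, action, subject_id, actor, role):
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._log(now, action, subject_id, actor, role, "denied")
            raise PermissionError(f"role {role!r} may not {action} personal data")

    def store(self, now, subject_id, record, actor, role):
        self._authorize(now, "store", subject_id, actor, role)
        kept = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}  # drop what we do not need
        dek = os.urandom(32)                                             # fresh per-subject data key
        self._wrapped_keys[subject_id] = encrypt(self._master_key, dek)
        self._records[subject_id] = (now, encrypt(dek, json.dumps(kept).encode()))
        self._log(now, "store", subject_id, actor, role, "ok")
        return sorted(kept)

    def read(self, now, subject_id, actor, role):
        self._authorize(now, "read", subject_id, actor, role)
        if subject_id not in self._wrapped_keys:  # key shredded: any surviving ciphertext is unreadable
            self._log(now, "read", subject_id, actor, role, "no-key")
            raise KeyError(subject_id)
        dek = decrypt(self._master_key, self._wrapped_keys[subject_id])
        self._log(now, "read", subject_id, actor, role, "ok")
        return json.loads(decrypt(dek, self._records[subject_id][1]))

    def erase(self, now, subject_id, actor, role):
        self._authorize(now, "erase", subject_id, actor, role)
        self._wrapped_keys.pop(subject_id, None)  # right to erasure: kill the key first, so backup copies die too
        self._records.pop(subject_id, None)
        self._log(now, "erase", subject_id, actor, role, "ok")

    def purge_expired(self, now):
        """Retention: erase records older than the window and return the purged subject ids."""
        expired = [s for s, (stored_at, _) in self._records.items() if now - stored_at > self._retention]
        for subject_id in expired:
            self.erase(now, subject_id, actor="retention-job", role="dpo")
        return expired

def demo():
    """Exercise the controls on constructed records and return what was observed."""
    store = PersonalDataStore(os.urandom(32), retention_seconds=3600)
    kept = store.store(0, "u1", {"email": "a@example.com", "country": "DE", "ssn": "000"}, "api", "ingest")
    visible = store.read(1, "u1", "alice", "support")
    try:
        store.read(2, "u1", "bob", "marketing")
        denied = False
    except PermissionError:
        denied = store.audit_log[-1]["outcome"] == "denied"
    store.erase(3, "u1", "carol", "dpo")
    try:
        store.read(4, "u1", "alice", "support")
        gone = False
    except KeyError:
        gone = True
    store.store(10, "u2", {"email": "b@example.com"}, "api", "ingest")
    return {"kept": kept, "visible": visible, "denied": denied, "gone": gone,
            "purged": store.purge_expired(5000), "events": len(store.audit_log)}
```

Calling demo() walks through the list: the ssn field never reaches storage, the marketing role is refused and the refusal is logged, an erasure by the DPO makes even an authorised support read fail, and the retention job purges the second record once it is older than the window. In production, replace the HMAC cipher with AES-GCM from a vetted library, keep the master key in a KMS or HSM, and ship the audit log to a store the application cannot rewrite.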
Penalties range from two percent of annual worldwide turnover or €10M (whichever is higher) to four percent or €20M, depending on the type of violation. An event like the Uber breach that occurred in 2016, but was disclosed only in November 2017, would have cost them heavily had GDPR been applicable at the time. Not only did Uber fail to keep its users' data safe, it also failed to inform the authorities within 72 hours, as GDPR requires for breach notification to the supervisory authority. The new regulation has a lot of bite, and it is time to get prepared.

Although reading the GDPR articles can leave you with more questions than answers, remember that its intention is to keep users' private data private. When designing your security, use common sense and established principles, and make your best effort to respect the privacy of the data you were allowed to save. Best practices like the ones I've mentioned here and in previous posts are a good starting point as you make your way towards GDPR compliance. Good luck!