Key articles in the GDPR for the enterprise

After May 25, 2018 doing business in the EU will mean abiding by GDPR. If you have EU customers, even if you are not based in the EU, you will be subject to its laws.  Once GDPR goes into effect, a data breach will not just mean a whole heap of embarrassment and reputational loss for businesses and organizations. It will also constitute huge fine – 20 million euros or 4 % of turnover to be exact, whichever is greater. To put that into context, the current fine for a data breach is around 500K . For those who don’t have their calculators handy, that’s a 40x increase.

Moreover, companies will have just 72 hours to report a breach to the regulator and its customers under GDPR. Quietly working out a plan will no longer be an option.

While this spike may be unsettling, it’s a sign of the times. The EU is serious about the protection of consumer data. Ultimately, the purpose behind GDPR is to activate organizations to get serious about the adopting a customer-centric approach to data security, not to make everyone bankrupt.

No one is debating whether GDPR is a big deal, but its magnitude can certainly inspire some analysis paralysis. Where is the most impactful place to start?

For enterprises, GDPR is a lot to make sense of. When it comes to sorting through the confusing 100 pages of text that is GDPR, it can be difficult to isolate which articles and action items truly need to be addressed.  To help take the guesswork out of the equation, I’ve identified the most crucial articles for the enterprise to focus on and distilled their key takeaways.

Article 16: Right to Rectification

In one of the GDPR’s shortest articles, just 54 words, the EU states that citizens are entitled to the “right to rectification.” This means that customers have the right to have inaccurate information about themselves corrected in a timely fashion.

At first this sounds simple, but it becomes increasingly complex as you factor in third-party vendors that have come into possession of the data.  Think critically about your ecosystem of tools and where consumer data is shared. Complying with Article 16 will require additional controls that allow organizations to either alter or delete data that has already left their network. The takeaway here is to ensure you can update or alter customer data across your supply chain and partners when needed.

Article 25: Data Protection by Design and by Default

The 25th article of the GDPR starts with one mouthful of a sentence:

“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”

This is a long-winded way of saying that data must be protected while at rest, in transit, and in use. In some instances, where sensitive personally identifiable information is being processed, organizations are also required to put technical measures in place that anonymize the individual in order to protect his or her privacy.

Ask yourself, all things considered, what does it take anonymize an individual with our current data structure?

Organizationally, keep a close eye on who has access to what. Ideally, you will have a tight rein on access permissions at the user-level.

Article 25 goes on to say that organizations can only process the portions of the data that are relevant to the analysis being conducted, which will require companies to provide both “technical and organizational” privacy assurances. Plus, these security assurances must be applied to data by default, reducing the possibility that information is leaked or misused.

The takeaway here is to ensure you encrypt sensitive data and that only certain parts of the organization can access the data.

Article 30: Records of Processing Activities

Article 30 of the GDPR deals with record keeping, specifying how companies and the third-parties they work with must track the flow of customer data throughout its life cycle. For security teams, this means that they must deploy IT solutions that can provide real-time auditing capabilities and capture granular usage details. These details include: the nature of the activity (viewing, editing, printing, and so on), the user who performed the activity, the time and location (IP address) of the activity, and more.

Having access to this data is just the start. The purpose of the record keeping is to have evidence in case of inevitable audits by a “supervisory authority,” whose powers are also defined within the GDPR’s text. Who plays the role of the “supervisory authority” will be determined on a case-by-case basis, depending on the member states involved. This means that the oversight bodies will likely have slightly different policies and procedure, further complicating the situation. My assumption is that none of these bodies will be shy about using their auditing powers, especially in the first few months, to prove the EU is committed to enforcing the GDPR’s regulations.

The takeaways for this article is to make sure you log, audit, and monitor all personal data processing across your applications. You may need to run forensic activity for a very specific user and prove something about his data.

Article 46: Transfers Subject to Appropriate Safeguards

The final article is the 46th, which is arguably one of the most important in the GDPR. Article 46 requires organizations to apply the same stringent data protections, no matter where the information is transferred or stored. This article is crucial because it addresses the key concern behind the GDPR’s inception — that once European citizen data is transferred outside the EU, it can become subject to surveillance by nation-states, which has been deemed a privacy violation by the Commission.

To remain in compliance with this requirement, security teams must look at security tools that are applied at the data level. This way, as the data travels, the security precautions remain in place, allowing the organization to freely share information throughout its international network.

The takeaway here is that everything should be encrypted leaving your boundary. Federated partners and interconnected cloud providers should be authenticated and authorized using TLS, SAML2 and SSO strategies.

Time is running out, but enterprises can still put the necessary measures in place. Cybersecurity and IT leaders must come together and pool collective expertise to determine the optimal strategy for achieving compliance with the GDPR.