The Year of GDPR
Way back in 2012, the European Commission laid down initial plans for the European Union’s data protection reform. It took the relevant parties four years to reach an agreement on what would be involved and how it would be enforced. And now, here we are! As close as ever to the May deadline, in the year Europe finally takes the leap to become “fit for the digital world”, businesses will be changing the way data is handled, processed, and protected under the General Data Protection Regulation (GDPR).
Being citizens of today’s crazy world, almost everything we do and have revolves around data. Every time we use a service, you better bet that our data is being recorded and analyzed. Our names, addresses, ID numbers, credit card info, etc. are constantly being collected, tracked, analyzed, and in many cases even saved by organizations. With data being everywhere and its contents being so valuable, data breaches have become inevitable. Hackers gonna hack, and businesses have notoriously fallen short when it comes to protecting their customers’ data, meaning that the hackers have been doing pretty well in this raging cyber war.
And here enters GDPR. But first, let’s quickly rewind and refresh our memories on what the GDPR is.
Put shortly, the GDPR is a new set of rules that gives EU citizens more control over their data while simplifying the data-related regulations for businesses. The new rules and regulations aim to reflect the fast-paced and connected world we live in.
Following four years of long debates and vast preparation, the European Parliament approved the GDPR in April 2016. The GDPR will come into effect on the 25th of May, 2018, and all EU member nations are expected to have incorporated the GDPR into their own laws by the 6th of May.
GDPR and Organizations
Under the GDPR, organizations will need to ensure that all personal data is gathered in a legal manner and under strict conditions. Organizations are duty-bound to protect the data from exploitation and must respect the rights of data owners. Organizations will also face some pretty serious penalties for failing to protect the data.
It’s important to note that the GDPR applies to organizations and individuals operating and residing within the EU, as well as to organizations outside the EU which offer services or goods to customers in the EU. The GDPR is essentially legislation that extends around the world, as companies based outside the EU will still need to comply.
And on the topic of how the GDPR will affect businesses, the European Commission says that “By unifying Europe’s rules on data protection, lawmakers are creating a business opportunity and encouraging innovation”. The Commission claims that having one authority for the entire EU should make compliance a simpler and cheaper process for businesses operating within the region. This will be achieved by products and technologies providing what is essentially “data protection by design and by default” (Art. 25).
GDPR and Citizens
One of the biggest changes brought by the GDPR is that citizens are now armed with the right to know when their data has been breached. Organizations will be required by law to notify the designated and relevant national bodies as soon as a breach is detected, to help keep their customers’ data from being abused. Furthermore, customers will now have a more transparent view of how their data is processed.
It really feels like many organizations have already been taking some steps towards that transparency between them and their customers. I, for one, have already started receiving emails from companies giving me much more information on how my data is used. Additionally, many organizations have been contacting customers to see whether or not they still want to be part of their database, making it as easy as ever for a customer to opt out of being on mailing lists.
Finally, the GDPR is at last bringing in the much buzzed-about ‘right to be forgotten’ process (Art. 17). This process allows citizens who no longer want their data to be processed, stored, or flowing through systems to have it deleted (once it is established that there are no grounds to keep it).
GDPR and Data Breaches
As mentioned earlier in this blog post, once the GDPR comes into effect, it will introduce a new set of rules all organizations must follow when it comes to a data breach. For starters, organizations are obligated to report any breach or unauthorized access involving the personal data of their customers. If a name, address, health record, bank detail, or any other bit of private data is breached or accessed by a malicious party, the organization is obliged to tell those affected and must report it to the relevant regulatory body so that the extent of the damage can be limited.
When a data breach occurs, it must be reported to the relevant regulatory body within 72 hours of the organization becoming aware of it. At the same time, if the breach calls for customers to be notified, the GDPR rules that customers must be informed ‘as soon as possible’ so that the damage can be handled.
When a breach occurs, the organization must let those affected know via a breach notification (Art. 33) sent directly to the victims. This means that a press release or a notice on the company website does not cover the organization’s obligation to let its customers know. The notification must be one-on-one.
Fines and Penalties
The GDPR does not mess around. Failure to comply with the GDPR comes with serious financial repercussions, which will depend on the severity of the data breach and on whether the organization appears to have taken the compliance and security regulations seriously. Fines range from 10 million euros to 4% of the organization’s annual global turnover (meaning, for some companies, billions of euros). There is a maximum fine of 20 million euros (or, if greater, 4% of annual global turnover) for violations of data owners’ rights, not giving customers access to their data when they request it, illegal or unauthorized international transfer of personal data, and failure to put the necessary GDPR procedures in place.
GDPR and AppSec
I recommend reading the following Articles to review the application security requirements in the GDPR: 25, 32, 33, 34, and 35. These Articles lay out what organizations need to do when securing the data flowing through their applications, in addition to what must be done if there is a data breach. Here are some notable takeaways:
- As mentioned earlier in this blog post (but I’m emphasizing it again here), organizations must follow the ‘privacy/security by design’ rule to ensure data is secured from attackers by default. The idea is that data security and privacy must be considered during the product’s planning phase as opposed to during development (or even further down the line).
- For existing operations, organizations must work to discover any weak points in how the data flowing through them is processed and handled, by performing a gap analysis to find what works and what needs to be worked on or removed.
- Organizations should make a habit of ‘spring cleaning’ to remove any data that is no longer needed.
I hope this blog post is able to shed some light on what is to come during this year of GDPR. So, is your organization GDPR ready? Tweet us the answer!
Did you know that Checkmarx fully complies with the GDPR? Checkmarx’s CxSAST makes addressing the new GDPR guidelines much easier with a static code analysis solution, as it addresses the following requirements:
- Developing secure software and applications by embedding security as part of the development cycle
- Routine testing of security systems and processes in order to ensure the right level of security