With enforcement of the EU’s new General Data Protection Regulation set to begin on May 25, companies around the world that don’t already have GDPR-compliance efforts in place may find themselves with little time to make the necessary preparations to avoid the potential for huge penalties over their ability to protect consumer data privacy.
GDPR data breach notification poses some challenges, but not the only ones, for companies that will soon be responsible for protecting the privacy of personal data related to EU data subjects. For that matter, who exactly will qualify as an EU data subject?
While much of the focus on GDPR remains on the potentially high penalties for failures in protecting the privacy of personal data, those concerns may be overblown — and may be distracting many security professionals from the detail work that needs to be done to achieve compliance.
Darron Gibbard, chief technical security officer at Qualys, offered some answers in response to questions posed by SearchSecurity about who is a GDPR data subject, how to handle GDPR data breach notifications and other aspects of GDPR compliance.
There’s been speculation about who exactly is entitled to protection under GDPR. Is it EU citizens or anyone who is a resident in the EU, no matter what their citizenship status is?
Darron Gibbard: There are many confusing and ambiguous statements within the regulation itself that [do] not make this easy for organizations to understand. What also contributes to the issue is the interchangeable use of the terms ‘EU citizens,’ ‘EU residents’ and ‘data subjects’ throughout the regulations. But Article 3 [territorial scope] does provide the clearest definition of what GDPR covers yet and states ‘This Regulation applies to the processing of [personal] data of data subjects who are in the Union.’
Is there a consensus developing around what the GDPR right to be forgotten, GDPR data breach notification and even data portability will mean in practice?
Gibbard: For the examples given, each EU member [state] can determine how GDPR is implemented in its own way. Right to be forgotten requests can be dealt with quicker with some members and slower in others. Breach notification can vary from immediate to 72 hours. Data portability can be any format and agreements need to be made between controllers on a case by case basis. This is because of the way that each member has implemented the regulations. Each member has now published their own version of GDPR so for organizations that use EU data subjects’ information it is vitally important to understand how GDPR operates in each member and ensure that any processes around these three processes are documented and understood. I would always recommend that organizations take the shortest time requirement and use that as the standard for the processes, rather than tailoring the approaches for each member.
How will the GDPR data breach notification requirement work?
Gibbard: The problem for organizations is understanding which countries the personal data resides [in] and is being processed. Each EU member will have its own data breach notification rules. For example Holland requires immediate notification, the U.K. requires 72 hours and there will be variations by each EU member in between. So if you are responsible for running an operations team you will need to understand the rules for each EU member and ensure that the operational procedures are very clearly defined. I would highly recommend that the legal team engage with the procedures and they handle the notifications to the respective information commissioners. In the U.K., there is a breach notification template that takes 15 minutes to complete.
There is a lot of scaremongering around the size of the potential penalties for violations of the GDPR, 20 million euros or 4% of annual turnover, whichever is higher. What will a company have to do to get hit with the maximum fine?
Gibbard: The best advice at the moment is that all fines will be proportionate and not issued for every breach. For the maximum fine to occur, the organization must have suffered a breach multiple times, failed to inform their respective information commissioners, completely disregarded the regulation and had serious failings and also if the data subjects have been subjected to significant data privacy risks. Elizabeth Denham, the U.K. Information Commissioner, has a great phrase to make this very clear: ‘Tell it all, tell it fast, tell the truth.’
Is data anonymization likely to be a practical solution for GDPR compliance? And if it is, will it be easier or just as hard (or harder) as using encryption to protect consumer data?
Darron Gibbardchief technical security officer, Qualys
Gibbard: Both are hard to complete with the remaining time left, but both approaches rely upon your organization understanding where every piece of personal data resides. Organizations should by now have this clear understanding. If anonymization is done properly, then it will place the processing and storage or personal data outside the scope of GDPR. But for this to be fully in line with Recital 26 of the regulation, this means that all anonymized data must be stripped of any identifiable information, making it impossible to gain insights on an individual, even by the tool, vendor or solution that is responsible for anonymizing the personal data.
What advice do you have for CISOs who need their organizations to become GDPR-compliant by the enforcement date?
Gibbard: My advice for CISOs is to get the basics right and focus on preventing breaches from occurring. Do what you can to ensure that the risks are minimized and that simple things like patching do make a massive difference to protecting your organization. Don’t ignore patches due to availability concerns; patch as quickly as you can. Use vulnerability management and threat intelligence services to understand and limit attack vectors. It is important that the operations teams are familiar with what to do in the event of breach so test at regular intervals and ensure that the legal teams are involved.