When it comes to information security for GDPR compliance, all stakeholders across the organization need to be involved.
The General Data Protection Regulation – the European Union’s upgrade of the current Data Protection Directive – is one of the most sweeping overhauls of data protection the world has ever seen. Not only does GDPR come with real teeth – including fines starting at €10 million – but it significantly lowers the bar for actionable events against a company.
Per article 79, for example, individuals have the right to an “effective judicial remedy” where they consider that their rights and freedoms have been infringed upon by an organization’s non-compliance with the regulation. Under the GDPR, “infringement” includes physical, material, and even non-material damage. While the new regulation has yet to be tested in the courts, it is likely that the courts will maintain – perhaps even extend – the broad view of what constitutes personal damage developed under the old Data Protection Act. Under that law, an organization could be found liable even for non-pecuniary damage to the personal dignity, integrity, and autonomy of an individual claimant, as well as for personal anxiety and distress. Financial loss to the claimant is not necessary. The court found that a failure to protect the privacy of individuals leading to “emotional distress” is an infringement of their fundamental rights and freedoms.
Information Security for GDPR Compliance Is Not Just an IT Security Thing
What this means is that information security for GDPR compliance is no longer just an IT security thing. If, for example, individuals believe they are inappropriately profiled for specific sales offers based on collected personal data, the company could be liable for “damages” and fines under GDPR. Furthermore, according to article 82(3), an organization can claim exemption from liability only “if it proves that it is not in any way responsible for the event giving rise to the damage.” Organizations working with the personal information of EU residents, therefore, are by default responsible for the broad definition of damages under EU legal precedent. Thus, information security for GDPR compliance will require that all organizational stakeholders actively participate in data security and in protecting personal privacy.
In addition to training each GDPR stakeholder group throughout the organization on the proper use and protection of personal data, organizations are scrambling to understand the scope of their current personal data inventory and how that data is being processed from collection to destruction:
- Personal data, per article 4(1), “means any information relating to an identified or identifiable natural person.” The data may be usable to identify a person directly or indirectly. Data types include, but are not limited to, name; any ID number; geolocation data; online identifiers such as IP address; physical, physiological, genetic, mental, or economic traits; and cultural or social identifiers.
- Processing, per article 4(2), means any operation or set of operations performed on data. Such operations may include, but are not limited to, collection, recording, organization, or structuring of the data. Processing operations may also include adaptation or alteration; storage and retrieval; use and consultation; transmission resulting in disclosure, dissemination, or otherwise making available; alignment or combination; restriction; and erasure or destruction.
What the courts will likely find after GDPR is adopted is that if an organization has personal data of an EU resident, someone somewhere in the company processed it. Thus, it is imperative that all stakeholders throughout the organization thoroughly understand both what personal data is and what risks are associated with processing that data.
ThreatModeler™ Identifies Information Security Risk
Information security for GDPR compliance is all about assessing the risk to personal privacy, as well as related compliance risks. The GDPR provides significant leeway for organizations to define “risk.” Whatever the method employed for defining and determining risk, though, it needs to be applied consistently and in the spirit of the new regulation. Specifically, per Article 24(1), organizations processing personal data need to take into account “the nature, scope, context, and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms” of the data subject. Mitigating the risks to data subjects’ rights and freedoms – not just mitigating the potential for a data breach – is to be accomplished, according to Article 25(1), through implementing appropriate “technical and organizational measures.” Technical measures may include encryption and pseudonymization; organizational measures may include governance policies requiring data minimization and data retention lifetimes.
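The measures named above (pseudonymization as a technical measure; data minimization and a retention lifetime as organizational measures) can be made concrete in code. The following is an added illustration written for this article, not ThreatModeler™ code or any official GDPR reference implementation: it applies the three measures to a constructed customer record. The record values, the per-purpose field lists, the retention periods, and the HMAC key are all assumptions chosen for the example.

```python
"""Added example (not ThreatModeler's code): pseudonymization, data
minimization and a retention lifetime applied to one constructed record."""
import hmac
import hashlib
from datetime import datetime, timedelta

# Constructed sample record; every value is made up for this example.
RECORD = {
    "customer_id": "C-1042",
    "name": "Ada Example",
    "email": "ada@example.com",
    "ip_address": "203.0.113.7",
    "order_total": 42.50,
    "collected_at": "2017-01-15T10:00:00+00:00",
}

# Data minimization: the fields each processing purpose actually needs.
# (Assumed purposes and field sets; a real inventory comes from the data map.)
PURPOSE_FIELDS = {
    "order_fulfilment": {"customer_id", "name", "email", "order_total"},
    "sales_analytics": {"customer_id", "order_total"},
}

# Retention lifetime per purpose (assumed governance policy values).
RETENTION = {
    "order_fulfilment": timedelta(days=365),
    "sales_analytics": timedelta(days=90),
}

# Direct identifiers that must not leave the system in clear form.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonymize(value: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    The token is stable, so records can still be joined on it, but it cannot
    be turned back into the identifier without the key. The key is the
    'additional information' of article 4(5) and must be stored separately
    from the pseudonymized data set.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimize(record: dict, purpose: str) -> dict:
    """Keep only the fields the stated purpose needs; drop everything else."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def is_expired(record: dict, purpose: str, now_iso: str) -> bool:
    """True once the record has outlived the retention period for the purpose."""
    collected = datetime.fromisoformat(record["collected_at"])
    now = datetime.fromisoformat(now_iso)
    return now - collected > RETENTION[purpose]


def prepare_for_purpose(record: dict, purpose: str, key: bytes, now_iso: str):
    """Apply the three measures in order.

    Returns the minimized, pseudonymized record, or None when the retention
    lifetime has passed and the record must be erased rather than used.
    """
    if is_expired(record, purpose, now_iso):
        return None
    out = minimize(record, purpose)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = pseudonymize(out[field], key)
    return out


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-keep-separate"
    print(prepare_for_purpose(RECORD, "sales_analytics", demo_key,
                              "2017-03-01T00:00:00+00:00"))
```

Running the block shows that the analytics view of the record carries only a pseudonymized `customer_id` and the `order_total`; the name, e-mail and IP address never reach that purpose, and after 90 days the function returns `None` so the caller erases the record instead of using it. The order of operations matters: the retention check runs on the full record (it needs `collected_at`), and pseudonymization is applied only to the identifiers that survive minimization.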
The challenge that many organizations are facing as the May 25, 2018 implementation date approaches goes well beyond an initial information security for GDPR compliance audit.
Organizations need a way to define and understand the GDPR-relevant risks now, as well as to remain in compliance cost-effectively on an ongoing basis. To this end, ThreatModeler™ offers a significant solution for organizations dealing with the personal data of EU residents.
Start with Enterprise Threat Modeling
ThreatModeler™ is the world’s first enterprise threat modeling solution, automatically yielding concrete, actionable outputs for stakeholders throughout the organization. With ThreatModeler™, both security teams and DevOps teams can build threat models of applications, on-premises and cloud-based infrastructures, IoT and mobile devices, industrial control and cyber-physical systems, network endpoints, or any combination thereof. Threat models built in ThreatModeler™ are based on the architecture of the item under consideration, so anyone with a familiarity with the intended use cases can create detailed, actionable threat models.
Furthermore, ThreatModeler’s easy-to-use knowledge-base UI allows organizations to define threats relevant to the organization – including threats specifically related to information security for GDPR compliance.
Assign GDPR-Related Attributes within Threat Models
Consider the following architectural diagram for a popular bakery’s mobile application threat model.
As with most public-facing applications, the Login feature will ask for the user’s username and password, which are considered personal data protected under the GDPR.
By simply right-clicking on the Login feature and choosing the Attributes option, ThreatModeler™ allows users to associate the appropriate GDPR risk-related attributes with the Login feature:
By associating the risk-related attributes with the Login feature, ThreatModeler™ automatically generates a list of relevant threats and their associated risk. With the click of a mouse, ThreatModeler™ can provide information security for GDPR compliance:
From the ThreatModeler™ Executive Dashboard, users can review all the information related to the Login or any other architectural component. The items highlighted below are specific to information security for GDPR compliance. However, note the list of additional threats identified by ThreatModeler™ for this one architectural component, based on the information provided to the threat model such as data elements and widgets:
Information Security for GDPR Compliance Starts with ThreatModeler™
If you process personal data of natural persons residing in the EU, complying with the GDPR is not optional. Oliver Wyman, a management consulting firm, expects regulators to levy and collect $6 billion in GDPR non-compliance fines in just the first year of the new regulation. According to a recent PwC survey of 200 C-level stakeholders, more than half of US multinationals say preparing for GDPR is their top data protection priority, with 77% of survey respondents indicating their company plans to spend from $1 million to more than $10 million getting ready.
Unfortunately, that investment only gets multinational companies to the GDPR starting line. Objective and actionable evaluation of risk to the rights and freedoms of data subjects will continue to be a daily operating concern. Getting a handle on information security for GDPR compliance, evaluating the relevant risks, and – very importantly – developing cost-effective mitigation strategies to reduce the GDPR-related risks is why organizations and InfoSec consulting firms need ThreatModeler™. In addition to identifying the relevant technological and business-related risks in applications, deployment environments, devices, and systems, ThreatModeler™ enables stakeholders throughout the organization to identify GDPR-related risks and mitigation strategies at the click of a button.
Ready to learn more about how ThreatModeler™ can enhance your information security for GDPR compliance? Click here to schedule a live demo and let us show you what ThreatModeler™ can do for you.
References

“Damages for distress under the Data Protection Act: Google v Vidal-Hall & Ors.” Bond Dickinson LLP: London. June 16, 2015.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union, Vol. L119. May 4, 2016.

“A Practical Guide for GDPR Compliance.” RSA. Osterman Research, Inc.: Black Diamond. July 2017.

Nadeau, Michael. “General Data Protection Regulation (GDPR) requirements, deadlines, and facts.” CSO Online. IDG Communications, Inc.: Boston. June 29, 2017.

“Pulse Survey: US Companies ramping up General Data Protection Regulation (GDPR) budgets.” PwC GDPR Series. PricewaterhouseCoopers LLP: London. 2017.