Come May 25, 2018 companies doing business with persons living in the European Union must demonstrate compliance with the new General Data Protection Regulation (GDPR). An inability to demonstrate compliance could expose the company to a minimum fine of €10M, and go as high as 4% of the company’s worldwide revenues of the preceding year. These fines will be in addition to any judicial remedy provided by the courts for individuals whose rights and freedoms are found to be infringed upon by non-compliance with the GDPR.[1] The cost of GDPR non-compliance could well top $6 billion in the first year alone.[2] Avoidance of high potential penalties is motivating EU and international companies to spend millions on data discovery for GDPR compliance purposes.
The challenge facing organizations is that the regulation adopts an extraordinarily broad definition of personal information. For GDPR purposes, “personal data” includes “any information relating to an identified or identifiable natural person.” That means not only is a person’s tax-id number considered personal data, but soon the person’s IP address will fall under the court’s protection. Furthermore, the regulation not only covers any data which can in some way be considered a personal identifier (roughly half the people on the planet are male; nonetheless, in the EU gender is about to become identifying information), but also requires that such data be accurate and secure.
Data Discovery for GDPR Compliance: more than Counting Records
EU companies and international firms are therefore scrambling with their data discovery for GDPR compliance. In particular, companies are seeking to detail
- The personal data they have on hand;
- How and why said data is gathered;
- Where the data is kept;
- How the company uses and stores personal data;
- The degree to which stored data is accurate; and
- The permissions needed, if any, from the person identified by the data.
Data Discovery Considers Risk
While companies spend millions of dollars / euros on detailing their data and current processing, that only covers a portion of what the new regulation is all about. The heart of the GDPR is protecting the rights and freedoms of natural persons. To that end, the regulation repeatedly requires that organizations which collect personal information consider “the risk of varying likelihood and severity” that those rights and freedoms could in some way be compromised or infringed upon.
Thus, data discovery for GDPR compliance must implicitly consider the risk of personal data exposure. Furthermore, simply stating that data is at risk of exposure is insufficient for GDPR compliance; quantifying the potential degree of risk prior to collecting, processing, or storing personal data will be crucial for complying with Article 35 of the regulation:
“Where a type of processing … is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
ThreatModeler™ Yields “Impact Assessment” for GDPR Compliance
Quantifying risk prior to processing is the catch. Simply knowing what data your company is collecting and the purposes for collecting that data will not be sufficient. Data discovery for GDPR compliance necessarily includes assessing the risks involved and – per several other articles of the regulation – taking the appropriate technological and governance steps to mitigate those risks.
Enterprise threat modeling is the only way to understand the risks to “the rights and freedoms of natural persons” associated with collecting and processing personal data. While it is possible to gain a limited understanding of such risks through the analysis of a single application in isolation, few if any organizations collect and process personal data with isolated applications. Customer data is processed in a highly interconnected cyber ecosystem. Data is often shared across many applications, processed through shared components, and exposed to third-party systems. Thus, to understand and properly quantify the risks to personal data, organizations need to threat model the entire IT ecosystem and analyze their comprehensive attack surface for risks associated with personal data.
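To make the isolated-versus-ecosystem point concrete, here is an added illustration (not ThreatModeler code and not a formula from the regulation): a constructed inventory of components and the personal-data flows between them, scored as likelihood × severity on assumed 1-to-5 scales with an assumed threshold for flagging an Article 35 impact assessment. The component names, data categories, scales and threshold are all constructed for the example; the point it demonstrates is that a well-hardened application can look low-risk on its own while the data it hands to shared and third-party components carries a much higher exposure.

```python
"""Constructed example: scoring personal-data exposure across interconnected
components rather than one application in isolation.

Risk = likelihood x severity on assumed 1-5 scales. Neither the scales nor the
DPIA threshold come from the GDPR text; they stand in for whatever scoring
scheme an organization adopts in its own threat model."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Assumed severity of exposure per personal-data category (1 low .. 5 high).
SEVERITY: Dict[str, int] = {"email": 2, "ip_address": 2, "gender": 3, "tax_id": 5}

# Assumed: a score at or above this marks processing "likely to result in a
# high risk", i.e. a candidate for an Article 35 impact assessment.
DPIA_THRESHOLD = 15


@dataclass(frozen=True)
class Component:
    name: str
    likelihood: int            # assumed 1-5 chance the component exposes what it holds
    third_party: bool = False  # data leaves the organization's direct control


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    categories: FrozenSet[str]  # personal-data categories this flow may carry


def score(component: Component, categories: Set[str]) -> int:
    """Likelihood times the worst severity among the categories held."""
    if not categories:
        return 0
    return component.likelihood * max(SEVERITY[c] for c in categories)


def propagate(flows: List[Flow], origin: str, held: Set[str]) -> Dict[str, Set[str]]:
    """Follow flows transitively from `origin` and return which categories
    actually reach each component. A flow only carries what reached its source."""
    reached: Dict[str, Set[str]] = {origin: set(held)}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        for f in flows:
            if f.src != cur:
                continue
            carried = f.categories & reached[cur]
            new = carried - reached.get(f.dst, set())
            if new:
                reached.setdefault(f.dst, set()).update(new)
                queue.append(f.dst)
    return reached


def assess(components: Dict[str, Component], flows: List[Flow],
           origin: str, held: Set[str]) -> dict:
    """Compare the isolated view of one application with the ecosystem view."""
    reached = propagate(flows, origin, held)
    per_component = {name: score(components[name], cats) for name, cats in reached.items()}
    worst = max(per_component, key=per_component.get)
    return {
        "isolated": score(components[origin], held),
        "ecosystem": per_component[worst],
        "worst_component": worst,
        "third_party_recipients": sorted(n for n in reached if components[n].third_party),
        "dpia_required": per_component[worst] >= DPIA_THRESHOLD,
    }


# Constructed inventory: a hardened signup app that shares data onward.
COMPONENTS = {c.name: c for c in [
    Component("signup_app", likelihood=1),
    Component("analytics_svc", likelihood=2),                 # shared internal component
    Component("billing_svc", likelihood=3),
    Component("partner_crm", likelihood=4, third_party=True),
]}
FLOWS = [
    Flow("signup_app", "analytics_svc", frozenset({"email", "ip_address"})),
    Flow("analytics_svc", "partner_crm", frozenset({"email", "ip_address"})),
    Flow("signup_app", "billing_svc", frozenset({"tax_id"})),
]
SIGNUP_DATA = {"email", "ip_address", "tax_id"}


def example() -> dict:
    """Assess the constructed signup application in its ecosystem context."""
    return assess(COMPONENTS, FLOWS, "signup_app", SIGNUP_DATA)


if __name__ == "__main__":
    for key, value in example().items():
        print(f"{key}: {value}")
```

Run on the constructed inventory, the signup application scores 5 in isolation (likelihood 1 against a tax-id severity of 5), but because it forwards tax-ids to a billing service with likelihood 3 the ecosystem score is 15, which crosses the assumed threshold; the assessment also lists the third-party CRM that receives email and IP address data two hops downstream, something a single-application analysis never sees.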
Interested in learning how ThreatModeler™ can help you in your data discovery for GDPR compliance? Click here to schedule a demo.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union, Vol. L119. May 4, 2016.
[2] Nadeau, Michael. “General Data Protection Regulation (GDPR) requirements, deadlines and facts.” CSO Online. IDG Communication, Inc: Boston. June 29, 2017.