The EU General Data Protection Regulation (GDPR) is the European Union’s upgrade of the current Data Protection Directive. The GDPR is one of the most sweeping overhauls of data protection the world has ever seen. Not only does GDPR come with real teeth, including fines starting at €10 million and escalating to an upper level of €20 million or 4% of worldwide annual revenue, whichever is higher; it also significantly lowers the bar for actionable events against a company.
Why GDPR Was Implemented
The EU GDPR was adopted on April 14, 2016 and came into enforcement on May 25, 2018. EU member states needed a way to enforce cybersecurity that protects the data privacy of EU citizens. GDPR compliance is enforced in any country in which data of EU citizens is collected, and that includes the United States. Therefore, organizations must enforce data security, prevent data breaches, perform due diligence on breach notification and meet the requirements set forth by the EU GDPR. Or else. Any enterprise that controls or processes relevant data is required to implement the people, processes and technology needed to ensure adequate data protection as outlined by the GDPR. Even if a business is not headquartered in the EU, the regulation is directly binding and applicable.
What GDPR Means & Consequences for Non-Compliance
Per article 79, for example, individuals have the right to an “effective judicial remedy” where they consider their rights and freedoms have been infringed upon by an organization’s non-compliance with the regulation. Under GDPR, “infringement” on an EU citizen’s rights includes physical, material, and even non-material damage. However, while the new regulation has yet to be tested in the courts, it is likely that the courts will maintain – perhaps even extend – the broad view of what constitutes personal damage developed under the old Data Protection Act.
Under that law, an organization can be found liable even for the non-pecuniary damage to personal dignity, integrity, and autonomy, as well as personal anxiety and distress of an individual claimant. Financial loss of the claimant is not necessary. The court found that failure to protect the privacy of individuals leading to “emotional distress” is an infringement on their fundamental rights and freedoms.[1]
What this means is that information security for GDPR compliance is no longer solely an IT security concern. If, for example, individuals believe they are inappropriately profiled for specific sales offers based on collected personal data, the company could be liable for “damages” and fines under GDPR.
The Changing Definition of “Personal Data”
In addition to training each GDPR stakeholder group throughout the organization on the proper use and protection of personal data, organizations are scrambling to understand the scope of their current personal data inventory and how that data is being processed from collection to destruction:
- Personal data, per article 4(1), “means any information relating to an identified or identifiable natural person.” The data may be usable to identify a person directly or indirectly. Data types include, but are not limited to, name; any ID number; geolocation data; online identifiers such as IP address; physical, physiological, genetic, mental, or economic traits; and cultural or social identifiers.
- Processing, per article 4(2), means any operation or set of operations performed on data. Such operations may include, but are not limited to, collection, recording, organization, or structuring of the data. Processing operations may also include adaptation or alteration, storage and retrieval, use and consultation, transmission resulting in disclosure, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.
What the courts will likely find after GDPR is adopted is that if an organization has personal data of an EU resident, someone somewhere in the company processed it. Thus, it is imperative that all stakeholders throughout the organization thoroughly understand both what personal data is and what risks are associated with processing that data.
Exemptions to GDPR Compliance
According to article 82(3), an organization can claim exemption from liabilities only “if it proves that it is not in any way responsible for the event giving rise to the damage.”[2] Organizations working with personal information of EU residents, therefore, are by default responsible for the broad definition of damages under EU legal precedent. Thus, information security for GDPR compliance will require that all organizational stakeholders actively participate in data security and protecting personal privacy.
Cybersecurity and Information Security Concerns for GDPR Compliance
Some concerns arise with regard to data collection, data processing and GDPR compliance. For example, organizations are worried that the GDPR, and the supervisory authorities that enforce it, treat personal data as the property of the individual, removing ownership from data controllers and/or processors. They are also concerned about the global reach of the EU GDPR, since citizen data is protected wherever the citizen may be situated, regardless of where the organization is located. Enterprises are also concerned that they do not have an adequate cybersecurity program in place to address cyber risk as outlined by the EU GDPR.
Standard Firewalls
Common firewall technology is not a sufficient measure to achieve GDPR compliance, let alone to protect IT infrastructure and applications from a cyberattack. Large organizations are at increased risk because their attack surface is more expansive. Consumers and users may not be adequately secured throughout all stages of the data journey, from the frontend to the backend and everything in between. Now, with the emergence of IoT-embedded devices in our everyday lives, edge cases must also be considered. Businesses, therefore, are advised to apply a multi-layered approach to cybersecurity and information security.
Network Access Endpoints
An increasing number of interconnected devices, including mobile, desktop and IoT devices, increases the risk of data being exploited or misused. Any device, whether a laptop, smartphone or tablet, expands the attack surface by adding entry points for threats. Technology is all around us, so a security strategy must be in place to ensure all devices are secured. This means adequate threat detection, with steps to prioritize and mitigate threats, is necessary. Nowadays we are more connected to our devices than ever, at home, at work and even during our travels.
Auditing for Data Breaches and Incident Responses
CISOs clearly need to refine their process of auditing for data breaches as part of their security strategy. If an organization suffers a data breach, the CISO must also be prepared for incident response and remediation, which includes forensic investigation, addressing the vulnerabilities that led to the breach and paying the piper for the compromised data. Auditing helps an organization to better understand its security posture and ensure that adequate security controls are in place.
Enterprise Threat Modeling for GDPR-Compliant Information Security
ThreatModeler™ is the world’s first enterprise threat modeling solution, automatically yielding concrete, actionable outputs for stakeholders throughout the organization. With ThreatModeler™, both security teams and DevOps teams can build threat models of applications, on-premises and cloud-based infrastructures, IoT and mobile devices, industrial control and cyber-physical systems, network endpoints, or any combination thereof. Threat models built in ThreatModeler™ are based on the architecture of the item under consideration, so anyone familiar with the intended use cases can create detailed, actionable threat models.
Furthermore, ThreatModeler’s easy-to-use knowledge-base UI allows organizations to define threats relevant to the organization – including threats specifically related to information security for GDPR compliance.
Assign GDPR-Related Attributes within Threat Models
Consider the following architectural diagram for a popular bakery’s mobile application threat model. As with most public-facing applications, the Login feature asks for the user’s username and password, which is considered personal data protected under the GDPR. By simply right-clicking on the Login feature and choosing the Attributes option, ThreatModeler™ allows users to associate the appropriate GDPR risk-related attributes with the Login feature.
By associating the risk-related attributes with the Login feature, ThreatModeler™ automatically generates a list of relevant threats and their associated risk. With the click of a mouse, ThreatModeler™ can provide information security for GDPR compliance.
From the ThreatModeler™ Executive Dashboard, users can review all the information related to the Login feature or any other architectural component. The items highlighted below are specific to information security for GDPR compliance. Note, however, the list of additional threats identified by ThreatModeler™ for this one architectural component, based on the information provided to the threat model such as data elements and widgets.
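The attribute-driven threat enumeration described above, shown as an added Python example that is not ThreatModeler’s own code or data model. Components of the bakery app carry data elements; attributes such as processes_personal_data and stores_credentials are derived from those elements using the article 4(1) examples on this page (username, password, email, IP address, geolocation); and a small hypothetical threat library maps each attribute to threats with a likelihood × impact risk score and a mitigation. The component names, attribute names, threats, scores and mitigations are all constructed for illustration.

```python
"""Attribute-driven threat enumeration for a toy mobile-app threat model.

Added example: the threat library, scores and component names below are
constructed for illustration and are not ThreatModeler's data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    gdpr_relevant: bool   # does this threat touch personal data of a data subject?
    likelihood: int       # 1 (rare) .. 3 (likely)
    impact: int           # 1 (minor) .. 3 (severe)
    mitigation: str

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Component:
    name: str
    attributes: set[str] = field(default_factory=set)     # attributes set by the modeller
    data_elements: set[str] = field(default_factory=set)  # fields the component handles


# Data elements that fall under the page's article 4(1) examples of personal data.
PERSONAL_DATA_ELEMENTS = {"username", "password", "email", "ip_address", "geolocation"}

# Hypothetical threat library: attribute -> threats it implies.
THREAT_LIBRARY: dict[str, list[Threat]] = {
    "stores_credentials": [
        Threat("Credential theft via weak password storage", True, 2, 3,
               "Hash passwords with a slow, salted KDF; never log credentials"),
        Threat("Credential stuffing / brute force", True, 3, 2,
               "Rate limit login attempts, lock out after failures, offer MFA"),
    ],
    "processes_personal_data": [
        Threat("Personal data exposed in transit", True, 2, 3,
               "Require TLS on every channel carrying personal data"),
        Threat("Excessive retention of personal data", True, 2, 2,
               "Define a retention period and erase data when it expires"),
    ],
    "internet_facing": [
        Threat("Injection via untrusted input", False, 3, 3,
               "Validate all input; use parameterised queries"),
        Threat("Denial of service", False, 2, 1,
               "Apply rate limiting and resource quotas"),
    ],
}


def derive_attributes(component: Component) -> set[str]:
    """Start from the modeller's attributes and add those implied by the data elements."""
    derived = set(component.attributes)
    if component.data_elements & PERSONAL_DATA_ELEMENTS:
        derived.add("processes_personal_data")
    if {"username", "password"} <= component.data_elements:
        derived.add("stores_credentials")
    return derived


def enumerate_threats(component: Component) -> list[Threat]:
    """Collect the threats implied by every attribute, deduplicated, highest risk first."""
    seen: dict[str, Threat] = {}
    for attr in sorted(derive_attributes(component)):
        for threat in THREAT_LIBRARY.get(attr, []):
            seen.setdefault(threat.name, threat)
    return sorted(seen.values(), key=lambda t: (-t.risk, t.name))


def gdpr_summary(model: list[Component]) -> dict[str, list[str]]:
    """Per component, the names of GDPR-relevant threats; components with none are omitted."""
    summary: dict[str, list[str]] = {}
    for component in model:
        names = [t.name for t in enumerate_threats(component) if t.gdpr_relevant]
        if names:
            summary[component.name] = names
    return summary


# Constructed sample model of the bakery app.
BAKERY_MODEL = [
    Component("Login", {"internet_facing"}, {"username", "password"}),
    Component("Order History", {"internet_facing"}, {"email", "order_id"}),
    Component("Static Menu", {"internet_facing"}, {"product_name", "price"}),
]

if __name__ == "__main__":
    for component in BAKERY_MODEL:
        print(f"== {component.name}: attributes {sorted(derive_attributes(component))}")
        for t in enumerate_threats(component):
            tag = "GDPR" if t.gdpr_relevant else "    "
            print(f"  [{tag}] risk={t.risk} {t.name} -> {t.mitigation}")
```

Running the module prints, for each component, the attributes the data elements imply and the ranked threats, with the GDPR-relevant ones tagged; the Static Menu component carries no personal data and therefore yields only the generic internet-facing threats.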
Cyber and Information Security for GDPR Compliance Starts with ThreatModeler™
If you process personal data of natural persons residing in the EU, complying with the GDPR is not optional. Oliver Wyman, a management consulting firm, expects regulators to levy and collect $6 billion in GDPR non-compliance fines in just the first year of the new regulation.[4] According to a recent PwC survey of 200 C-level stakeholders, more than half of US multinationals say preparing for GDPR is their top data protection priority, with 77% of survey respondents indicating their company is planning to spend from $1 million to more than $10 million getting ready.[5]
Unfortunately, that investment is only to get the multinational companies to the GDPR starting line. Objective and actionable evaluation of risk to the rights and freedoms of data subjects will continue to be a daily-operating concern. Getting a handle on information security for GDPR compliance, evaluating the relevant risks, and – very importantly – developing cost-effective mitigation strategies to reduce the GDPR-related risks is why organizations and InfoSec consulting firms need ThreatModeler™. In addition to identifying the relevant technological and business-related risks in applications, deployment environments, devices, and systems, ThreatModeler™ enables stakeholders throughout the organization to identify GDPR-related risks and mitigation strategies at the click of a button.
Ready to learn more about how ThreatModeler™ can enhance your information security for GDPR compliance? Book a demo to speak to a ThreatModeler expert today.
Sources
[1] “Damages for distress under the Data Protection Act: Google v Vidal-Hall & Ors.” Bond Dickinson LLP: London. June 16, 2015.
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union, Vol. L119. May 4, 2016.
[3] “A Practical Guide for GDPR Compliance.” RSA. Osterman Research, Inc: Black Diamond. July, 2017.
[4] Nadeau, Michael. “General Data Protection Regulation (GDPR) requirements, deadlines, and facts.” CSO Online. IDG Communications, Inc: Boston. June 29, 2017.
[5] “Pulse Survey: US Companies ramping up General Data Protection Regulation (GDPR) budgets.” PwC GDPR Series. PricewaterhouseCoopers LLP: London. 2017.