GDPR Arrived... And The Roof Didn’t Fall In … So What Next?
On 25th May, the EU’s General Data Protection Regulation became effective. The regulation is intended to raise the bar with respect to protecting citizens’ personal data. In my previous post, I shared my thoughts on why I thought this new regulation came to be, and indeed, since writing that, revelations have emerged about the use of personal data in election manipulation involving Facebook and Cambridge Analytica. The issue is that the threats in this space are ever increasing, so GDPR is part of a constant refresh to keep ahead of those threats; and it comes with a nasty stick in the form of hefty fines and compensation.
The approach required by 25th May centred on addressing privacy requirements within the design and implementation of the business process. Hence, the effort to date has gone into understanding and documenting the business process, establishing the legal basis for use, applying special measures where required, integrating individual rights such as the right to erasure, and potentially incorporating ‘privacy-by-design’ measures. Ideally, under privacy by design, the process is designed so that personal data is unlocked only under the control of the individual. Techniques such as pseudonymisation are used so that in all other circumstances the identity of the individual is protected: privacy by default. This is helpful for us in the IT world in circumstances like testing, where production data is often used to test the next release of an application, but in an environment where the access controls are less restricted. This aspect of GDPR is not mandated, because of the rework cost on existing systems. But on new processes, it’s worth remembering the intent.
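To make the pseudonymisation-for-test-data point concrete, here is an added Python example (mine, not from the original post): direct identifiers in a constructed production extract are replaced with HMAC-SHA256 tokens under a key that stays with the data controller, so tables still join in the test environment but identities can only be unlocked by whoever holds the key. The schema, field names and sample rows are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a production extract: two tables joined on customer_id.
CUSTOMERS = [
    {"customer_id": "C1001", "name": "Alice Example", "email": "alice@example.com", "plan": "gold"},
    {"customer_id": "C1002", "name": "Bob Example", "email": "bob@example.com", "plan": "basic"},
]
ORDERS = [
    {"order_id": "O1", "customer_id": "C1001", "total": 42.50},
    {"order_id": "O2", "customer_id": "C1001", "total": 9.99},
    {"order_id": "O3", "customer_id": "C1002", "total": 120.00},
]

# Fields that directly identify a person (assumption: a typical customer schema).
DIRECT_IDENTIFIERS = {"customer_id", "name", "email"}


def pseudonym(field: str, value: str, key: bytes) -> str:
    """Keyed, one-way token: HMAC-SHA256 over the field name and value.

    Deterministic, so joins between tables still work in test; irreversible
    without the key, which the controller keeps and never ships to test."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256)
    return f"{field}:{mac.hexdigest()[:20]}"


def pseudonymise_table(rows: list[dict], key: bytes) -> list[dict]:
    """Return a copy of the table with every direct identifier replaced."""
    return [
        {f: pseudonym(f, str(v), key) if f in DIRECT_IDENTIFIERS else v for f, v in row.items()}
        for row in rows
    ]


def build_test_extract(key: bytes) -> dict[str, list[dict]]:
    """Pseudonymise the whole extract under one key so cross-table joins survive."""
    return {"customers": pseudonymise_table(CUSTOMERS, key),
            "orders": pseudonymise_table(ORDERS, key)}


def join_preserved(extract: dict[str, list[dict]]) -> bool:
    """Check every pseudonymised order still points at a pseudonymised customer."""
    ids = {c["customer_id"] for c in extract["customers"]}
    return all(o["customer_id"] in ids for o in extract["orders"])


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and held by the controller, outside test
    extract = build_test_extract(key)
    print(extract["customers"][0])
    print("joins preserved:", join_preserved(extract))
```

Rotating the key for each test refresh breaks linkage between successive extracts, which limits what a compromised test environment can accumulate over time.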
GDPR is Now Live ... What's Next?
Now that GDPR is live, the emphasis changes to operations. The requirement centres around personal data being processed “by appropriate technical and organisational measures”. Many of the technical measures are well understood security measures, such as:
- network boundary management
- vulnerability management
- data leakage prevention
- disaster recovery
- access control
- physical asset management, etc.
There has been significant industry collaboration and agreement on the necessary controls as a result of the emergence of cloud and mobile computing in recent years and the reduced reliance on the network boundary. A mesh of countermeasures is important, especially considering that only recently the US Department of Homeland Security, the FBI and the UK’s National Cyber Security Centre issued a joint technical alert on Russian state-sponsored cyber actors attempting to take down network-level protection over systems. Over-reliance on any one control is a weakness; having a useful reference model on security (many of which are now in the public domain) is becoming increasingly important.
Another EU change happened in May, this time a directive on the defence of essential services. Applicable from 10th May, most large organisations in a range of industries, from energy, utilities and health to digital infrastructure, are now required to implement positive measures to protect against cyberattacks. This includes measures to identify and report those attacks. Most organisations affected will have been contacted by the industry watchdog or government department tasked with coordinating its introduction. The EU Directive (2016/1148) is known as the NIS Directive and concerns measures for a high common level of security of network and information systems across the European Union.
Back to GDPR: it’s not an offence to have data compromised; if you’ve been hacked, then the offence was the attacker’s. This new regulation also allows for mistakes happening; however, a breach must be reported within 72 hours of becoming aware of it. Knowing early is good; knowing you had appropriate technical and operational measures in place is going to enable a solid night’s sleep without worry. Good surveillance and detection measures are going to increase in importance as they become more widespread in adoption through the NIS Directive. By the way, the National Cyber Security Centre (part of Government Communications Headquarters) reported that 81% of large enterprises have reported a breach from cyber-attacks. It is a very big reality out there.
If you’re still standing after 25th May, what’s next? Here are a few of my suggestions:
- Remember GDPR has shifted security design up to the business process level. On new business processes, consider the privacy-by-design that you weren’t required to retrofit. It can easily be forgotten.
- Look at your operations now and consider how well aligned you are to recent security frameworks in the public domain. Make sure your policies, practices and assurances match the framework.
- Consider the need for proactive monitoring to alert you to compromises. Breaches are much more common than people realise.
Follow Simon for more GDPR content. If you'd like help with any of the above, Virtual Clarity has significant experience with supporting large organisations through transformation programmes and their adoption of cloud in a secure fashion.