Over the last year, multiple new privacy regulations have gone into effect, the most famous of which is the European Union’s General Data Protection Regulation (GDPR). This regulation is designed to protect the privacy of EU citizens by laying out strict requirements for how personal data must be processed and protected, together with the penalties for non-compliance.
Achieving compliance with GDPR requires a comprehensive data security strategy. Understanding the requirements of GDPR, the types of data that it protects, and how this data could be leaked is essential to avoiding the fines and other penalties associated with GDPR non-compliance.
What Are My Responsibilities Under GDPR?
The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The purpose of the regulation is to ensure that the data of EU citizens is appropriately protected by the companies and organizations that collect, store, process, and transmit it. The GDPR is famous for the penalties that it levies on organizations in the event of a breach: 20 million Euros or 4% of global turnover, whichever is greater. Even if the organization only had administrative issues (such as failure to maintain proper records), it can be fined up to 2% of global turnover for non-compliance.
The GDPR applies to any organization that processes the data of EU citizens, whether or not it is physically located within the EU. If an organization already has privacy protections that meet or exceed the requirements of the GDPR, it can process the data of EU citizens. Otherwise, the organization needs to implement equivalent data privacy and security protections internally before it is permitted to handle EU data.
The overall goal of GDPR is to protect the privacy of EU citizens. To accomplish this, it has several specific provisions that organizations must comply with (or risk penalties):
1. Notification: Data subjects are supposed to be notified about any potential use of their personal data.
2. Access: Data subjects have the ability to request a complete copy of any of their data stored by an organization.
3. Consent: Data subjects must explicitly opt into data collection, sale, etc. (rather than the default “opt out” used in the US).
4. Clarity: User agreements should be concise and easily understood by any user (not the standard legalese).
5. Deletion: Users have the “right to be forgotten”, i.e. the right to have all of their collected data deleted from an organization’s systems.
6. Reporting: All data breaches must be reported to the authorities within 72 hours of discovery.
7. Data Protection Officer: Certain organizations must appoint a Data Protection Officer (DPO).
If this wasn’t enough, the GDPR also expanded the definition of “personal data”. It now covers anything that could be used to identify an individual. This includes the standard Personally Identifiable Information (PII) like name, address, and payment card information, but it also includes data like email addresses, demographic information, and anything else that can be used to uniquely identify an individual.
The Need for Web App Security
With the GDPR (and other privacy regulations), the bar has been raised for data security. Most organizations are accustomed to protecting “traditional” PII like payment card information and healthcare information under regulations like PCI-DSS and HIPAA. This data is typically stored only in well-protected databases secured with layers of hardened defenses.
With the new definition of “personal data” under GDPR, properly protecting sensitive data is more difficult. Web applications commonly process data that is now protected under GDPR, such as usernames, email addresses, and passwords. This data is designed to be easily accessible to users, which means that it is also easily accessible to attackers. If a hacker identifies and exploits a vulnerability in a web application, they can steal “personal” data protected under GDPR and leave the organization liable for fines and other penalties.
Organizations have already been penalized for violating the GDPR for a variety of different reasons. Regulators have demonstrated that they are willing to penalize violators but also to be lenient to those making an effort to implement strong data security.
Organizations that demonstrate a commitment to strong security and a willingness to cooperate with regulators are unlikely to be harshly punished. When designing a data security solution, it’s important to consider all methods by which sensitive data could be stolen. This includes web applications and data in transit, so deploying a strong web application firewall and end-to-end encryption (with HTTPS) is an important step for any organization.
Securing Your Sensitive Data
With the new level of protection of personal data required by the GDPR, organizations need to implement better protections for users’ personal data. Under the new regulations, a wider range of data must be protected, including anything that could be used to uniquely identify an individual. Organizations are also required to make it easy for a data subject to deny consent for a use of personal data, to request a copy of their data, and to require an organization to delete any data that it holds about them.
Data Protection Authorities (DPAs) are the departments tasked with processing complaints of GDPR violations, investigating, and levying penalties. It’s already been demonstrated that these DPAs are willing to levy fines for a variety of infractions. The first GDPR fine went to an Austrian betting shop whose security camera accidentally (and illegally) was filming part of the sidewalk outside the front door.
Organizations need to take the extra step of protecting their customers’ personal data. Deploying a web application firewall and encrypting data both at rest and in transit are simple ways in which an organization can greatly reduce its risk of being found non-compliant with the GDPR.