Thirteen Essential Steps to Meeting the Security Challenges of the New EU General Data Protection Regulation

Once in force, the European Union General Data Protection Regulation (GDPR) will require every multinational company that offers products or services to European Union residents to adhere to a strict set of data privacy and security measures. These requirements will apply equally to those companies’ business partners and call for the use of emerging technologies and for systems design concepts that will likely be new to U.S. information security professionals. However, those professionals can leverage much of their existing capabilities, along with the addition of a few key components, to meet these new requirements and enable compliance with the Regulation in all 28 EU member states.

Organization of this Document

IT leaders in many multinational companies have recognized the need to begin the process of making changes to their information infrastructure in order to meet the many requirements of the Regulation. This document was envisioned to assist information security professionals in prioritizing changes and additions to their information security programs. Those familiar with current EU protection regimes can skip directly to the Thirteen Essential Steps section; those not familiar will likely want to read the entire document through in order to see the context in which the Regulation was promulgated. The Appendices offer an in-depth look at key concepts of the Regulation and a comparison of the Regulation with the existing regime, the Data Protection Directive 95/46/EC.

What is the General Data Protection Regulation?
On May 4, 2016, the official text of the General Data Protection Regulation (the “Regulation”) was published in the Official Journal of the European Union, capping a four-year process to replace the European Union’s principal data privacy and security regime, the Data Protection Directive 95/46/EC (the “Directive”).1 The Directive, enacted by the European Parliament and the Council of the European Union in 1995 and primarily applicable to organizations located in the EU, set a high bar for the protection of personal data but proved inadequate to resolve challenges posed by changing technology. A fundamental limitation of the Directive was that it did not require individual EU member states to pass one standard text into law. Instead, it listed a set of data privacy principles and directed those states to pass legislation based on them, leading to a unique version in every state. As a result, implementation varied by state and enforcement often lacked real teeth. The Regulation, by contrast, is binding on all EU member states as enacted and, at 88 pages, was designed to address the disruption to data privacy wrought by the rapid evolution of information technology and business models over the past 20 years. From May 25, 2018, the Regulation will be enforceable by the data protection authorities (called “supervisory authorities” by the Regulation) of the member states. While multinational companies can likely meet some of the law’s requirements right now, most will find that they need all of those two years in order to be completely ready for enforcement.

Why is the Regulation Important to Information Security Professionals?

a. The penalties for violations are much more severe.

The penalties for the violation of existing privacy regulations in the EU vary among member states, with the potential for fines in the €150-900k range.
In a number of matters involving privacy violations, supervisory authorities had little recourse against large, well-funded multinationals who could view such fines as merely a cost of doing business. Under Article 83(5) of the Regulation, however, those authorities can impose fines of up to €20M or 4% of the offending company’s total worldwide annual turnover for the preceding financial year, whichever is higher. In anticipation of such regulatory power, legislative bodies in France are discussing increasing the maximum fines that can be levied by France’s supervisory authority, the CNIL, to match those under the Regulation now, rather than wait for May of 2018.

b. The definition of “personal data” has expanded.

In the U.S., definitions of personally identifiable information (PII) vary among jurisdictions and, at the federal level, among agencies. The National Institute of Standards and Technology (NIST), for example, is relatively prescriptive in its definition of PII:

Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.2

The Regulation (Article 4(1)) defines personal data in a similar but expanded way by including a person’s “identity” in other contexts:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person[.] [emphasis added]3

These additions to the definition of personal data are important to information security professionals because they implicate data that may not seem, at first glance, to qualify as personal. IP addresses, application user IDs, Global Positioning System (GPS) data, cookies, media access control (MAC) addresses, unique mobile device identifiers (UDID), and International Mobile Equipment Identity (IMEI) numbers are some examples. As a consequence, companies and the third parties that “process” this data will have to do so on one of the legal bases listed in the Regulation. For example, using software that traverses a network to inventory installed software for licensing purposes is processing of personal data (the application user IDs it collects) and therefore implicates the Regulation.

Copyright © 2017. Tenable, Inc. All rights reserved. Nessus and SecurityCenter Continuous View are registered trademarks of Tenable, Inc. Tenable and SecurityCenter CV are trademarks of Tenable, Inc. All other products or services referenced are trademarks of their respective owners.

c. The depth of the phrase “technical and organisational [security] measures.”

The Regulation requires data “controllers” (the entities that determine the purposes and means of processing, and so have the last word on how the data is used) to “implement appropriate technical and organisational measures”4 to protect personal data. In fact, the Regulation uses this phrase 21 times. In doing so, the Regulation cites as examples the rather amorphous “ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems” and the more specific “encryption”
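The identifier classes listed under b. above (IP addresses, MAC addresses, device IMEIs, GPS coordinates and application user IDs) are the ones most likely to sit unnoticed in operational logs, which is exactly where a software-inventory or monitoring tool would be collecting them. The following Python script is an added example, not part of the Tenable paper, that scans log records for those identifier classes and reports which lines are in scope for the Regulation so they can be tagged before they are retained, copied or shared. The log lines, the field conventions it parses (user=, for <id>, imei=, lat=/lon=) and the regular expressions are constructed for illustration; the IMEI check applies the Luhn check digit that real IMEIs carry, to reduce false positives on other 15-digit numbers. Private (RFC 1918) addresses are deliberately not exempted, because an internal address tied to an employee workstation identifies that employee just as well as a public one.

```python
"""Flag identifiers the Regulation treats as personal data in log records.

Added example (not from the Tenable paper). Patterns, field conventions
and the sample log lines below are constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample log lines for the demonstration; none of it is real data.
SAMPLE_LOGS = [
    "2017-03-01T10:01:02Z sshd[1212]: Accepted publickey for jdoe from 203.0.113.45 port 51234",
    "2017-03-01T10:01:05Z dhcpd: DHCPACK on 10.0.0.23 to 00:1a:2b:3c:4d:5e (laptop-07)",
    "2017-03-01T10:02:11Z mdm: enrolled device imei=490154203237518 user=asmith",
    "2017-03-01T10:03:40Z geo: fix lat=48.8566 lon=2.3522 accuracy=5m",
    "2017-03-01T10:04:00Z cron: nightly backup completed in 312s",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
IMEI_RE = re.compile(r"\b\d{15}\b")
# Assumed log convention for location fixes: 'lat=<deg> lon=<deg>'.
GPS_RE = re.compile(r"lat=(-?\d{1,2}\.\d+)\s+lon=(-?\d{1,3}\.\d+)")
# Assumed log convention for user IDs: 'user=<id>' or 'for <id>'.
USER_RE = re.compile(r"\b(?:user=|for )([A-Za-z][\w.-]*)\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation (IMEIs carry one); rejects random 15-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _valid_ip(candidate: str) -> bool:
    """Drop dotted quads with out-of-range octets (e.g. 999.1.1.1)."""
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def find_identifiers(line: str) -> Dict[str, List[str]]:
    """Return the personal-data identifier classes found in one log line.

    Keys are only present for classes that actually matched, so an empty
    dict means the line carries none of the identifiers we look for.
    """
    found: Dict[str, List[str]] = {}
    ips = [m for m in IPV4_RE.findall(line) if _valid_ip(m)]
    if ips:
        found["ip"] = ips
    macs = MAC_RE.findall(line)
    if macs:
        found["mac"] = macs
    imeis = [m for m in IMEI_RE.findall(line) if luhn_ok(m)]
    if imeis:
        found["imei"] = imeis
    gps = [f"{lat},{lon}" for lat, lon in GPS_RE.findall(line)
           if abs(float(lat)) <= 90 and abs(float(lon)) <= 180]
    if gps:
        found["gps"] = gps
    users = USER_RE.findall(line)
    if users:
        found["user_id"] = users
    return found


def in_scope_count(lines: List[str]) -> int:
    """Number of lines carrying at least one identifier the Regulation treats as personal data."""
    return sum(1 for line in lines if find_identifiers(line))


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        hits = find_identifiers(line)
        tag = "IN SCOPE" if hits else "no pii  "
        print(f"{tag} {hits} | {line[:60]}")
    print(f"{in_scope_count(SAMPLE_LOGS)} of {len(SAMPLE_LOGS)} sample lines carry personal data")
```

Run against the constructed sample, four of the five lines are flagged; only the cron line is out of scope. In a real deployment the interesting part is the per-class breakdown rather than the count: it tells you which identifier types each log source is emitting, and therefore which sources need a legal basis, a retention limit or pseudonymisation before they leave the EU.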