The European Union’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. Hailed as the most significant change in data privacy regulations in two decades, GDPR was the result of years of intense activity and discussions among legislators, consumer groups, the legal community, and data privacy specialists. Its primary motivation was to halt gratuitous collection, storage, and usage of private data by both empowering data subjects and imposing painful sanctions on non-compliant data owners.
GDPR is enforced in each country by the duly mandated national data protection agency. The sanctions and fines for non-compliance are well-defined and substantial. In the biggest enforcement action so far the French data regulator fined Google ~€50 million in January 2019 for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization”.
In this article, we provide background on GDPR itself and practical guidelines on how your company can safeguard the private data that it holds so that you’ll always be GDPR-compliant.
A GDPR Primer
First, it is important to understand that the GDPR applies to any entity that collects and stores personal data on EU residents, no matter where that entity is located. In the example we gave above, the French data protection authority is fining Google for actions taken in Europe even though Google is an American corporation.
Second, the GDPR fines and sanctions are potentially disruptive. Category A fines for improper preparedness or administrative failures are up to €10 million or 2% of worldwide annual turnover, whichever is greater. Category B fines for actual breaches or major compliance failures are up to €20 million or 4% of worldwide annual turnover, whichever is greater. The data protection authorities can also temporarily ban data processing if a company is suspected of non-compliance and issue a permanent ban if corrective measures aren’t taken.
Third, the data owner’s responsibility for GDPR compliance extends across its entire supply chain, including business partners that collect, store, and/or process personal data on their behalf. Although the GDPR requires data processors to quickly inform the data owner of a breach, it is the data owner who must notify the supervisory authorities and, in some cases, the data subjects themselves. The data owner must also be able to demonstrate to the authorities that measures have been taken to remediate the breach and to prevent future breaches.
The key rights granted to data subjects by GDPR are:
- Clear consent: Data subjects must clearly and affirmatively agree that a company will collect personal data on them. Lack of compliance with this right is the main basis for the fine against Google.
- Access: Upon request companies must inform a subject if it holds their personal data and, if so, where and for what purposes. It must also provide an electronic and understandable copy of the private data, at no charge. Complaints have already been lodged with the Austrian data regulator that Amazon, Apple, Spotify, and YouTube do not properly comply with this right to access.
- Erasure: Data subjects can request that a company delete their personal data when it is no longer relevant to the original purpose for which it was collected. In March 2019, a Danish taxi company was fined ~€160,000 for failing to delete contact information that it had collected but was no longer using.
- Breach Notification: Data subjects for whom exposure of their personal data may risk their rights and freedoms must be notified within 72 hours of the data owner becoming aware of the breach.
GDPR takes a risk-based approach to implementation, specifying different levels of controls depending on the sensitivity of the personal data. Thus, for example, organizations that regularly process personal data at scale, or of a particularly sensitive nature, must hire a Data Protection Officer to independently oversee and audit the organization’s data privacy processes and practices.
Similarly, GDPR does not mandate specific methods or technologies that companies must use in order to be compliant. However, it does require that companies demonstrably implement privacy by design, i.e., collect only the data it needs to meet its declared purposes (data minimization), and diligently put in place state-of-the-art technical/organizational measures to ensure the privacy of the personal data that it collects.
A Practical Guide to Meeting GDPR Requirements
GDPR compliance cannot be achieved without cross-organizational collaboration and cooperation. If sensitive personal data on past and present employees, customers, partners, and others is going to be properly safeguarded, then IT, security, and network teams must work together under clear corporate guidelines. In this section, we explore three GDPR-critical areas that must be addressed by next-generation processes and technologies: data governance, data loss protection (DLP), and logging and monitoring.
Companies collect private data at scale in order to accelerate business outcomes through data-driven business intelligence, targeted marketing, new product development, and so on. Data governance is the set of policies, processes, and technologies that ensure that the right people have access to the right data at the right time.
An effective GDPR strategy begins with data governance. In order to be GDPR-compliant yet still be able to leverage private data for its intended purposes, an organization must know what data it has and categorize that data according to criteria such as its sensitivity and how long it has to be retained. It also has to be clear who in the organization does or, even more importantly, does not require access to the different data sets. Armed with these insights, the organization can then apply GDPR-appropriate data storage and accessibility measures.
There are several keys to data governance success. Some are organizational, such as establishing a data governance stewardship team that enjoys a clear corporate mandate. Others are technological, such as a Master Data Management (MDM) platform that creates and maintains a trusted “single source of truth” for the organization’s data assets. According to a recent Gartner Magic Quadrant report, some of the leading MDM software vendors include Informatica, Riversand, Tibco Orchestra Networks, and Stibo Systems.
Data Loss Protection (DLP)
Enterprises have long acknowledged that their data is one of their major assets. It is no wonder, therefore, that they invest heavily in protecting data—personal or otherwise—from loss, corruption or exfiltration due to human error, natural disaster, or malicious activity. DLP frameworks have emerged that automatically discover, classify, and track data across today’s complex hybrid and multicloud infrastructures. DLP platforms also manage role-based access to data, alert to anomalous user behavior or malware threats, and trigger realtime prevention and remediation workflows.
With GDPR, DLP solutions have taken on even greater importance. For example, encryption, which is one of the standard DLP features, is one of the few technologies explicitly specified by the GDPR. Personal data must be encrypted both at-rest and in-motion. In addition, DLP reporting tools have an important role to play when notifying supervisory authorities of data breaches.
According to Gartner Peer Insights, the top-rated enterprise-grade DLP vendors are Symantec, McAfee, Forcepoint, Digital Guardian, and GTB Technologies. It is also possible to put together a DLP stack comprised of multiple vendors and service providers, including the many security and compliance tools offered by the cloud service providers.
Logging and Monitoring
In order to secure IT assets in general, and data assets in particular, all activities must be monitored and logged across the enterprise infrastructure, from the center right out to the edge. However, the diverse streams of log data from virtual and physical storage appliances, networks, data stores and endpoints must be aggregated and analyzed in order to identify breaches quickly and remediate in real time.
One of the most popular centralized logging frameworks for enterprises today is the ELK Stack, a collection of three open-source products:
- Elasticsearch: A NoSQL database that indexes and stores log information.
- Logstash: A pipeline tool that parses and performs transformations on inputs from various log sources.
- Kibana: A visualization layer for Elasticsearch, making it easier to gain actionable insights.
The ELK Stack is well-positioned to help companies meet GDPR requirements. For example, it provides role-based access control down to the field level to ensure that only authorized users can access personal data in the Elasticsearch cluster. In addition, the Logstash fingerprint filter meets the GDPR pseudonymization requirements by replacing personal data with hashed values. The ELK Stack also supports TLS/SSL encryption to secure data in motion across the Elasticsearch cluster.
For an even more robust logging and monitoring solution, Logz.io adds scalability, availability and security to the ELK Stack. Applying crowdsourcing and advanced machine learning technologies, Logz.io’s built-in alerting engine quickly identifies critical errors and threats, and automatically resolves them before they can impact the security of your business in general and sensitive personal data in particular.
There was a lot of anxious buzz during the few months prior to the GDPR regulations coming into effect. Organizations were worried that the new rights granted to data subjects would hinder their data-driven business activities. They were also concerned that they did not yet have all of the processes and technologies in place to uphold those rights.
In reality, there has indeed been a steady flow of complaints to supervisory authorities regarding suspected GDPR infractions. In the meantime, the regulators seem to be giving organizations the benefit of the doubt if they can demonstrate that they are proactively dealing with actual breaches or weak spots in their data privacy processes. That having been said, the authorities have also shown that they fully intend to use the “teeth” that the GDPR gives them in order to ensure that companies take data privacy very seriously.
In our opinion, everyone wins when GDPR regulations are upheld. Enterprises put into place data protection best practices that earn them the trust of their end-users. We, the data subjects, are then more willing to share the personal information that gives us a more targeted and efficient end-user experience.