Let's take privacy seriously this time!
The chances of being fined are reduced if the organization is able to demonstrate that a “Secure Breach” has taken place.
To address the GDPR compliance requirements, organizations may need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:
- Servers, including via file, application, database, and full disk virtual machine encryption.
- Storage, including through network-attached storage and storage area network encryption.
- Media, through disk encryption.
- Networks, for example through high-speed network encryption.
In addition, strong key management is required to not only protect the encrypted data, but to ensure the deletion of files and comply with a user’s right to be forgotten.
Organizations will also need a way to verify the legitimacy of user identities and transactions, and to prove compliance. It is critical that the security controls in place be demonstrable and auditable.
Pseudonymization will not save online advertising companies from having to seek consent to use browsing and other personal data. This note explains why.
Personally identifiable data (PII) will become toxic in May 2018 when the General Data Protection Regulation is applied, unless data subjects have given consent.
Some businesses may try to rely on “pseudonymization”, a partial method of anonymization, to continue to use PII without consent. This would be a mistake, as the GDPR (and a previous opinion from the Article 29 Working Party).
Pseudonymization separates PII so that identifiers that could link the data to a specific person are no longer linked to the other data, so that unless these data are relinked the person is not identifiable. The Regulation mentions pseudonymization in several recitals and articles as a useful tool to reduce risks to data subjects.
However, the GDPR also makes clear that pseudonymized PII data remain PII nonetheless, provided the controller or another party has the means to reverse the process. The Article 29 Working Party cautioned in 2014 that pseudonymization is a partial and reversible measure that “merely reduces the linkability of a dataset with the original identity of a data subject”.
Consider the following example in the domain of online advertising: a DMP (data management platform) that receives pseudonymized personal data from an ad exchange could partner with a website that retains users’ login details to find data subjects’ real e-mail addresses. The DMP could then not only reverse the pseudonymization, but could combine these PII with other data about the same person that it has collected from other websites, from data brokers, and other sources.
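As an added illustration (not code from the original note), using constructed browsing records and a key generated for the run: pseudonymization replaces the e-mail address with a keyed-hash token, yet whoever holds the key or the token table can re-link every record, and records of the same person still share a token, so a behavioural profile can be built without ever knowing the name. That is the partial, reversible measure the Working Party described.

```python
import hashlib
import hmac
import secrets

# Constructed sample browsing records; the e-mail address is the direct identifier.
RECORDS = [
    {"email": "alice@example.org", "page": "/shoes", "ts": 1000},
    {"email": "bob@example.org", "page": "/cars", "ts": 1001},
    {"email": "alice@example.org", "page": "/cars", "ts": 1002},
]

# Key held by the controller (generated fresh here); whoever has it, or the
# token table, can reverse the tokens.
KEY = secrets.token_bytes(32)


def pseudonymize(records, key):
    """Replace the identifier with a keyed-hash token (HMAC-SHA256, truncated).

    Returns the pseudonymized records plus the token -> identifier lookup table
    that the controller keeps. The table (or the key plus a list of known
    addresses) is what makes the measure reversible, so the output is still
    personal data under the GDPR.
    """
    lookup = {}
    out = []
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = rec["email"]
        out.append({"subject": token, "page": rec["page"], "ts": rec["ts"]})
    return out, lookup


def relink(pseudonymized, lookup):
    """Re-identify records: what any party holding the lookup table can do."""
    return [
        {"email": lookup[r["subject"]], "page": r["page"], "ts": r["ts"]}
        for r in pseudonymized
        if r["subject"] in lookup
    ]


def profile(pseudonymized):
    """Records of one person still share a token, so a profile can be built
    without a name: pseudonymization reduces linkability to the identity,
    not linkability between records."""
    pages = {}
    for r in pseudonymized:
        pages.setdefault(r["subject"], []).append(r["page"])
    return pages
```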
Under the GDPR companies have the flexibility to use PII for “general analysis” if they pseudonymize the data. However, to do this a company must first have had consent to process the original data.
In other words, whether or not PII are pseudonymized, the company that controls the data must have consent.
As we have noted previously, consent – and nothing short of it – is the necessary legal basis for processing personally identifiable data for behavioral advertising.
The way forward
Brands, publishers, agencies, and adtech companies are faced with two challenges. The first is to obtain consent, or find ways to target ads and operate programmatic without PII. The second is to fix data leakage.
The GDPR introduces a requirement to notify your customers and users and authorities about personal data breaches. But you’d be mistaken to think that breaches to privacy-related data will be interpreted in a narrow sense.
The regulation requires you to disclose not only how personal data was affected, but also information that will help the authorities assess what made the breach possible. They will also want to know the corrective actions you’ve taken and plan to take, how you (or someone else!) detected the breach, how long it took to detect, and how you assess its damage. They’ll want you to speculate on how you and your customers will be affected by the residual risks. This information will enable people outside your company to form a more complete picture of your ability to protect any aspect of your business.
If there’s dirty laundry in your information security posture, it will soon be apparent. Was the personal data you handle acquired lawfully? (Pro tip: get familiar with how to acquire a valid user consent). Were your cybersecurity protections adequate given the threat? There will also be questions about your network and information security, hiring procedures, physical security and your ability and willingness to honor your commitments beyond user privacy, such as SLAs and corporate secrets.
Being compliant prevents breaches
Regulators know that no law will miraculously put an end to criminal activity. Neither will the GDPR incentivize all companies to turn into cybersecurity leaders. Rather, the GDPR aims to raise the minimum level of security and privacy protections across the board. And while minimum protections will help address accidental leaks and prevent each mishap from escalating into full-blown chaos, they will do little to stymie criminals.
Make no mistake, your adversaries will continue to attempt to breach your business. They’ll know you have made some minimal enhancements in predictable places in a less-than-enthusiastic manner. So if you have to comply with security-enhancing regulation, why not comply with style?
This is your moment to make good cybersecurity posture a differentiator in your business. Take pride in making your organization stand out from the crowd. When customers compare service providers and want proof of a company’s ability to deliver GDPR compatibility, you’ll rise above the rest. Exceeding the minimum expectations can also be seen as a business continuity asset that not only lowers the cost of cyber insurance, but saves a pretty penny when you need to activate your incident handling plan. When things start falling apart for your competitors and the regulators start asking everyone difficult questions, you’ll have added degrees of freedom to operate.
Europe is spearheading the breach notification regulation
The European media seem to treat GDPR as a novelty and something unheard of in the rest of the world. That is not the case.
While there is no federal law on the subject, 47 states in the US already have breach notification laws. That’s why there are so many public accounts of American security breaches. It is not that American businesses are worse “in cyber” than Europeans – they are just more open and honest about their mishaps.
Cybercrime is like a force of nature: nothing will stop you from getting hacked
In 2012, speaking at the RSA Conference, the then-director of the FBI, Robert S. Mueller, III, suggested that in the future the divide will be between companies that have been hacked and companies that will be hacked again. His comments reflected what the incident response and law enforcement community had already seen in practice: what separates winners and losers in cyber security is the way the organizations prepare for the inevitable breach.
There will be attempts to breach your systems. It’s likely the attackers will succeed someday, in some fashion. Your cybersecurity posture will be measured by how well you learn from mishaps and near-misses and keep stepping up your protections. Failure to do so will manifest itself not only in breaches, but in repeated breaches.
Only through careful analysis of each incident and attempted breach can one determine which security controls actually worked, and which gaps are left for attackers to exploit. Those who fall victim to attack are being offered a valuable lesson – it would be wise to take the hint. The best performers, however, will be the ones who learn from mishaps that happen to others.
You must know when your business is breached
After May 2018, when the GDPR has entered into force, it will still be perfectly okay to continue to build up resiliency towards cyber threats and design your systems around the notion of segregation in an effort to limit the likely damages. What will not be tolerated, however, is having no way of knowing when your protections have failed.
It’s common for breaches to go unnoticed for extended periods of time. But under the GDPR, many executives will find that ignorance is not an excuse. In the spirit of Director Mueller’s statement from 2012, the big divider in post-GDPR Europe will be between those who have been breached and those who have been breached but have no clue about it.
Having a reliable and effective intrusion detection and response system in place will be very important when the GDPR comes into force. We recommend a system that combines human and machine intelligence. Such a system will minimize false positives, so actual incidents that require attention don’t get buried. Many companies will find that a managed service is the way to go, as it offers the fastest, most cost-effective way to get set up, along with dedicated cybersecurity expertise.
MYTH: You will know what to do when your business is breached
Years of experience from incident response and forensics investigations specialists has shown that many organizations are ill-prepared to handle the eventuality of a security breach. Their capability to detect anything other than malware-based attacks is underdeveloped, logs are either missing or in a non-actionable state, and staff is untrained or inexperienced. Get your degree or training now!
Most first-time victims of a breach will improvise a response, make hasty decisions that either destroy or alter evidence, and end up hurting business in the process. What’s worse, if the adversary is any good at their tradecraft, all the pomp and circumstance of incident response efforts will yield no results as the intruder will simply stop, clean up and head out the door.
The GDPR will require companies to let regulators know the mitigation actions they plan to take and how those actions will address the problem. Companies that don’t know what they’re doing will stick out like a sore thumb under scrutiny. The authorities, customers and the media will question the relevance and efficiency of each action taken post-breach. That’s why there’s no better time to think about your response plan than now – waiting until a breach happens is too late. You must get a DPO (Data Protection Officer) in place.
Do you really know which incidents must be disclosed?
The fact that the GDPR is a regulation, not a directive, means it will be directly enforceable by EU officials. Member states are not in a position to interpret the regulation locally, but will have to follow pan-European guidelines. At this stage, no one in Europe is in a position to define what the thresholds for notifications will be.
Given the situation, your best defense will be to start building up a baseline of the types of incidents and near-incidents your organization faces and develop threshold definitions of your own. Later, if faced with authorities who disagree with you on which incidents need to be reported, you’ll already have developed a sense of what constitutes a serious incident and you’ll be better prepared to argue your case.
There are bound to be situations where the authorities have been tipped off about a potential breach and they approach you requesting information. In such cases, they’ll want an explanation of why they were not informed on your own initiative.
GDPR expects organizations to stay in control of their data to ensure that it is accessed and processed by authorized users only when appropriate. The control requirements are covered in Articles 5, 25, and 32.
According to GDPR organizations must:
- Only process data for authorized purposes
- Ensure data accuracy and integrity
- Minimize subjects’ identity exposure
- Implement data security measures
Encryption keeps data in an unreadable state unless a user or process presents the appropriate key. In accordance with GDPR, this simple control method can restrict data processing only for authorized use, and restrict the amount of time that people are identifiable by their data. Encryption also prevents unauthorized data manipulation; limiting data access to authorized users and monitoring key usage greatly reduces the ability for data to change without authorization. Organizations properly using encryption and its access controls can demonstrate their data’s integrity.
GDPR puts security at the service of privacy. Security obligations are covered in Articles 6, 25, 28, and 32. To preserve subjects’ privacy, organizations must implement:
- Data protection by design and by default
- Security as a contractual requirement with their partners and service providers
- Encryption or pseudonymization
- Security measures that respond to their risk assessment
- Safeguards if they are to keep data for additional processing
GDPR specifically calls out encryption as a security requirement. In addition, organizations will need to conduct risk assessments and then adopt measures that mitigate the risks that they find. Since no organization can identify all of the risks to their data, and no perimeter security approach is foolproof, organizations should encrypt their data to ‘secure the breach’. With encryption, it doesn’t matter if there is a breach, data will be protected regardless.
Multi-factor authentication can control access to network resources used to process data. To safeguard data against unauthorized processing, organizations can assign and change authentication settings to restrict additional processing after the first instance is complete. It can also mitigate the risks identified in the organization’s risk assessment, or protect access to data as it is shared with third-party partners.
Multi-factor authentication is the first line of defense in any scenario. Strong authentication controls which users have access to the network and the resources found within. By assigning credentials to individuals, organizations can track access to resources to monitor internal risks. Multi-factor authentication also makes it more difficult for unauthorized users to access sensitive resources. For both known and unknown threats, multi-factor authentication raises the barriers to data access making it easier for an organization to stay in control of their data.
Right to be forgotten!
Even after data is collected, individuals still have a claim to, and a certain amount of control over, that data. ‘Right to Erasure’ is covered in Articles 17 and 28. GDPR requires organizations to completely erase data from all repositories when:
- A data subject revokes their consent (‘Right to be forgotten’)
- A partner organization requests data deletion
- A service or agreement comes to an end
When an individual revokes consent, when a partner organization recalls data it has shared, or when a service’s term ends, organizations will need to completely erase the data concerned. This is a difficult requirement because simply deleting data doesn’t fully remove it from disk. To fully comply, organizations can encrypt data and then delete the key. This data deletion method renders the data completely and permanently unreadable.
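As an added example (not code from the original article or from GDPR Watchdog) of the “encrypt, then delete the key” erasure method described above and of the key-management point made earlier: each subject’s records are encrypted under a per-subject key, and erasure destroys only that key, so ciphertext that lingers on disk or in backups stays unreadable. The cipher is a counter-mode HMAC-SHA256 keystream with an encrypt-then-MAC tag so the example runs on Python’s standard library alone; a deployed system would use a vetted AEAD such as AES-GCM and a managed key store.

```python
import hashlib
import hmac
import os

def _subkey(key, label):
    # Derive separate encryption and MAC keys from the subject's master key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    # Counter-mode PRF stream: HMAC-SHA256(enc_key, nonce || counter) blocks.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

class CryptoShredStore:
    """Each data subject gets its own key; erasure deletes only the key.
    The ciphertext may linger on disk or in backups but can no longer be read."""

    def __init__(self):
        self.keys = {}     # subject -> 32-byte master key (the key-management part)
        self.records = {}  # subject -> list of (nonce, ciphertext, tag)

    def store(self, subject, plaintext):
        key = self.keys.setdefault(subject, os.urandom(32))
        nonce = os.urandom(16)
        ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
        self.records.setdefault(subject, []).append((nonce, ct, tag))

    def read(self, subject):
        key = self.keys.get(subject)
        if key is None:
            raise KeyError(f"no key for {subject}: records are unrecoverable")
        out = []
        for nonce, ct, tag in self.records.get(subject, []):
            expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError("integrity check failed: ciphertext was altered")
            ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
            out.append(bytes(a ^ b for a, b in zip(ct, ks)))
        return out

    def erase(self, subject):
        """Right to erasure: destroy the key, not the (possibly replicated) data."""
        self.keys.pop(subject, None)
        return subject not in self.keys

    def ciphertext_present(self, subject):
        return bool(self.records.get(subject))
```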
If you need help to implement new business processes GDPR Watchdog has a list of trusted companies worldwide who can help you. Write to: firstname.lastname@example.org
Read also GDPR BIGGEST MISTAKE – This is NOT a task for your IT department!
For assistance about certification visit the EUROPEAN CENTER FOR GDPR CERTIFICATION
NOTE: The SWISS EU US PrivacyShield.gov has nothing to do with compliance under the GDPR. It is rather an agreement between the Swiss Data Protection Agency and the US that tries to find a loophole around the actual EU GDPR privacy laws for American businesses who want to sell to Europeans. However, Switzerland is not a member of the European Union! Furthermore, their offering of Self-Certify must not be taken seriously. Only third-party GDPR certification and documentation based on ISO 6005 or similar processes, including Privacy by Design and potential encryption, should be recognized to assure data subjects of the highest possible compliance and protection under the EU General Data Protection Regulation. Let's take privacy seriously this time! There have been too many big breaches of personal data in the USA over the last years, and let's never forget EQUIFAX!!! Giving corporations the right to self-certify is like letting the wolf watch over the lambs… Here is the framework: www.commerce.gov/news/fact-sheets/2016/02/fact-sheet-overview-eu-us-privacy-shield-framework – nowhere does it come close to mentioning the specific rights of EU citizens laid out here under “Know Your Rights!”, and nowhere does this fact sheet mention that specific consent must be given and can be withdrawn just as easily. This is not about handling complaints; this is about handling privacy and simple requests from data subjects about how their data is used. That is not a complaint before the data has been misused! Nor is there anything in this fact sheet about the FINES to US corporations!
GDPR Watchdog will challenge the companies listed under PrivacyShield.gov to deliver accountable information to the data subjects (EU citizens) after May 25th 2018. We will report back on that in our daily newsletters, so sign up!
At least America has tried, but what about all the other countries around the world…? We suggest you only deal with companies which are GDPR Certified.