How does Information Security support the EU GDPR?
Everyone has a digital footprint from many sources of data, and personal data privacy is now a major area of focus in global government compliance and regulation. You will likely see the consequences and results of non-compliance with the European Union’s General Data Protection Regulation (GDPR) as we progress into 2018.
There is a bit of confusion in the market related to the GDPR. Some claim that GDPR is a security framework to operate by, but it is not that at all. GDPR is consumer and data privacy legislation that will require full support from information security best practices. GDPR’s core tenets are privacy, policy, and lastly information security. You have to build all three pillars successfully to meet the strict requirements of the GDPR.
Are you interested in what information security best practices will be needed to support compliance with the EU GDPR? Take a look at the security controls required below to manage the data of EU subjects according to the GDPR.
Using a Solid Information Security Policy for Breach Notification
Perhaps one of the most critical aspects of the EU GDPR is the breach notification requirement in Article 33. As a company that handles EU subject data, you must, without undue delay, notify the competent EU supervisory authority. If you already have a well-developed information security policy and an incident response procedure, you will be well placed to meet this portion of the EU GDPR. You may need to update your information security policy, or, if you don’t have one, you may want to start from a template and customize it as you go.
In preparing your information security policy, you should consider including the following areas from the SANS Institute:
General Information Security Policy
- Acceptable Encryption Policy
- Acceptable Use Policy
- Clean Desk Policy
- Data Breach Response Policy
- Disaster Recovery Plan Policy
- Digital Signature Acceptance Policy
- Email Policy
- Ethics Policy
- Pandemic Response Planning Policy
- Password Construction Guidelines
- Password Protection Policy
- Security Response Plan Policy
- End User Encryption Key Protection Policy
Network Security Policy
Server Security Policy
(Template Sources: SANS Institute Security Resources)
Interested in GDPR Assessment and Consulting? Learn more about CIPHER’s GDPR Services.
If you operate as part of a multinational organization, you might face a dilemma with the GDPR breach notification requirement. For example, if you work within a U.S. multinational organization and experience a significant data breach, you may be forced to notify your U.S. customers prematurely while you are still waiting to notify an EU supervisory authority. This could place your organization at risk of non-compliance with the GDPR, and your organization could face fines of up to 4% of your Adjusted Gross Revenue (AGR).
With a robust information security policy, you can show that you follow best practices for information security and security incident response.
Check out these blog articles on Incident Response Plans:
- Organizing an Incident Response Plan Template
- Does your Incident Response process lead you in every direction?
Leveraging a Security Framework to Support Compliance
If you have already adopted an industry-recognized framework, such as ISO, NIST, ICGS, SANS or PCI DSS, you are one step ahead of the pack. Article 32 of the GDPR encourages organizations to align their GDPR compliance with a major security framework.
A solid security framework provides organization and structure for handling EU data subjects’ data and meeting the compliance requirements of the GDPR. It also shows regulators that your company has implemented proper security controls and done its due diligence in ensuring that its organizational security measures are aligned with best practices.
Measure your security maturity in CIPHER’s simplified security framework based on NIST here.
Or, check out our self-assessment tools to gauge your maturity across core domains: https://www.cipher.com/resources
Data Privacy and Encryption
Since the GDPR is entirely about data privacy, data encryption is paramount. An organization must ensure that its EU subject data, both Personally Identifiable Information (PII) and highly sensitive personal information, is protected from hackers and third parties attempting to harvest that information.
Encryption protects your organization against physically stolen devices and against a hacker who reaches your device through malware or a virus. Most of your EU subject data will be at rest or archived within a database. However, your organization may itself be a data processor or use data processors, and it must do everything it can to safeguard EU subject data with encryption. Consider these three types of encryption in the context of the GDPR, as well as the common areas you should encrypt within your environment:
Encrypted Data Types:
- Data at Rest: you encrypt data archived in the database; field encryption is preferable, table and database are also options
- Data in Transit: encrypt the data itself and also use an encrypted transport protocol such as SSL or a VPN
- Data in Use: sensitive data should be obfuscated, such as showing dots for a credit card number (except possibly the last four digits)
Areas of Encryption:
- Data Encryption: you must ensure that files, media, and data are encrypted using disk encryption
- Server and Storage Encryption: you must use full disk encryption to protect your servers, storage, and applications running on the IT equipment
- Network Encryption: you need network encryption for any data in transit over your network (web-based transactions, internal network traffic,
In the event of a security incident or data breach, encryption can ensure that EU subject data is unusable. Encryption makes it much more difficult for common hackers to make any connection between the data and its subject.
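The following Go program is an added example of the two controls described above, field-level encryption for data at rest and masking for data in use; it is not code from the article or from CIPHER. It assumes AES-256-GCM as the cipher and binds the column name to each ciphertext as associated data, so a value copied into another column, or altered in storage, fails authentication instead of decrypting to garbage. The key is generated in memory only for the demonstration, and the account number is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// NewDataKey returns a random 256-bit AES key. In production the key lives in
// a KMS or HSM and is never stored beside the data it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one column value with AES-256-GCM (data at rest). The
// field name is bound as associated data, so a ciphertext copied into another
// column, or tampered with, fails to decrypt instead of yielding garbage.
// Output is base64(nonce || ciphertext || tag).
func EncryptField(key []byte, fieldName, plaintext string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(fieldName))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField for the same key and field name.
func DecryptField(key []byte, fieldName, encoded string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(sealed) < aead.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(fieldName))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MaskCard is the "data in use" control from the text: everything but the
// last four digits is replaced before the value reaches a screen or a log.
func MaskCard(pan string) string {
	digits := strings.ReplaceAll(pan, " ", "")
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample value; not a real account number.
	stored, err := EncryptField(key, "card", "4111 1111 1111 1111")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in the database:", stored)
	card, _ := DecryptField(key, "card", stored)
	fmt.Println("shown to a support agent:", MaskCard(card))
	// The same ciphertext presented as the email column fails authentication.
	if _, err := DecryptField(key, "email", stored); err != nil {
		fmt.Println("column swap rejected:", err)
	}
}
```

Encrypting each field separately, rather than the whole table or disk, means a database export, a backup tape or a stolen laptop still yields nothing readable, and the masked form is the only one that should ever appear in application logs or support screens.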
Generating Security Logs on Incidents
Article 30 of the GDPR calls for a record of any data processing activities on EU data subjects. A Security Information and Event Management (SIEM) tool is a security best practice for complying with the EU GDPR. A SIEM generates a substantial amount of data on malicious security incidents and network activity, and it lets you monitor user and system activity closely. A security analyst can use SIEM logs to identify patterns, detect malicious activity, and raise an actionable alert for your organization if someone attempts to access sensitive EU subject data.
You may also want to consider advanced security analytics tools that reduce the time the security analyst spends analyzing logs. These tools can let the analyst know exactly what data has been accessed and which data events are a priority for your team.
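As an added example of the kind of rule an analyst would run over SIEM-collected access logs, the Go program below is not code from the article or from CIPHER, and the log format, user names and record ids are all constructed for the demonstration. It parses an application audit log, then flags any user who reads more than a threshold of distinct subject records inside a sliding time window, returning exactly which records were touched so the finding answers the "what data has been accessed" question rather than only raising a count.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AccessEvent is one parsed line of the application audit log a SIEM ingests.
type AccessEvent struct {
	Time     time.Time
	User     string
	Action   string
	Resource string // "subjects/1042" is one EU data subject's record
}

// SampleLog is a constructed audit excerpt; user names and ids are invented.
const SampleLog = `2018-05-25T09:00:01Z user=alice action=read resource=subjects/1042
2018-05-25T09:41:10Z user=alice action=read resource=subjects/1077
2018-05-25T10:15:00Z user=bob action=read resource=subjects/2001
2018-05-25T10:15:05Z user=bob action=read resource=subjects/2002
2018-05-25T10:15:09Z user=bob action=read resource=subjects/2003
2018-05-25T10:15:14Z user=bob action=read resource=subjects/2003
2018-05-25T10:15:20Z user=bob action=read resource=subjects/2004
2018-05-25T11:02:00Z user=carol action=read resource=subjects/3100`

// ParseAccessLine parses "<RFC3339 time> key=value ..." into an AccessEvent.
func ParseAccessLine(line string) (AccessEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return AccessEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return AccessEvent{}, err
	}
	vals := map[string]string{}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return AccessEvent{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		vals[parts[0]] = parts[1]
	}
	return AccessEvent{Time: ts, User: vals["user"], Action: vals["action"], Resource: vals["resource"]}, nil
}

// ParseLog parses every line and stops at the first malformed one.
func ParseLog(text string) ([]AccessEvent, error) {
	var events []AccessEvent
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		ev, err := ParseAccessLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// DetectBulkSubjectAccess returns, for each user who read more than maxDistinct
// distinct subject records inside one sliding window, the sorted list of those
// records. Bulk reads look like scraping or exfiltration, not case-by-case work,
// and the list answers the "exactly what data was accessed" question.
func DetectBulkSubjectAccess(events []AccessEvent, window time.Duration, maxDistinct int) map[string][]string {
	byUser := map[string][]AccessEvent{}
	for _, ev := range events {
		if ev.Action == "read" && strings.HasPrefix(ev.Resource, "subjects/") {
			byUser[ev.User] = append(byUser[ev.User], ev)
		}
	}
	flagged := map[string][]string{}
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for start := range evs {
			seen := map[string]bool{}
			for _, ev := range evs[start:] {
				if ev.Time.Sub(evs[start].Time) > window {
					break
				}
				seen[ev.Resource] = true
			}
			if len(seen) > maxDistinct {
				for r := range seen {
					flagged[user] = append(flagged[user], r)
				}
				sort.Strings(flagged[user])
				break // one finding per user per run is enough for the analyst queue
			}
		}
	}
	return flagged
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	// With a 5-minute window and a threshold of 3 distinct records, only bob is flagged.
	fmt.Println(DetectBulkSubjectAccess(events, 5*time.Minute, 3))
}
```

The window and threshold are the tuning knobs: a support desk that legitimately opens dozens of records an hour needs a higher threshold than a finance team that should touch one subject at a time, and the distinct-record count (rather than a raw event count) keeps repeated reads of a single case from triggering the rule.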