GDPR – A New Regulation
By Sean Atkinson, Chief Information Security Officer
In previous blogs, we deemed 2018 the “year of data privacy.” With privacy in mind, let’s examine the upcoming General Data Protection Regulation (GDPR). The requirements under the GDPR have provided a new compliance path for many organizations around the globe. This path comprises multiple steps in order to conform to the regulatory requirement. Let’s take a look at how organizations can take the first few steps towards GDPR compliance.
A great first step to GDPR compliance is to think about the data your organization manages and how it is processed. Whether data management is an internal function or outsourced, if you are making decisions about how you collect data and how it is processed within your organization, you are a Data Controller. The Data Controller is a specific role in GDPR. However, if you process requests for such actions (data processing or management) from a customer or data provider then it is more likely you are in the Data Processor role. No matter which roles apply to your organization, if your company handles EU citizens’ personal data, GDPR compliance is still required.
What data is now considered “personal”?
PII (personally identifiable information) consists of typical data elements plus some other items that you may not have considered in the past as personally identifiable:
- Basic identity information such as name, address, and ID numbers
- Web data ‘online identifiers’ such as location, IP address, cookie data, and RFID
Special Personal Data
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
What is the intent of these privacy controls?
The purpose of GDPR is to institute specific controls in regards to how personal data is treated. The main focus is to create a set of standard operating procedure as it pertains to how personal data is managed within organizations.
Examples of such requirements are:
- Mandatory breach notifications – Requires a fast response or organizations could face large fines
- The ‘Right to be forgotten’ – Necessitating the ‘ability to be found’
- Consumer profiling restrictions – Personal data should not be used without consent, a specific approach to opt-in and the ability to opt-out of consent for organizations to utilize Personal Data
- Be accountable for your data – Conduct a privacy impact assessment to determine what type of personal data is handled, processed and stored, and for what purpose
- Access to personal data – Right to access; data should be controlled based on a ‘need to know’
- Right to rectification – Right to update personal data and correct inaccuracies
- Privacy by Design – New functions and elements of future processing capability or personal data management must utilize this as a non-functional requirement in the conceptualization of the business process
What should organizations do?
Several steps are required and each organization should review the GDPR to ensure specific requirements are met. Here are some key steps that can help you achieve GDPR compliance:
- Conduct a Privacy Impact Assessment – This assessment will show you what data the organization owns which is personal data or special personal data
- Examine data flows – Know where your data is, who has access to it, and for how long you keep it
- Conduct a Risk Assessment – Based on the privacy impact assessment and the data flow review, you’ll emerge with a clearer picture of what risks the organization is accepting
- Implement privacy by design – With GDPR, privacy must now be a consideration in change management, implementation of new systems, or business processes that handle PII
- Implement security controls and measures – employee training and security controls can help protect data
- Working with third parties – If you engage data processors or controllers as part of your business, make sure to require GDPR compliance. If a failure in the third party processes reveals PII to those who do not have a need to know, your organization will also be held liable.
- Hire a Data Protection Officer (DPO) – Hire or assign the responsibility of a DPO; this role can encompass the responsibility of GDPR requirements
How can CIS help?
CIS has numerous resources which can help your organization work towards GDPR compliance.
CIS SecureSuite® Membership: Includes access to CIS-CAT Pro Assessor configuration assessment tool, CIS-CAT Pro Dashboard web application with enhanced reporting features, remediation kits for rapid implementation of secure CIS Benchmark configurations, and more.
CIS Hardened Images: Bringing the security of the CIS Benchmarks to cloud computing environments on AWS Marketplace, Microsoft Azure, and Google Cloud Platform
CIS Controls™: Prioritized best practices and policy guidance to help organizations defend against the vast majority of cyber threats.
Download our white paper: Are You GDPR Ready? (PDF)