The new European Union (EU) General Data Protection Regulation (GDPR) is something worth thinking about; although you are probably not involved in the politics, its implementation can have far-reaching consequences. Laws provide orientation, but often are far removed from security professionals in the field. Organisations need practical solutions to enforce policies and reach compliance.
In December 2015, after four years of work, the Commission of the EU Parliament approved the final text of the new GDPR. The regulation and the directive are likely to enter into force in the spring of 2016, after the formal approval of the EU Parliament. The new GDPR will apply 24 months after the date in which it will enter in force. In other words, processors and controllers (organisations) will have 24 months to become compliant.
In principle, the GDPR applies to every company in the EU processing personal data—any information relating to an individual, whether it relates to his or her private, professional or public life; a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer’s IP address. The scope of the GDPR even extends beyond the EU, as it also applies to foreign companies processing data about EU residents.
Companies that violate the GDPR can expect significant fines, up to 4 percent of their annual global turnover, which, for some large companies, could mean many millions of dollars.
New Mandatory Requirements
Although a complete set of requirements cannot be overseen yet, and many will be developed as part of the derived national legislation, a number of key requirements are already set as directives in the new GDPR: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf.
- Data protection by design and by default, including the pseudonymisation and encryption of personal data.
- Designation of a Data Protection Officer to ensure compliance within organisations; to be appointed for all public authorities and for enterprises processing data that are employing 250 persons or more.
- Obligation of organisation to demonstrate compliance with data privacy requirements through the adoption and implementation of appropriate policies and procedures.
- Notification of breaches to the supervisory authority within 24 hours of discovery of a breach, including information on the breach itself, the measures taken to fix it and possible consequences.
- Prevent any unauthorised access to personal data—unauthorised disclosure, reading, copying, modification, erasure or removal of personal data.
- Controlling of data on mobile devices.
Requiring New Solutions
To become compliant with the new EU GDPR, companies need visibility on what is happening on the network. In other words, what devices are connected to the network, when they connected, who has access to what data, and proof that mechanisms to secure private data, such as encryption agents, are operational. Controlling this in a manual way is a losing proposition. Companies need automated policies to enforce their security operational processes—and to demonstrate compliance to the security authority. Orchestration between different security appliances is key to quickly identifying a security breach, even while the network may be under a Distributed Denial of Service (DDoS) attack.