How Will the Arrival of GDPR on May 25th Affect Your Compliance?

GDPR–and no, it doesn’t stand for Gosh Darn Pain in the Rear (even though some might say it should). It’s General Data Protection Regulation, and it is a very important piece of legislature designed to protect the rights of our friends from the EU. 

The enforcement of this regulation will occur on May 25, 2018, and although it’s causing levels of confusion and anxiety in the United States, we’re actually pretty stoked for the evolution in public thinking, as it pertains to security, that GDPR indicates. See, GDPR is updating and replacing the EU’s existing cybersecurity regulation called the Data Protection Directive. The DPD is one of hundreds of regulatory relics still in operation that follow the ever-so-ineffective check-box compliance attitude. GDPR will do more to protect the personal data of individuals by beefing up technical and organizational measures of privacy to ensure confidentiality; its a major overhaul that finally recognizes the severity of a data breach in today’s world. 

So, in essence, we at Rivial appreciate the EU’s decision to take on a more holistic approach to cybersecurity and replace their former compliance framework that–and you almost won’t believe me when I say this–was designed and implemented pre-internet.

“Well cool, I’m happy for those folks across the pond, but how does GDPR affect my bank or credit union over here in the U.S.?”  

The law itself is pretty ambiguous in many areas, and since these regulations aren’t official until May, there is not yet any precedent for compliance. 

But there are some things we can interpret, and we’re fairly certain the law excludes the majority of community and regional financial institutions in the U.S.

In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.

We interpret this to mean that an institution not in the EU, that is not intending to service citizens of the EU, doesn’t necessarily have to comply with GDPR if an EU citizen fills out a form containing personal data on the institution’s website. If your web site clearly states something along the lines of Illinois Credit Union or King County Farmers and Merchants Bank, we would think you are not bound to comply with GDPR. 

For those who do have interests in Europe and must comply with GDPR, we dug through that giant, page-turner of a text to comprise a list of key items to consider when updating your information security program:

Personal Data

One of the goals of the new regulation was to redefine what constitutes personal data, and it’s more than the PII we’re used to. In the context of GDPR, it means any information relating to an identified or identifiable natural person (‘data subject’); According to the law, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, genetic, mental, economic, etc. identity of that natural person. Remember, this doesn’t apply only to members/customers. Employees count as well!

Risk Assessment

The information security risk assessment should be conducted in a similar fashion to what you’re likely to be doing already. But to comply with GDPR, make sure you include EU citizen personal data and the systems that store or transmit EU citizen personal data. The law itself says this: 

The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

GDPR Page 48 (76)

Look also to, 

In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage. 

GDPR Page 52 (83)

Data Minimization 

The data minimization outlined in GDPR should be the same what you’re already practicing internally and with your vendors. Be sure to keep the amount of privileges and data stored for each process at the minimum necessary for business. 

“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”

GDPR Page 152 Article 25

Designate a Data Protection Officer

One of the more formal changes that will arise when GDPR is enforced this May is the designation of a Data Protection Officer for select entities. Their function is to monitor compliance and report to C-Suite. Your DPO can either be an employee or a contractor, so don’t hesitate to outsource this responsibility. 

The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39.

GDPR Page 171 4.37

Data Breach Notification

Delayed breach disclosures have been the topic of recent debate over the past year. Considering it took Uber a year to report a hack after it was discovered, and the delayed disclosure of the Equifax breach, the GDPR has decided to quantify exactly what they believe to be an appropriate allocation of time before reporting a breach to a data supervisory authority becomes necessary. Organizations that monitor individuals on a large scale or process sensitive personal data are required to notify the appropriate EU supervisory authority within 72 hours of a data breach. 

There are, of course, some exceptions outlined in the law itself. You are not bound to report a data breach if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons” (GDPR Page 163 Article 33). But remember, “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay,” this ‘undue delay’ being 72 hours (GDPR Page 163 Article 34). 

Information Security

Most of the items referenced in the new GDPR law are privacy-related items you may already be doing. These standard items include:

a.) the pseudonymization and encryption of personal data; 

b.) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c.) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d.) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

GDPR Page 161 2.32 

Remember, the law itself is pretty squishy in its details, which seems to be intentional to give the regulatory body more flexibility in issuing fines. And since the law isn’t official until May, there is not yet any precedent for compliance. We’ll be sure to keep you updated as we know more. 

Looking for someone to take a closer look to ensure your organization’s GDPR compliance? Go ahead and contact us at info@rivialsecurity.com.