GDPR: Taking A Risk-based Approach To The Technological Measures Required To Protect Data (Part 2 of 5)

In Part 1 of this GDPR blog series, we looked at the PII threat landscape and the legal & financial consequences of technology failure. In this post, we highlight the major provisions in the GDPR for technological measures to protect data, and examine the importance of taking a risk-based approach to GDPR technology investments.

The GDPR (General Data Protection Regulation) sets out a complex regime of measures an organization must take to protect personal data, including the appointment of a data protection officer in the cases Article 37 requires and the maintenance of detailed documentation to prove compliance. However, the GDPR does not prescribe precisely which technologies are required to secure data.

At this time, the implementation details of data security are largely left to interpretation. While the GDPR is binding, enforceable law, we see the regulation as a work in progress: EU regulators informally acknowledge that it sets broad, ambitious goals and leaves the details to be articulated later through guidance and enforcement practice.

What we do know is the GDPR takes a risk-based approach to requiring particular technical measures. Higher risk mandates more expense and effort to secure data.

The overriding issue is whether data is at risk and which practices and technologies will effectively reduce those risks.

GDPR: Organizations should revisit risk calculations

Providing evidence of risk mitigation counts as much as securing data

Under the GDPR, organizations must be able to demonstrate that they have implemented appropriate measures to mitigate privacy risks. Even in the absence of a breach or customer complaint, regulators may require firms to produce evidence of their compliance and risk management strategies, including a data protection impact assessment (DPIA, often referred to as a privacy impact assessment or PIA). Security teams play a crucial role in building this documentation. For example, they must show that access controls and rights management are deployed, paying special attention to the process for periodically recertifying who holds which access. Tokenization, encryption and key management controls (who holds the keys, where they are stored, how they are rotated) will require documentation as well.

In practice, risk is evaluated by the organization itself, its data protection officer and any supervisory authority authorised to investigate a situation or an implementation.

Taking into account the state of the art

One of the challenges facing lawmakers is how to account for future technological innovations without having to re-issue a legal framework every time something new comes to market.

Within the GDPR, the phrase “taking into account the state of the art” (Articles 25 and 32) is such a future-oriented attempt. While a few specific technical approaches are named in the text – encryption and pseudonymization – organizations are given a much broader mandate to consider the state of the art, alongside the cost of implementation and the risks to data subjects, when selecting or designing applications, services and products used for processing personal data.

For example, approaches that currently count as state of the art include user and entity behaviour analytics, privileged access management and format-preserving encryption (FPE, standardised as the FF1 mode in NIST SP 800-38G).

Selected technological provisions of the GDPR legislation – Articles & Recitals

The GDPR regulates organizations that control or process personal data, recognizing that such entities vary by size, sophistication, amount of data processed etc. As such, no single program will fit all organizations. While some will implement technical measures directly, others may turn to third parties to protect their data from unauthorized use, access, loss and corruption.

The following highlights major provisions in the GDPR legislation for technological measures to protect data.

Article 5(2) and Article 30

Article 5(2) establishes the accountability principle: the controller is responsible for, and must be able to demonstrate, compliance with the data protection principles. Article 30 requires controllers and processors to maintain records of their processing activities. Compliance might be demonstrated, for example, through documentation showing that the organization uses technology for continuous monitoring of data and continuous evaluation of vulnerabilities.

Article 25(1)

Data protection by design and by default (commonly called privacy by design) will be the biggest challenge to address. The GDPR requires firms to consider data protection at the start of any new project and to ensure that the right security controls are in place throughout all development phases. Sustained collaboration between teams will be critical, so firms will have to establish new processes to encourage, enforce and oversee it.

This article also requires an organization to implement data protection principles, such as data minimization, to safeguard data and protect the rights of individuals, technically known as “data subjects.” The exact words of the regulation do not limit the rights that must be protected to only privacy rights. Therefore, the rights referred to in the words of the regulation might be privacy rights, civil rights, rights to freedom, rights to be forgotten or other rights. The requirement calls for the use of both technical and organizational measures.

Article 28

An outsourcer (data processor) must have technical and organizational controls in place to ensure data is protected and documentation to prove compliance.

Article 32

Article 32 is the primary provision requiring technical measures to protect data. Article 32 emphasizes that the degree of effort invested in a particular measure must be informed by the risk present in a particular setting or application. Thus, for example, a non-EU retailer processing the data of many thousands of EU data subjects is expected to implement stronger measures to protect its data than would a retailer processing data for only a handful of data subjects.

Although Article 32 gives examples of security measures, it does not provide a comprehensive list of security measures. It motivates an organization to find, implement and revise effective security measures in light of the dangerous and rapidly changing information security threat landscape.

Article 32(1) mentions in particular:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing Confidentiality (C), Integrity (I), Availability (A) and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The CIA triad is an established model in information security. Whilst a lot of the GDPR is concerned with privacy (an aspect of confidentiality), risks from unlawful destruction, loss and alteration of data are also highlighted which broadens the range of threats to data and technology solutions that need to be considered.

Article 32 further calls attention to risks “from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.”
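The pseudonymisation and encryption named in Article 32(1)(a), and the tokenization and key management controls mentioned earlier as needing documentation, are easier to reason about with a concrete instance. The GDPR defines pseudonymisation (Article 4(5)) as processing such that the data can no longer be attributed to a data subject without additional information that is kept separately. The following Python script is an added example, not code from the original post or from activereach; it uses only the standard library. It contrasts an unkeyed hash (which is not pseudonymisation, because anyone can enumerate a small identifier space and recompute it) with a keyed HMAC pseudonym whose key is the separately held “additional information”, and with a reversible token vault of the kind a tokenization product provides. The sample records, the key and the in-memory vault are constructed placeholders; in production the key would come from a KMS or HSM and the vault would be a separately secured store.

```python
"""Pseudonymisation and tokenization of a constructed customer record set,
with the 'additional information' (HMAC key, token vault) kept apart from
the pseudonymised data. Added example; not the page's own code."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List

# Constructed sample records (not real data). Customer IDs come from a small
# space, C-00000 .. C-99999, which is typical and is exactly what makes an
# unkeyed hash unsafe as a pseudonym.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"customer_id": "C-00042", "email": "alice@example.com", "spend": 120.50},
    {"customer_id": "C-00043", "email": "bob@example.com", "spend": 75.00},
    {"customer_id": "C-00042", "email": "alice@example.com", "spend": 15.25},
]

# The whole identifier space an attacker would enumerate (assumption: 5 digits).
ALL_CUSTOMER_IDS = [f"C-{i:05d}" for i in range(100_000)]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can recompute it, so it
    does not meet the Article 4(5) definition of pseudonymisation."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def hmac_pseudonym(key: bytes, value: str) -> str:
    """Keyed pseudonym: same input gives the same output, so analytics can
    still join on it, but recomputing it requires the key, which is the
    'additional information' to be held separately (KMS/HSM in production)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class TokenVault:
    """Reversible tokenization: random tokens mapped to values in a vault.
    The in-memory dicts stand in for a separately secured store (assumption)."""

    def __init__(self) -> None:
        self._by_value: Dict[str, str] = {}
        self._by_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = self._by_value.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(8)  # bears no relation to the value
            self._by_value[value] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def dictionary_attack(pseudonyms: Iterable[str], candidates: Iterable[str]) -> Dict[str, str]:
    """Re-identify unkeyed hashes by enumerating the identifier space.
    Returns {pseudonym: recovered_identifier} for every hit."""
    table = {naive_hash(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def pseudonymise_records(records, key: bytes, vault: TokenVault):
    """Replace direct identifiers: customer_id -> keyed pseudonym,
    email -> vault token. The spend figure is retained for analytics."""
    return [
        {
            "customer_ref": hmac_pseudonym(key, r["customer_id"]),
            "email_token": vault.tokenize(r["email"]),
            "spend": r["spend"],
        }
        for r in records
    ]


def spend_by_customer(pseudonymised) -> Dict[str, float]:
    """Analytics still works on the pseudonymised set: total spend per customer_ref."""
    totals: Dict[str, float] = {}
    for r in pseudonymised:
        totals[r["customer_ref"]] = totals.get(r["customer_ref"], 0.0) + r["spend"]
    return totals


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # placeholder; fetch from a KMS in production
    vault = TokenVault()
    out = pseudonymise_records(SAMPLE_RECORDS, key, vault)
    print(out)
    print(spend_by_customer(out))
    naive = [naive_hash(r["customer_id"]) for r in SAMPLE_RECORDS]
    print("unkeyed hashes recovered:", dictionary_attack(naive, ALL_CUSTOMER_IDS))
    keyed = [r["customer_ref"] for r in out]
    print("keyed pseudonyms recovered:", dictionary_attack(keyed, ALL_CUSTOMER_IDS))
    print("detokenised:", vault.detokenize(out[0]["email_token"]))
```

Running the script shows that the unkeyed hashes of both customer IDs are recovered in well under a second, while the keyed pseudonyms are not, and that the pseudonymised set still supports per-customer aggregation. The documentation Article 32 asks for is then straightforward to describe: where the HMAC key and the vault live, who can reach them, and how they are rotated.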

Articles 33 and 34

In the event of a data security breach, these articles call for the evaluation, documentation and notification of the breach. Notification under Article 33 is provided to a relevant supervisory authority. Notification under Article 34 is provided to individual data subjects.

The data breach notification requirement will be a game-changer. Under Article 33, a controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals. Under Article 34, affected data subjects must be informed without undue delay where the breach is likely to result in a high risk to them. Compliance with this requirement will be tougher than many companies expect.[4] They will first have to understand and share complicated details with regulators about any exfiltration of personal data, including how many records were lost or stolen, and over what period. The bigger challenge is that they will also have to share those details with customers. That means you and your incident response team will have to craft clear, compelling messages that reflect adequate levels of competency, sensitivity and customer care.[5]

Automated testing, monitoring and log analysis shorten the time to discover a breach. Since the 72-hour clock starts at awareness, detection capability determines how much of that window is left for investigation rather than spent finding out that something happened.

Automation can also help scope a breach: which systems and records were affected, over what period, and whether personal data actually left the environment. Those are the facts needed to decide whether notification is required and, if so, what it must contain.

Recital 39

Any processing of personal data should be lawful and fair. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 49

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.

This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

These principles cover a very wide scope and are challenging, but according to the European Commission [6] they will incentivise businesses to innovate and develop new ideas, methods and technologies for the security and protection of personal data.

GDPR compliance: where technology is impacted

  • Article 15 – Right of access by the data subject
  • Article 16 – Right to rectification
  • Article 17 – Right to erasure (right to be forgotten)
  • Article 18 – Right to restriction of processing
  • Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20 – Right to data portability
  • Article 21 – Right to object
  • Article 22 – Automated individual decision-making, including profiling
  • Article 25 – Data protection by design and by default
  • Article 32 – Security of processing
  • Article 35 – Data protection impact assessments

There is nothing particularly innovative or new about the technology solution areas involved in meeting these compliance requirements, but every company handling the personal data of people in the EU may now have to revisit its risk calculations: the GDPR’s administrative fines (up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher, under Article 83) are far higher than the penalties previously levied.

activereach helps organizations overcome the hurdles of GDPR compliance and works with technology vendors providing best-in-class GDPR solutions – please contact our Pre Sales Consultants on 0845 625 9025 for further details.

Read Part 3: GDPR: Technology goals aid business transformation and legal compliance

References

[4] European companies today still lag behind those in other regions in the prioritization of IR and forensics capabilities. For more details on the effects of data breaches on business reputation and how companies are preparing to meet GDPR’s notification requirement, see the “Vendor Landscape: Global Legal Privacy And Cybersecurity Services” Forrester report.

[5] For more information, see the “The Forrester Wave™: Customer Data Breach Notification And Response Services, Q3 2015” Forrester report.

[6] https://europa.eu/rapid/press-release_MEMO-15-6385_en.htm