In Part 1 of this GDPR blog series, we looked at the PII threat landscape and the legal and financial consequences of technology failure. In Part 2, we highlighted the major provisions in the GDPR for technological measures to protect data.
This post (Part 3) looks at some real-life scenarios in which organizations have effectively reduced their data security risk, and examines some of the guiding principles to be considered in relation to the technological impact of the GDPR within an organization.
The GDPR’s focus on technology is much more explicit than its predecessor, the Data Protection Directive. If it is to be properly effective, however, the GDPR must assist in the delivery of business transformation and legal compliance.
In its April 2017 report, “Technology’s role in data protection – the missing link in GDPR transformation”, PwC distils the key GDPR principles down to three specific technology goals.
GDPR Technology Goal #1
Driving data protection principles into technology, through appropriate technical and organizational measures
The data protection principles set out the core compliance goals of the law. They have been at the heart of European data protection regulation from its very beginning in the 1960s. The principles must be delivered through technology and organizations must take ‘appropriate technical and organizational measures’ to do so. When developing those technical and organizational measures, organizations must have full regard to the ‘nature, scope, context and purposes of processing’ and ‘the risks of varying likelihood and severity for the rights and freedoms of natural persons’.
The obvious implication of this requirement is that a risk assessment must be performed in all cases. These risk assessments require a deep understanding of the effect that technology can have on individual rights and freedoms.
GDPR Technology Goal #2
Ensuring the technology environment can protect individuals’ rights
If people are to have control over their personal data, they need rights over that data and transparency about what is happening to it. But the exercise of these individual rights is only truly effective if an organization’s IT systems are fully responsive to them, and have the right functionality embedded in them.
The core individual rights are the ‘right of access’, ‘right to rectification’, ‘right to erasure’ (or the ‘right to be forgotten’), ‘right to restriction of processing’, ‘right to data portability’ and ‘right to object’. In a functional sense, these rights require the technology to:
- Connect individuals to their personal data;
- Categorise personal data by type and processing purpose;
- Map or trace the full information lifecycle;
- Perform search and retrieval;
- Enable rectification, redaction, erasure and anonymisation;
- Enable freeze and suppression;
- Enable the transmission of personal data from one technology stack to another.
All of this must be protected by appropriate security.
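To make the functional list above concrete, here is an added example (not code from the blog, the PwC report or any product they describe) of a minimal personal-data registry whose methods map one-to-one onto the rights: connecting records to a data subject, categorising by type and purpose, access, rectification, restriction (freeze), portability (export), erasure and anonymisation, with an audit log as the lifecycle trace. The record layout, the `subject_id` key and all sample values are constructed assumptions.

```python
"""Added example (not from the blog or the PwC report): a minimal personal-data
registry exposing the functions the individual rights require. Every record
below is constructed and the class illustrates the design, not a product."""
import json
from dataclasses import dataclass, asdict


@dataclass
class PersonalRecord:
    subject_id: str            # connects the record to one data subject (hypothetical key)
    category: str              # type of personal data, e.g. "contact" or "billing"
    purpose: str               # processing purpose it was collected for
    value: str
    restricted: bool = False   # "freeze": retained but excluded from processing


# categories that identify a person on their own; stripped on anonymisation
DIRECT_IDENTIFIERS = {"contact", "name"}


class DataRegistry:
    def __init__(self):
        self._records = []
        self.audit_log = []    # lifecycle trace: every rights action is recorded

    def _log(self, action, subject_id, **extra):
        self.audit_log.append({"action": action, "subject_id": subject_id, **extra})

    def store(self, rec):
        self._records.append(rec)
        self._log("store", rec.subject_id, category=rec.category, purpose=rec.purpose)

    def _mine(self, subject_id):
        return [r for r in self._records if r.subject_id == subject_id]

    # right of access: everything held about one person, grouped by purpose
    def access(self, subject_id):
        out = {}
        for r in self._mine(subject_id):
            out.setdefault(r.purpose, []).append(
                {"category": r.category, "value": r.value, "restricted": r.restricted})
        self._log("access", subject_id)
        return out

    # right to rectification
    def rectify(self, subject_id, category, new_value):
        hits = [r for r in self._mine(subject_id) if r.category == category]
        for r in hits:
            r.value = new_value
        self._log("rectify", subject_id, category=category, updated=len(hits))
        return len(hits)

    # right to restriction of processing (freeze / suppression)
    def restrict(self, subject_id, restricted=True):
        hits = self._mine(subject_id)
        for r in hits:
            r.restricted = restricted
        self._log("restrict" if restricted else "lift_restriction", subject_id, affected=len(hits))
        return len(hits)

    # ordinary processing must honour the freeze
    def records_for_processing(self, purpose):
        return [r for r in self._records if r.purpose == purpose and not r.restricted]

    # right to data portability: machine-readable export for another stack
    def export(self, subject_id):
        recs = [asdict(r) for r in self._mine(subject_id)]
        self._log("export", subject_id, count=len(recs))
        return json.dumps(recs, sort_keys=True)

    # right to erasure
    def erase(self, subject_id):
        removed = len(self._mine(subject_id))
        self._records = [r for r in self._records if r.subject_id != subject_id]
        self._log("erase", subject_id, removed=removed)
        return removed

    # anonymisation: sever the link to the person and drop direct identifiers.
    # Replacing subject_id with a hash of itself would only pseudonymise it.
    def anonymise(self, subject_id):
        kept = 0
        for r in self._mine(subject_id):
            if r.category in DIRECT_IDENTIFIERS:
                self._records.remove(r)
            else:
                r.subject_id = None
                kept += 1
        self._log("anonymise", subject_id, retained=kept)
        return kept


def demo():
    """Builds a registry with constructed sample records (not real data)."""
    reg = DataRegistry()
    reg.store(PersonalRecord("subj-1", "contact", "marketing", "ana@example.com"))
    reg.store(PersonalRecord("subj-1", "billing", "invoicing", "GB00 EXAMPLE 1234"))
    reg.store(PersonalRecord("subj-2", "contact", "marketing", "ben@example.com"))
    return reg
```

The point of `records_for_processing` is that a restriction is only meaningful if every ordinary processing path consults the flag; a freeze stored in a column nobody reads satisfies the letter of the right but not its effect. Likewise `anonymise` removes the identifier rather than hashing it, because a hash of a known identifier can be recomputed and therefore still links the record to the person.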
GDPR Technology Goal #3
Adopting a proper approach to technology design and deployment
One of the GDPR’s innovations is the inclusion of requirements that provide organizations with practical assistance in how to flow data protection into technology. These are:
- Accountability – proving that technology works properly
- Records of processing activities – understanding the data lifecycle and what technology does
- Data protection by design and default – getting technology right from the start
- Data protection impact assessments – understanding technology risk
- Breach notification – delivering transparency in technology failure
Collectively, these new requirements provide a ‘user manual’ for delivering operational success.
Case Studies In Reducing Data Security Risk
Two examples provided by the SANS Institute demonstrate how implementing automated network controls, testing and monitoring can reduce an organization’s data security risks.
Each of these also demonstrates how organizations can implement the requirements in GDPR Article 32: “a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing” of personal data.
Case Study 1: Tightening Access and Automating Security Procedures
Company: A large UK-based outsourced customer management service provider that controls and processes great quantities of personal information throughout Europe and elsewhere.
Analysis of the company’s data security revealed a lack of visibility into its complex network environment, including more than 80 firewalls. It lacked confidence that some newly deployed firewalls had been configured in line with the organization’s own policies. Its manual change management processes were slow and costly, which left it unable to track changes or verify that the firewalls were properly implemented. The company determined that its risk profile was unacceptable and sought to become compliant with the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.
The company deployed an automated, integrated solution to reduce its systemic risk. The solution allowed staff to visualize and document all firewall rulesets and to optimize its firewalls. This further allowed the company to tighten the access paths into its network and to tighten its change management. The new approach provided an automated process to scan for, assess and resolve network vulnerabilities.
As a result, the company materially reduced its overall network risk profile and improved its continuous, documented, provable compliance with standards and decreased its chances of a data security breach.
Case Study 2: Continuous Firewall and Device Monitoring
Company: A large-scale business services provider delivering business process outsourcing to more than 20 top-tier companies and government agencies in the UK.
The company was using resource-consuming manual management processes to achieve PCI compliance, including network security, data security, vulnerability management, access control, security monitoring and information security best practices.
The company’s increasing network complexity was making the cost of compliance unsustainable, and the company was not able to prove its firewalls were PCI compliant.
In response, the company automated its firewall audits and firewall management to detect security and compliance problems. It tracks each problem and the response to it, so that the company’s staff can confirm that it has been resolved.
Furthermore, analytics can find and remedy hidden risk factors by assessing the interactions between network devices and zones. The company achieved reliable, continuous confirmation of its PCI compliance and, therefore, reduced its chances of a data security breach.
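Both case studies come down to the same three mechanisms: audit the rulesets for risky or unreachable rules, detect drift from an approved baseline (change tracking), and keep each finding open until its resolution is recorded and confirmed by a re-audit. The following is an added example (not the SANS Institute’s material or the vendor solution the companies deployed) that implements those three mechanisms over a constructed ruleset; the rule format, rule IDs, addresses and finding codes are all assumptions.

```python
"""Added example (not from the SANS case studies or any product): audit a
firewall ruleset for risky and shadowed rules, detect drift from an approved
baseline, and track findings to resolution. All rulesets are constructed."""
from ipaddress import ip_network

ANY = "0.0.0.0/0"


def _covers(outer, inner):
    """True if network `outer` contains every address of `inner`."""
    return ip_network(inner).subnet_of(ip_network(outer))


def _port_range(p):
    """'any' -> (0, 65535); '22' -> (22, 22); '1000-2000' -> (1000, 2000)."""
    if p == "any":
        return (0, 65535)
    lo, _, hi = p.partition("-")
    return (int(lo), int(hi or lo))


def _port_covers(outer, inner):
    o, i = _port_range(outer), _port_range(inner)
    return o[0] <= i[0] and i[1] <= o[1]


def audit_rules(rules):
    """Return (rule_id, code, detail) findings for a first-match ruleset."""
    findings = []
    for idx, r in enumerate(rules):
        if r["action"] == "allow" and r["src"] == ANY and r["dst"] == ANY:
            findings.append((r["id"], "ANY_ANY_ALLOW", "permits all traffic"))
        elif r["action"] == "allow" and r["src"] == ANY and r["port"] == "any":
            findings.append((r["id"], "OPEN_INBOUND", f"all ports from anywhere to {r['dst']}"))
        # shadowed: an earlier rule already matches everything this rule would,
        # whatever its action, so this rule can never take effect
        for earlier in rules[:idx]:
            if (_covers(earlier["src"], r["src"]) and _covers(earlier["dst"], r["dst"])
                    and _port_covers(earlier["port"], r["port"])):
                findings.append((r["id"], "SHADOWED", f"never reached; rule {earlier['id']} matches first"))
                break
    return findings


def diff_rulesets(baseline, current):
    """Change tracking: rules added, removed or modified versus the approved baseline."""
    b = {r["id"]: r for r in baseline}
    c = {r["id"]: r for r in current}
    return {
        "added": sorted(set(c) - set(b)),
        "removed": sorted(set(b) - set(c)),
        "modified": sorted(i for i in set(b) & set(c) if b[i] != c[i]),
    }


class FindingTracker:
    """Keeps each finding open until a resolution is recorded and confirmed."""

    def __init__(self):
        self.findings = {}   # "rule:code" -> {"detail", "status", "note"}

    def record(self, findings):
        for rule_id, code, detail in findings:
            self.findings.setdefault(f"{rule_id}:{code}",
                                     {"detail": detail, "status": "open", "note": None})

    def resolve(self, rule_id, code, note):
        key = f"{rule_id}:{code}"
        if key not in self.findings:
            raise KeyError(key)
        self.findings[key].update(status="resolved", note=note)

    def reconcile(self, findings):
        """Re-audit confirmation: a 'resolved' finding that still appears is reopened."""
        present = {f"{rid}:{code}" for rid, code, _ in findings}
        reopened = [k for k, v in self.findings.items()
                    if v["status"] == "resolved" and k in present]
        for k in reopened:
            self.findings[k]["status"] = "open"
        return sorted(reopened)

    def open_findings(self):
        return sorted(k for k, v in self.findings.items() if v["status"] == "open")


# constructed rulesets (hypothetical addresses and IDs)
BASELINE_RULES = [
    {"id": "r1", "src": "10.0.0.0/8", "dst": "10.1.2.3/32", "port": "443", "action": "allow"},
    {"id": "r2", "src": ANY, "dst": "10.1.2.3/32", "port": "443", "action": "allow"},
    {"id": "r3", "src": ANY, "dst": ANY, "port": "any", "action": "deny"},
]
CURRENT_RULES = [
    {"id": "r1", "src": "10.0.0.0/8", "dst": "10.1.2.3/32", "port": "any", "action": "allow"},
    {"id": "r2", "src": ANY, "dst": "10.1.2.3/32", "port": "443", "action": "allow"},
    {"id": "r4", "src": ANY, "dst": "10.1.2.0/24", "port": "any", "action": "allow"},
    {"id": "r5", "src": "10.0.0.0/8", "dst": "10.1.2.3/32", "port": "22", "action": "allow"},
    {"id": "r3", "src": ANY, "dst": ANY, "port": "any", "action": "deny"},
]

if __name__ == "__main__":
    print("drift:", diff_rulesets(BASELINE_RULES, CURRENT_RULES))
    for f in audit_rules(CURRENT_RULES):
        print("finding:", f)
```

Run against the constructed data, the drift check reports that `r1` was widened to all ports and that `r4` and `r5` were added outside the baseline; the audit then flags `r4` as an open inbound rule and `r5` as shadowed by the widened `r1`. `FindingTracker.reconcile` is what turns a one-off scan into the “regularly testing” evidence Article 32 asks for: a finding someone marked resolved is reopened automatically if the next audit still sees it.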
PricewaterhouseCoopers, April 2017, “Technology’s role in data protection – the missing link in GDPR transformation”.
Benjamin Wright, Attorney, SANS Institute whitepaper, February 2017, “Preparing for Compliance with the General Data Protection Regulation (GDPR): A Technology Guide for Security Practitioners”.