Preparing for the EU’s new data protection regime: General Data Protection Regulation (GDPR)
Could your business withstand a fine of 4% of its worldwide revenue? That’s turnover, not profit. Most would face severe difficulties, if not insolvency. But that’s the sort of fine that the European Union (EU) will soon be able to impose on companies that work with personal data if they allow a security breach or can’t demonstrate adequate data protection. It’s all thanks to a new regulation, the EU’s General Data Protection Regulation (GDPR), which will, after several years of wrangling, come into force on 25th May 2018.
It’s a date every CIO and IT manager should have circled in their diaries in neon highlighter, because, as international law firm Allen & Overy argues:
“The GDPR places onerous accountability obligations on data controllers to demonstrate compliance”. [1]
The GDPR may sound like yet another annoying spool of red tape, but it has been designed to protect the private citizen in the digital world. As more of us share our lives online through social media, apps and e-commerce, the EU has decided to act to harmonize data security and give users more protection, rights and control. Its edicts will affect any organization that processes EU residents’ personal data.
Its 173 rules, or recitals in euro-speak, provide for homogeneity across the union on a whole range of issues such as privacy by design, the right to be forgotten, data breaches, and data portability. Note that this is an EU regulation, not a directive. A directive has to be enacted by the parliaments of member countries through changes to their own law before it takes effect; a regulation is immediately in force on the set date.
And if you are based in the UK and you think we are leaving the EU, so it won’t apply: think again. Not only will the new regulation arrive before the UK has formally left, but anyone wanting to trade with EU member states will have to demonstrate compliance. Furthermore, UK digital minister Matt Hancock recently confirmed to a House of Lords sub-committee that GDPR will be incorporated into UK domestic legislation and that “the government wants to ensure unhindered data flows after Brexit”. [2]
So what can managers do to prepare for GDPR?
Start now is the key advice: there’s a whole raft of measures that urgently need to be undertaken, involving IT staff, management, partners and stakeholders, to provide the necessary oversight of data governance. As the UK’s Information Commissioner’s Office (ICO) warns:
“It is essential to start planning your approach to GDPR compliance as early as you can and to gain ‘buy in’ from key people in your organisation… In a large or complex business this could have significant budgetary, IT, personnel, governance and communications implications.” [3]
Data protection by design
A key area that activereach has recently been flagging up to our customers who are preparing for GDPR is the ‘data protection by design’ aspects of the regulations. This is particularly pertinent for those involved in running Web applications and servers.
The key section of the new regulations is what is known as ‘recital 49’, which requires organizations to “resist accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data…”. [4] The recital goes on to specifically mention denial of service (DoS) attacks and malicious code distribution. These are two areas where Web applications and their servers are particularly vulnerable, thanks to a number of well-known attack classes such as cross-site scripting, SQL injection and botnet recruitment.
How can technical staff improve security in this area?
The answer lies partly in a Web Application Firewall (WAF) with Distributed Denial of Service (DDoS) protection. There are two deployment methods: a WAF deployed as a physical device, placed in front of the Web server hardware; or a remotely managed, cloud-based firewall service. Both use in-depth knowledge of how HTTP applications work to filter out malicious requests, and both can be enhanced to also provide Layer 3/4 DDoS mitigation.
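To make the “in-depth knowledge of how HTTP applications work” concrete, here is an added example (not activereach’s product or any code from the original article) of the two checks a WAF applies to each request before it reaches the application: decoding the request target and matching parameter values against detection signatures for the attack classes recital 49 is concerned with, and a per-client sliding-window rate limit as a simple form of Layer 7 flood protection. All request lines, client addresses and signatures are constructed for illustration; a real WAF ships far larger, continuously maintained rule sets.

```python
"""Toy application-layer request filter: signature inspection plus
per-client rate limiting. Added illustrative example, not a product."""
import re
import time
from collections import defaultdict, deque
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed, deliberately small signature set. Values are matched after
# URL-decoding, because attackers encode payloads to slip past naive filters.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s+'|union\s+select|;\s*drop\s+table|--\s*$", re.I),
    "xss": re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I),
}


class RequestFilter:
    def __init__(self, max_requests=20, window_seconds=10.0):
        self.max_requests = max_requests
        self.window_seconds = window_seconds
        self.history = defaultdict(deque)  # client ip -> timestamps in window

    def inspect_request(self, raw_request):
        """Decode the request line and test every path segment and parameter
        value against each signature. Returns ("allow", None) or ("block", rule)."""
        request_line = raw_request.splitlines()[0]
        method, target, _version = request_line.split(" ", 2)
        parts = urlsplit(target)
        # parse_qsl already URL-decodes values; the path must be decoded by hand.
        values = [unquote_plus(parts.path)]
        values += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        for value in values:
            for rule, pattern in SIGNATURES.items():
                if pattern.search(value):
                    return ("block", rule)
        return ("allow", None)

    def within_rate(self, client_ip, now):
        """Sliding window: drop timestamps older than the window, record this
        request, and allow it only if the window still holds <= max_requests."""
        stamps = self.history[client_ip]
        cutoff = now - self.window_seconds
        while stamps and stamps[0] <= cutoff:
            stamps.popleft()
        stamps.append(now)
        return len(stamps) <= self.max_requests

    def handle(self, client_ip, raw_request, now=None):
        """Rate check first (cheap, protects against floods), then content inspection."""
        now = time.monotonic() if now is None else now
        if not self.within_rate(client_ip, now):
            return ("block", "rate_limit")
        return self.inspect_request(raw_request)


def run_demo():
    """Run constructed traffic through the filter; returns a list of decisions."""
    waf = RequestFilter(max_requests=5, window_seconds=10.0)
    decisions = []
    # Ordinary search request: allowed.
    decisions.append(waf.handle("10.0.0.1", "GET /search?q=gdpr HTTP/1.1\r\nHost: example.test\r\n\r\n", now=0.0))
    # URL-encoded "1' OR '1'='1" in a parameter: blocked by the sqli rule.
    decisions.append(waf.handle("10.0.0.2", "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: example.test\r\n\r\n", now=0.0))
    # Encoded script tag in a comment field: blocked by the xss rule.
    decisions.append(waf.handle("10.0.0.3", "GET /comment?text=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1\r\nHost: example.test\r\n\r\n", now=0.0))
    # One client sending 6 harmless requests inside the window: the 6th is rate limited.
    for i in range(6):
        decisions.append(waf.handle("10.0.0.9", "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", now=0.1 * i))
    # Same client after the window has passed: allowed again.
    decisions.append(waf.handle("10.0.0.9", "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", now=11.0))
    return decisions


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The signature rules are intentionally narrow: the `\bon\w+\s*=` term, for instance, carries a word boundary so that a legitimate value such as `font=bold` is not flagged. Tuning that balance between false positives and coverage across a changing threat landscape is exactly the maintenance burden the next paragraph describes.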
In our opinion, however, the latter method provides the easiest route to GDPR-level security and also offers access to the collective intelligence of a large number of other organizations concerning novel, zero-day threats. As Information Age magazine notes, many smaller organizations struggle to keep physical WAF infrastructure fully maintained and configured for a rapidly evolving threat landscape. [5]
There’s a great deal of work to be done over the next twelve months to get organizations battle ready for GDPR, and the high level of potential fines shows that the EU means business. Our advice is that a good first step, for technical staff at least, is to review their use of Web application servers and their associated protection. By outsourcing Web application security to a fully-managed service an organization can feel more confident that progress is being made towards full GDPR compliance.
[1] Allen & Overy, The EU General Data Protection Regulation (London: Allen & Overy LLP, 2016), p.3.
[2] Lomas, N., ‘On data protection Brexit means mirroring EU rules confirms UK minister’ [blog], TechCrunch (1st Feb 2017).
[3] ICO, Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now (Wilmslow, Cheshire: ICO, March 2016), p.3.
[4] DSB-MIT-SYSTEM, ‘EU General Data Protection Regulation (EU-GDPR)’, www.privacy-regulation.eu (2016).
[5] Lonergan, K., ‘Web Application Firewall: a must-have security control or an outdated technology?’, Information Age, 9th March 2016.