A Close Look at the Technical Side Of GDPR Compliance
Although the GDPR deadline has already passed, the impact of these new guidelines lingers for many. Check out this post to learn more about the impacts of GDPR.
For those of us who are in the business of computing and information technology, the hot-button topic of discussion across the Internet is the passing and enforcement of the General Data Protection Regulation (GDPR). The GDPR is the European Union's attempt at giving Internet users more control over their data (including where that data can be stored and used), as well as offering businesses a standardized set of rules that must be followed in order to gain access to the EU market. According to ZDNet, the new legislation has far-reaching implications for businesses and individuals across Europe. The part of the regulation that has caused the most friction is Article 32: Security of Processing. The EU GDPR itself states in this article:
"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk..."
Let's break down this block of text and see exactly what is required to have GDPR compliance and how we can make sure we are meeting these regulatory requirements.
Do Basic Data Identification
The text above says that the controller and the processor need to implement measures that are commensurate with the risk associated with transporting that data. Before we can do that, we need to figure out exactly what data we are dealing with. We can create a data flow map that breaks our data down by:
- Locations (Cloud locations, physical offices, third-party storage etc.)
- Transfer Methods (email, Local Area Network, etc.)
- Formats (hardcopy, database formats, local file formats, etc.)
- Data Items (records within a database such as names, addresses, emails, etc.)
This helps the organization determine what data it is actually using, and it keeps the inventory current as the underlying technology changes.
Risk Assessment Methodology
Reading the block of text again, we can pull out the statement that we are responsible for "the risk of varying likelihood and severity for the rights and freedoms of natural persons," which means that we need to be able to manage that risk. It would be unrealistic to expect a company to prepare for every conceivable attack (especially since some attack methods have not even been devised yet). Instead, we cover our bases by doing a standard security assessment of our risk. This can be done with penetration testing and vulnerability scanning, so that we get a proper idea of what we are dealing with.
A vulnerability scan is automated for the most part and reports any weaknesses in a company's security architecture that may be exploited.
Penetration testing (also called "pen testing") usually involves hiring a person who is certified in ethical hacking to attempt to penetrate the organization's security architecture. Penetration testing is a proven method of preventing cybersecurity attacks. Based on information from ERM, as little as 5.3 percent of all attacks on financial organizations succeed, thanks to their early adoption of penetration testing as part of their cybersecurity countermeasures.
When these tests are complete, recommendations are made for improving the security of the system. Dealing with a risk falls into one of four approaches:
- Avoid the risk: eliminate it completely, usually by improving hardware or software.
- Modify the risk with security controls: this does not remove the risk entirely, but it makes it difficult, if not impossible, to exploit.
- Share the risk through insurance: external insurance can help to mitigate risk scenarios.
- Keep the risk: this only applies if the risk falls within a tolerance level that allows us to accept it.
The New Face of User Security
While a lot of companies have already adopted the practices mentioned above, a more substantial number do not bother, because the cost of the regular maintenance this requires is usually far in excess of what a company is willing to spend. While the GDPR's requirements are well-intentioned and aim to serve users, conforming to them can put smaller, less financially capable companies and websites in a difficult position. Users within the EU can be secure in the knowledge that their data is protected, but quite a lot of them also lose the choice to visit sites that are non-compliant under the GDPR. It raises a lot of questions about whether security is worth the limitation of access or not.