The Year of the GDPR
In this post, we review the regulations that will affect the ways that organizations and citizens handle their data, as well as what this means for AppSec.
Way back in 2012, the European Commission laid down initial plans for the European Union's data protection reform. It took the relevant parties four years to reach an agreement on what would be involved and how it will be enforced. And now, here we are! As close as ever to the May deadline, Europe finally takes the leap to be "fit for the digital world," and businesses will be changing the way in which data is handled, processed, and protected with the General Data Protection Regulation (GDPR).
As citizens of today's crazy world, almost everything we do and have revolves around data. Every time we use a service, you can bet that our data is being recorded and analyzed. Our names, addresses, ID numbers, credit card info, etc. are constantly being collected, tracked, analyzed, and in many cases even stored by organizations. With data being everywhere and its contents being so valuable, data breaches have become inevitable. Hackers gonna hack, and businesses have notoriously fallen short when it comes to protecting their customers' data, meaning that the hackers have been doing pretty well in this raging cyberwar.
And here enters the GDPR. But first, let's quickly rewind and refresh our memory about what the GDPR is.
Simply put, the GDPR is a new set of rules in place for EU citizens to have more control over their data while simplifying the data-related regulations for businesses. The new rules and regulations aim to reflect the fast-paced and connected world we live in.
Following four years of long debates and vast preparation, the European Parliament approved the GDPR in April 2016. The GDPR will come into effect on the 25th of May, 2018, and all EU member nations are expected to have incorporated the GDPR into their own laws by the 6th of May.
The GDPR and Organizations
Under the GDPR, organizations will need to ensure that all personal data gathering is done in a legal manner and under strict conditions. Organizations are duty-bound to protect data from exploitation and must respect the rights of data owners. Organizations will also face some pretty serious penalties for failing to protect the data.
It's important to note that the GDPR applies to organizations and individuals operating and residing within the EU, as well as organizations outside the EU which offer services or goods to customers in the EU. The GDPR essentially is legislation that extends around the world, as companies based outside the EU will still need to comply.
On the topic of how the GDPR will affect businesses, the European Commission says that "By unifying Europe's rules on data protection, lawmakers are creating a business opportunity and encouraging innovation." The Commission claims that having one authority for the entire EU should make compliance a simpler and cheaper process for businesses operating within the region. This is to be achieved through products and technologies that provide what is, essentially, "data protection by design and by default" (Art. 25).
The GDPR and Citizens
One of the biggest changes brought by the GDPR is how citizens are now armed with the right to know when their data has been breached. Organizations will be required by law to notify the designated and relevant national organizations as soon as a breach is detected to help ensure that their customers' data is not being abused. Furthermore, customers will now have a more transparent view of how their data is processed.
It really feels like many organizations have already been making some steps towards that transparency between them and their customers. I, for one, have already started receiving emails from companies giving me much more information on how my data is used. Additionally, many organizations have been contacting customers to see whether or not they still want to be part of their database, making it as easy as ever for a customer to opt-out of being on mailing lists.
Finally, the GDPR is, at last, bringing in the much-talked-about 'right to be forgotten' process (Art. 17). This process allows citizens who no longer want their data to be processed, or to exist and flow through systems at all, to have it deleted (once they've proved there are no grounds for the company to keep it).
The GDPR and Data Breaches
As mentioned earlier in this blog post, once the GDPR comes into effect, it will introduce a new set of rules all organizations must follow when it comes to a data breach. For starters, organizations are obligated to report any breach or unauthorized occurrence involving the personal data of their customers. If a name, address, health record, bank detail, or any other bit of private data is breached or accessed by a malicious party, the organization is obliged to tell those affected and must report it to the relevant regulatory body so that the extent of the damage can be limited.
When a data breach occurs, the breach must be reported to the relevant regulatory body within 72 hours of the organization being made aware. At the same time, if the breach calls for customers to be notified, the GDPR rules that customers must be informed to handle the damage 'as soon as possible.'
When a breach occurs, the organization must let affected customers know via a breach notification (Art. 33) sent directly to the victims. This means that a press release or a notice on the company website does not cover the organization's obligation to let its customers know; the notification must be one-on-one.
Fines and Penalties
The GDPR does not mess around. Failure to comply with the GDPR comes with serious financial repercussions, which will depend on the severity of the data breach and on whether the organization appears to have taken the compliance and security regulations seriously. Fines range from 10 million Euros to 4% of the organization's annual global turnover (meaning, for some companies, billions of Euros). There is a maximum fine of 20 million Euros (or, if greater, 4% of annual global turnover) for violations of data owners' rights, not giving customers access to their data when they request it, illegal or unauthorized international transfer of personal data, and failure to put the necessary GDPR procedures in place.
The GDPR and AppSec
I recommend reviewing the following Articles to learn more about the application security requirements in the GDPR: 25, 32, 33, 34, and 35. These articles set out what organizations need to do when securing the data flowing through their applications, in addition to what needs to be done if there is a data breach. Here are some notable takeaways:
- As mentioned earlier in this blog post (but I'm emphasizing it again here), organizations must follow the 'privacy/security by design' rule to ensure data is secured from attackers by default. The idea is that data security and privacy must be considered during the product's planning phase, as opposed to during development (or even further down the line).
- For existing operations, organizations must work to discover any weak points in how the data flowing through them is processed and handled, by performing a gap analysis to find what works and what needs to be improved or removed.
- Organizations should make a habit of 'spring cleaning' to remove any data that is no longer needed.
I hope this blog post has shed some light on what is to come with the GDPR. So, is your organization GDPR ready?
Published at DZone with permission of Arden Rubens, DZone MVB.