General Data Protection Regulation (GDPR): Getting Started with Data Privacy
The European Union General Data Protection Regulation (GDPR) will fundamentally change the way European Union private data is collected and protected. The EU has demonstrated a will to enforce exorbitant fines of up to 4 percent of the company annual revenues or 20 million Euros. The potentially debilitating penalties combined with the high probability of brand damage will ensure that risk-adverse companies will take comprehensive measures to comply in a timely fashion.
In addition to the organizational process requirements, the GDPR includes a number of specific technical requirements for protecting private data and the time limits for reporting data breaches.
Our goal here is to help companies successfully navigate the data privacy and security requirements outlined in the GDPR. The following timeline is a guideline for smooth adoption of data protection and compliance technologies.
- Stage 1: 0-6 months
- Stage 2: 6-12 months
- Stage 3: 12-24 months
The web content will be updated frequently and expanded over the next 24 months to reflect the transition through each stage. Imperva products and solutions are featured to highlight the specific technologies that can help address individual GDPR requirements.
WHERE ARE THE TECHNICAL DATA SECURITY REQUIREMENTS FOR GDPR?
Buried deep within the 88 pages and 99 articles that comprise the GDPR are several direct references to the technology requirements and other less direct language that will require the use of technology to achieve compliance. The following articles contain, or refer to most of the new rules relating to data security:
- Article 25: Data protection by design and by default
- Article 32: Security of processing
- Articles 33 and 34: Breach notification
- Article 35: Data protection impact assessment
WHY SHOULD YOU START YOUR GDPR PROJECT NOW?
The GDPR has both a “carrot” and a “stick” to facilitate the adoption of the new regulation. For those that successfully meet the requirements, there is the optional benefit of a certification that can be used competitively to position your company favorably. For the laggards, there is the risk of warnings, penalties, negative press and loss of customer confidence and market share.
Article 25 introduces the framework for this incentive model, “Data protection by design and by default.” It stipulates that data minimization and data protection both should be planned for and executed on a continual basis through the implementation of organizational and technical measures to meet the requirements of the regulation and avoid fines. It then goes on to provide an optional mechanism for certification of compliance to help companies achieve a competitive advantage.
CURRENT CHALLENGES AND TECHNOLOGIES TO CONSIDER
The project timeline for your GDPR project will naturally begin with an assessment of your company’s current data environment, including the following:
- Data discovery and inventory of known and unknown data repositories
- Data flow and touchpoints including sub-processors
- Data security and compliance technology inventory and gap analysis
The data inventory will facilitate the classification of data, which is an underlying requirement of Article 35. Conducting the database discovery, sensitive data inventory and classification of the data manually is not feasible for most companies with heterogeneous or large database environments. For this reason, one of the first technologies you should investigate is data discovery and classification.
The dynamic nature of data within an organization dictates that data discovery and classification occur on a regular basis with actionable results captured for audit and compliance reporting. Automation and integration of this functionality within the larger technology stack will simplify the transition from discovery and classification to policy application, activity monitoring and user rights management, all requirements of Article 32.
Data discovery + Data classification + Data minimization + Data monitoring =
Reduced risk + Faster response
With an effective implementation of layered security, companies can significantly reduce the volume of private data they manage and minimize the risk of a data breach. The same security stack should simplify and facilitate a rapid incident response and reporting process to ensure compliance with the breach notification requirements.
Data breach notification without undue delay and in most cases within 72 hours of becoming aware of the breach represents the core requirement of Article 33. The notification requirement is one of the most talked about aspects of GDPR since the breach reports, and associated fines will fuel headlines and potential for negative press coverage across Europe.
TECHNOLOGY GAP ANALYSIS
While the security technology stack at companies is often broad, it is not always even or deep. Most risk-averse companies will already have deployed some form of data backup, user access management, web application firewall and network protection solutions, but a large number lack a dedicated data security solution that is designed specifically to protect data.
The core technologies required to enable protection of the data and facilitate timely notification include:
- Data discovery
- User rights management
- Data activity monitoring with blocking
- Data classification
- Data masking
- User monitoring
- Incident analysis and reporting