The Imperva Viewpoint on the EU General Data Protection Regulation
When it comes to doing business in Europe, there’s a topic that’s coming up with increasing frequency: compliance with the EU General Data Protection Regulation (GDPR), officially known as Regulation (EU) 2016/679. Although enforcement of the GDPR is not set to begin until the spring of 2018, companies worldwide are already making plans to meet the requirements of the GDPR.
As with most laws, poring over and making sense of regulatory requirements that span dozens of pages can be a mind-numbing exercise.
Here, we do our best to distill it down to some of the most salient points so you can better understand what you need to do to be in compliance come 2018. For organizations adopting cloud apps such as Microsoft Office 365 and Dropbox, we also provide some practical advice on how cloud access security brokers (CASBs) can help support GDPR initiatives related to cloud data.
The raison d’être of the GDPR
For those who need a refresher on the GDPR, it’s the new regulation on data protection for the European Union (EU). It aims to unify the various data protection laws in the EU while at the same time simplifying and modernizing the regulatory environment for companies doing business in Europe. The GDPR provides guidance on how personal data can be processed and shared, as well as the financial penalties for non-compliance.
Supersedes the Data Protection Directive
The GDPR wields a “bigger stick” than its predecessor, the Data Protection Directive (95/46/EC), in that the GDPR trumps the individual EU member states’ national data protection laws. The challenge with the previous Directive was that it was just that, only a directive, and required each member state to adopt laws to implement the principles contained in the Directive. The GDPR provides rules in the form of a Regulation, which allow for uniformity and predictability lacking in the Directive.
Doesn’t just apply to European companies
If you’re a non-European company reading this, don’t think the GDPR doesn’t apply to you. It does apply if you do business in Europe that necessarily involves the personal data of EU residents or visitors.
Bring-your-own-device (BYOD) proliferation, cloud app adoption, and an increasingly mobile workforce make the GDPR that much more applicable and relevant beyond European borders. That means anyone doing business in Europe, regardless of where they’re based, must comply with the provisions of the GDPR.
When you look at the definitions section of the GDPR, there are a few definitions that will shape the security and compliance strategies of companies doing business in Europe.
Personal data – The heart of what the GDPR is designed to protect. It covers essentially any information related to a “data subject.”
Data subject – Any natural person who can be identified (directly or indirectly) by reference to an identifier, e.g., an identification number, location data, an online identifier, or by reference to some other factor that points to the “physical, physiological, genetic, mental, economic, cultural or social” identity of that person. Basically, this is any human and could be someone like you or me who works at, say, a small security software company.
Controller – A “person, public authority, agency or any other body which, alone or jointly with others, determines the purposes, conditions, and means of the processing of personal data” – an example would be that same small security software company referenced above that must use some of its employees’ personal data to pay them and chooses to outsource its payroll operations to a cloud-based service provider.
Processor – A “person, public authority, agency or any other body which processes personal data on behalf of the controller” – an example would be the cloud-based payroll services provider referenced above.
Tips to remain compliant with the GDPR
Because IT infrastructures can be quite complex and amounts of data are growing exponentially, you should be thinking of how to meet the compliance requirements of the GDPR sooner rather than later, even though full enforcement isn’t set to begin until 2018. Here are some items to consider:
Know where your data is stored
As more business processes are moving to the cloud, it’s becoming more challenging to pinpoint exactly where your data is being stored, especially given the distributed nature of the cloud.
For instance, apps like Office 365 and Dropbox are built on a worldwide infrastructure and may use service locations in countries you hadn’t expected – meaning the data uploaded by individuals may end up outside the country, creating a situation of potential non-compliance with the GDPR.
If you’re a controller, you should take steps to understand where the processor (e.g., the cloud service provider that handles your payroll processing) is storing your data and if the processor has the necessary security policies and procedures in place to protect your data.
Sample questions to ask your processors, to gauge how well conceived and executed their security policies, procedures, and systems are, include:
- Who owns the data – you or me?
- What kind of data are you collecting (e.g., just the metadata, full site traffic, etc.)?
- How long are you holding my data?
- Are you using encryption, data masking, or some other technique to meet my specific compliance and security requirements?
- Can I choose or control where my data is stored in the cloud, whether by country, region, or cloud app?
- Who owns the data when I stop using your cloud service? Is it immediately destroyed? Or do you continue to “hold” my data?
Ensure the appropriate security measures are in place
Both controllers and processors have an obligation to adopt security measures to protect personal data. There are a number of measures that can fall into this category:
- Enforcement of real-time data loss prevention policies
- Enforcement of multi-factor authentication as an additional security layer
- Enforcement of granular access policies (i.e., for managed devices or BYOD) to prevent proliferation of personal data
- Regular scanning of processor repositories to identify personal data
Understand all your compliance requirements
In addition to the GDPR, you should see if your processor meets compliance requirements (e.g., PCI, SOC-2 Type I, ISO 27001) that impact whether you remain GDPR-compliant yourself. The bottom line is you should walk away with a clear understanding of what security and compliance certifications your processors have attained.
Evaluate Cloud Access Security Brokers (CASBs) to help with GDPR compliance
CASBs, such as Imperva Skyfence, provide IT organizations with visibility and control over both sanctioned and unsanctioned cloud applications. Some CASBs offer detailed visibility over where the cloud service provider is storing your data within their application, provide information on their compliance posture, and can also enforce fine-grained controls over access to data from endpoints in locations that would run afoul of the GDPR. Additionally, Imperva Skyfence has established data center operations in Germany to host services within the EU to help customers meet GDPR requirements.
Only the beginning…
Undoubtedly, best practices will emerge as GDPR compliance builds more of a track record. In the meantime, though, it’s not too early for companies across all industries to start strategizing and planning for GDPR compliance.
Stay tuned to www.imperva.com for more data protection tips and GDPR strategies.