GDPR

The General Data Protection Regulation (GDPR) provides a single set of rules for protecting the personal data of all European Union (EU) residents and visitors. Replacing both the 1995 Data Protection Directive and any data privacy laws enacted by individual EU member states, the GDPR’s primary objectives are to:

  • Establish personal data protection as a fundamental human right, including the individual’s right to access, correct, erase, or port his or her personal data.
  • Strengthen baseline requirements and responsibilities for ensuring personal data protection.
  • Provide standardized application of data protection rules across the EU, thereby facilitating the legitimate flow of personal data within and beyond the EU and European Economic Area (EEA).

Territorial Scope

The GDPR, which goes into effect on May 25, 2018, applies to any organization that provides goods and services to or monitors individuals in the EU, whether or not the organization has a physical presence in the EU/EEA. Non-compliance can result in fines up to €20,000,000 or 4% of an organization’s total global revenues.

Key Terms

The GDPR defines various roles and activities essential for implementing its requirements, including:

Data Controller
  Entity determining the purposes and means of processing of personal data.
  Examples: A manufacturing company collecting personal data from its employees. A cloud service provider offering data storage. An ISP requiring user payments.

Data Processor
  Entity that processes data on behalf of the data controller.
  Examples: A payroll company processing employee paychecks on behalf of a manufacturing company. A cloud service provider storing personal data. A bank collecting ISP payments.

Data Processing
  Any automated or partially automated operation performed on personal data.
  Examples: Adapting, altering, collecting, combining, consulting, destroying, disseminating, erasing, organizing, recording, restricting, retrieving, storing, structuring, or using.

Data Subject
  A natural person whose personal data is processed by a controller or processor.
  Example: An employee of a manufacturing company.

Personal Data
  Any information that can directly or indirectly identify a specific Data Subject.
  Examples:
  • Biometric data, including physical characteristics such as height or weight; physiological characteristics such as DNA, fingerprints, or facial recognition images; and behavioral characteristics such as gait or voice.
  • Genetic characteristics acquired at birth, such as ethnic or racial characteristics.
  • Health data, including records of physical/mental conditions and healthcare codes.
  • Other data, including online identifiers such as IP addresses, cookies, geolocation, or radio frequency tags; device identifiers such as MAC addresses; personal identifying information (PII) such as name, employee number, medical record number, or social security number; emails, instant messages, photos, and cultural, economic, or social data.

Profiling
  Any data processing intended to evaluate, analyze, or predict Data Subject behavior.
  Examples: Performance at work, economic situation, health, personal preferences, interests, reliability, consumer behavior, location/movements.

Compliance Requirements

The GDPR contains 99 articles describing data protection and enforcement rules. The following are the most relevant from a data security perspective.

Article 25 — Data protection by design and default. The Data Controller must implement technical and organizational measures that ensure:

  • Personal data cannot be attributed to an identified or identifiable Data Subject.
  • Only the personal data necessary for a specific purpose can be processed.

Article 32 — Security of data processing. Both Data Controllers and Data Processors must implement technical and organizational measures that allow:

  • Pseudonymizing or encrypting personal data.
  • Maintaining ongoing confidentiality, integrity, availability, access, and resilience of processing systems and services.
  • Restoring availability and access to personal data, in the event of a physical or technical security breach.
  • Testing and evaluating the effectiveness of technical and organizational measures.

Article 33 — Notification of a personal data breach to supervisory authority. There are several key provisions of this article:

  • Data Controllers must notify the appropriate supervisory authority within 72 hours of becoming aware of a personal data breach. If unable to make the notification within 72 hours, the Data Controller must provide a reason for the delay.
  • Data Processors must notify the appropriate Data Controller immediately upon discovering a personal data breach.
  • Notification, at a minimum, must describe the nature and consequences of the data breach, the type and approximate number of affected Data Subjects and data records, remedial actions taken or proposed, and the name and contact information of a person who can provide additional information.
  • If it’s not possible to provide all the required information at the same time, information can be provided in phases as it becomes available.

Article 34 — Communication of a personal data breach to the data subject. If a data breach puts the rights and freedoms of the affected Data Subjects at risk, then the Data Controller must, without undue delay, notify each affected person. The notification must use clear, plain language to communicate the same information required in Article 33.

Article 35 — Data protection impact assessment. Data Controllers must perform a Data Protection Impact Assessment (DPIA) whenever a new processing operation — either a process or processing technology — is proposed. The DPIA, at a minimum, must include the following:

  • A description of the new processing operation, its purpose, and necessity relative to the stated purpose.
  • An assessment of the potential risks to the rights and freedoms of Data Subjects.
  • A description of proposed measures to mitigate risks, including safeguards and security measures.

Article 44 — General principle for transfers. The transfer of personal data beyond the EU/EEA is prohibited unless certain data protection conditions are met by both the Data Controller and Data Processor. Details are provided in the GDPR — Article 44 post.

Compliance Methods

The GDPR is deliberately vague on specific technological measures to implement, recognizing that there are a variety of ways to safeguard personal data. However, there are several data-centric security measures that can effectively protect data at rest and in transit across networks, servers, applications, or endpoints.

[Table: the original page cross-references each of the following methods against GDPR Articles 25, 32, 33, 34, 35, and 44; only the method names and descriptions are reproduced here.]
Change management

Monitors, logs, and reports on data structure changes. Shows compliance auditors that changes to the database can be traced to accepted change tickets.

Data access across borders management

Limits which data can be accessed by users outside defined borders.

Data discovery and classification

Discovers and provides visibility into the location, volume, and context of data on premises, in the cloud, and in legacy databases. Classifies the discovered data according to its personal information data type (credit card number, email address, medical records, etc.) and its security risk level.
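The classification step described above, as an added example (not code from the original page or from Imperva): each column of a sampled table is tagged with a personal-data type and a risk level so that the high-risk columns can be routed to encryption and access auditing. The regular expressions, type names, risk levels, the assumed medical-record-number format ("MRN" plus 6 to 8 digits) and the sample table are all constructed for this example; the Luhn check is the standard card-number checksum and keeps ordinary digit runs (order numbers, timestamps) out of the card-number bucket.

```python
import re
from collections import Counter

# Classification rules for this example: pattern, data type, risk level.
# Patterns, type names and risk levels are assumptions chosen for illustration,
# not a standard taxonomy. The MRN format is a constructed convention.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
CARD_RE = re.compile(r"^(?:\d[ -]?){13,19}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
MRN_RE = re.compile(r"^MRN\d{6,8}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str) -> tuple[str, str]:
    """Return (data_type, risk_level) for a single cell value."""
    v = value.strip()
    if CARD_RE.match(v) and luhn_ok(re.sub(r"[ -]", "", v)):
        return "credit_card_number", "high"
    if MRN_RE.match(v):
        return "medical_record_number", "high"
    if EMAIL_RE.match(v):
        return "email_address", "medium"
    if IPV4_RE.match(v) and all(int(o) <= 255 for o in v.split(".")):
        return "ip_address", "medium"
    return "none", "low"


def classify_column(values: list[str]) -> dict:
    """Majority vote over the sampled values of one column. A few stray matches
    in a free-text column do not make it a card-number column, but the match
    ratio is reported so an auditor can follow up on mixed columns."""
    counts = Counter(classify_value(v) for v in values)
    (dtype, risk), n = counts.most_common(1)[0]
    return {"type": dtype, "risk": risk, "ratio": round(n / len(values), 2)}


def scan_table(table: dict[str, list[str]]) -> dict[str, dict]:
    """Classify every column of a table given as {column: sampled values}."""
    return {col: classify_column(vals) for col, vals in table.items()}


def high_risk_columns(report: dict[str, dict]) -> list[str]:
    """Columns that need the strongest controls (encryption, access auditing)."""
    return sorted(c for c, r in report.items() if r["risk"] == "high")


# Constructed sample: a few values sampled from five columns of a customer table.
SAMPLE_TABLE = {
    "customer_email": ["alice@example.com", "bob@example.org", "not an email"],
    "card_number": ["4111 1111 1111 1111", "5500 0000 0000 0004", "4111111111111112"],
    "record_no": ["MRN0012345", "MRN0012346", "MRN0099999"],
    "client_ip": ["10.0.0.1", "192.168.1.254", "256.1.1.1"],
    "notes": ["ok", "follow up", "hello"],
}

if __name__ == "__main__":
    report = scan_table(SAMPLE_TABLE)
    for col, r in report.items():
        print(f"{col:15s} {r['type']:22s} risk={r['risk']:6s} ratio={r['ratio']}")
    print("high-risk columns:", high_risk_columns(report))
```

The third card value fails the Luhn check and the last IP has an out-of-range octet, so both columns are reported with a 0.67 match ratio rather than 1.0; in a real discovery run that ratio is the cue to inspect the column by hand before deciding on controls.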

Data loss prevention

Monitors and protects data in motion on networks, at rest in data storage, or in use on endpoint devices. Blocks attacks, privilege abuse, unauthorized access, malicious web requests, and unusual activity to prevent data theft.

Data masking

Anonymizes data via encryption/hashing, generalization, perturbation, etc.

Pseudonymizes data by replacing sensitive data with realistic fictional data that maintains operational and statistical accuracy.
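The masking techniques named above (keyed hashing, generalization, perturbation) applied to a small HR data set, as an added example that is not code from the original page or from Imperva. The key, the employee records and the field choices are constructed for this example. Identifiers are replaced with HMAC-SHA256 tokens rather than plain hashes, because a plain hash of a name or e-mail can be reversed by hashing a list of likely inputs; the token-to-original mapping is returned as a separate vault, which is the "additional information" GDPR pseudonymization requires to be kept apart from the masked data.

```python
import hashlib
import hmac
import random

# Pseudonymization key. Constructed value for this example; in production it
# lives in a KMS or HSM, separate from the masked data set.
PSEUDO_KEY = b"example-pseudonymization-key"


def pseudonymize(value: str, key: bytes = PSEUDO_KEY) -> str:
    """Keyed HMAC-SHA256 token. Deterministic, so joins and counts still work,
    but not reversible by dictionary attack without the key."""
    normalized = value.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def generalize_age(age: int, width: int = 10) -> str:
    """Replace an exact age with a band, e.g. 34 -> '30-39'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def generalize_postcode(postcode: str, keep: int = 3) -> str:
    """Keep only the leading characters, e.g. 'SW1A 1AA' -> 'SW1*'."""
    return postcode.replace(" ", "").upper()[:keep] + "*"


def perturb(value: float, pct: float, rng: random.Random) -> float:
    """Multiplicative noise within +/-pct. Individual values change, but the
    column mean stays within pct of the original, which keeps the masked set
    statistically useful."""
    return round(value * (1 + rng.uniform(-pct, pct)), 2)


def mask_record(rec: dict, rng: random.Random) -> tuple[dict, dict]:
    """Return (masked record, vault entries). The vault maps tokens back to
    the original identifiers and must be stored separately from the masked
    data. The name is dropped outright: nothing downstream needs it."""
    masked = {
        "employee_id": pseudonymize(rec["employee_id"]),
        "email": pseudonymize(rec["email"]),
        "age_band": generalize_age(rec["age"]),
        "postcode_area": generalize_postcode(rec["postcode"]),
        "salary": perturb(rec["salary"], 0.05, rng),
        "department": rec["department"],  # non-identifying, kept as is
    }
    vault = {masked["employee_id"]: rec["employee_id"], masked["email"]: rec["email"]}
    return masked, vault


def mask_dataset(records: list[dict], seed: int = 0) -> tuple[list[dict], dict]:
    """Mask a list of records; a fixed seed makes the perturbation reproducible."""
    rng = random.Random(seed)
    masked, vault = [], {}
    for rec in records:
        m, v = mask_record(rec, rng)
        masked.append(m)
        vault.update(v)
    return masked, vault


def mean_salary(records: list[dict]) -> float:
    return sum(r["salary"] for r in records) / len(records)


# Constructed HR records (fictional people) for the example.
EMPLOYEES = [
    {"employee_id": "E1001", "name": "Alice Example", "email": "Alice@Example.com",
     "age": 34, "postcode": "SW1A 1AA", "salary": 52000.0, "department": "sales"},
    {"employee_id": "E1002", "name": "Bob Sample", "email": "bob@example.org",
     "age": 47, "postcode": "EC2V 7HH", "salary": 61000.0, "department": "ops"},
    {"employee_id": "E1003", "name": "Carol Test", "email": "carol@example.net",
     "age": 29, "postcode": "M1 1AE", "salary": 43500.0, "department": "sales"},
]

if __name__ == "__main__":
    masked, vault = mask_dataset(EMPLOYEES, seed=42)
    for m in masked:
        print(m)
    print("vault entries (store separately):", len(vault))
    print("mean salary original/masked:", mean_salary(EMPLOYEES), mean_salary(masked))
```

Generalization and perturbation are the anonymization-leaning steps: once the age band and postcode area are all that remain, the record no longer singles out one person, while the perturbed salaries still give the same departmental averages to within the chosen noise bound.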

Data protection

Ensures data integrity and confidentiality through change control reconciliation, data-across-borders controls, query whitelisting, etc.

Ethical walls

Maintains strict separation between business groups to comply with M&A requirements, government clearance, etc.

Privileged user monitoring

Monitors privileged user database access and activities. Blocks access or activity, if necessary.

Secure audit trail archiving

Secures the audit trail from tampering, modification, or deletion, and provides forensic visibility.

Sensitive data access auditing

Monitors access to and changes of data protected by law, compliance regulations, and contractual agreements. Triggers alarms for unauthorized access or changes. Creates an audit trail for forensics.
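One way to combine the two items above, secure audit trail archiving and sensitive data access auditing, as an added example (not code from the original page or from Imperva): each database access event is appended to a hash-chained, HMAC-protected trail and checked against an access policy, so unauthorized access raises an alert immediately and any later edit or deletion of a trail entry is detected on verification. The HMAC key, the sensitive-table policy, the log line format and the sample log lines (fictional users) are all constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Optional

# HMAC key for the audit trail. Constructed for this example; in practice it is
# held by the audit system (KMS/HSM), never by the database accounts whose
# activity is recorded, so a privileged user cannot re-sign a modified trail.
AUDIT_KEY = b"example-audit-trail-key"

# Assumed access policy: sensitive tables and the roles allowed to touch them.
SENSITIVE_TABLES = {
    "patients": {"clinician", "dba"},
    "payroll": {"hr", "dba"},
}


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for f in fields:
        k, v = f.split("=", 1)
        event[k] = int(v) if k == "rows" else v
    return event


def check_access(event: dict) -> Optional[dict]:
    """Alert when a role outside the policy reads or changes a sensitive table."""
    allowed = SENSITIVE_TABLES.get(event.get("table"))
    if allowed is None or event.get("role") in allowed:
        return None
    return {
        "severity": "high",
        "ts": event["ts"],
        "user": event["user"],
        "role": event["role"],
        "table": event["table"],
        "action": event["action"],
        "reason": f"{event['user']} ({event['role']}) ran {event['action']} on {event['table']}",
    }


def record_mac(prev_mac: str, event: dict, key: bytes = AUDIT_KEY) -> str:
    """MAC over the previous entry's MAC and this event: the chain link."""
    payload = prev_mac.encode() + json.dumps(event, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditTrail:
    """Append-only, hash-chained audit trail with inline access checking."""

    def __init__(self, key: bytes = AUDIT_KEY):
        self.key = key
        self.entries: list = []
        self.alerts: list = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else "genesis"
        entry = {"event": event, "mac": record_mac(prev, event, self.key)}
        self.entries.append(entry)
        alert = check_access(event)
        if alert:
            self.alerts.append(alert)
        return entry

    def verify(self) -> tuple:
        """Recompute the chain. Returns (True, -1) if intact, otherwise
        (False, index of the first entry whose MAC no longer matches).
        Editing or deleting an entry breaks every link after it; only
        truncation of the tail is invisible here, so the latest MAC should
        also be anchored outside the database (for example, sent to a SIEM)."""
        prev = "genesis"
        for i, e in enumerate(self.entries):
            expected = record_mac(prev, e["event"], self.key)
            if not hmac.compare_digest(expected, e["mac"]):
                return False, i
            prev = e["mac"]
        return True, -1


def ingest(lines: list) -> AuditTrail:
    trail = AuditTrail()
    for line in lines:
        if line.strip():
            trail.append(parse_line(line))
    return trail


# Constructed audit log lines (fictional users) for the example.
SAMPLE_LOG = """\
2018-05-25T08:55:12Z user=mgarcia role=clinician action=SELECT table=patients rows=12
2018-05-25T09:02:47Z user=jsmith role=analyst action=SELECT table=patients rows=5000
2018-05-25T09:10:03Z user=tlee role=hr action=UPDATE table=payroll rows=1
2018-05-25T09:15:30Z user=svc_backup role=dba action=SELECT table=orders rows=250000
2018-05-25T09:20:11Z user=jsmith role=analyst action=DELETE table=payroll rows=40
"""

if __name__ == "__main__":
    trail = ingest(SAMPLE_LOG.splitlines())
    for a in trail.alerts:
        print("ALERT", a["severity"], a["reason"])
    print("chain intact:", trail.verify())
    trail.entries[1]["event"]["rows"] = 1  # simulate someone editing a record
    print("after tampering:", trail.verify())
```

Two of the five sample events trigger alerts (the analyst reading patients and deleting from payroll); the clinician, HR and backup accesses stay within policy. Changing the row count on the second entry after the fact, or dropping the third entry, makes verification fail at exactly that position, which is the forensic visibility the audit trail is meant to provide.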

User rights management

Identifies excessive, inappropriate, and unused privileges.

User tracking

Maps the web application end user to the shared application/database user and then to the final data accessed.

VIP data privacy

Maintains strict access control on highly sensitive data, including data stored in multi-tier enterprise applications such as SAP and PeopleSoft.


Learn how Imperva data security and data masking solutions can help meet compliance requirements.
