The General Data Protection Regulation (GDPR) provides a single set of rules for protecting the personal data of all European Union (EU) residents and visitors. Replacing both the 1995 Data Protection Directive and any data privacy laws enacted by individual EU member states, the GDPR’s primary objectives are to:
- Establish personal data protection as a fundamental human right, including the individual’s right to access, correct, erase, or port his or her personal data.
- Strengthen baseline requirements and responsibilities for ensuring personal data protection.
- Provide standardized application of data protection rules across the EU, thereby facilitating the legitimate flow of personal data within and beyond the EU and European Economic Area (EEA).
The GDPR, which goes into effect on May 25, 2018, applies to any organization that provides goods and services to or monitors individuals in the EU, whether or not the organization has a physical presence in the EU/EEA. Non-compliance can result in fines up to €20,000,000 or 4% of an organization’s total global revenues.
The GDPR defines various roles and activities essential for implementing its requirements, including:
| Term | Definition |
|---|---|
| Data Controller | Entity determining the purposes and means of processing of personal data. Examples: a manufacturing company collecting personal data from its employees; a cloud service provider offering data storage; an ISP requiring user payments. |
| Data Processor | Entity that processes data on behalf of the Data Controller. Examples: a payroll company processing employee paychecks on behalf of a manufacturing company; a cloud service provider storing personal data; a bank collecting ISP payments. |
| Data Processing | Any automated or partially-automated operation performed on personal data. Examples: adapting, altering, collecting, combining, consulting, destroying, disseminating, erasing, organizing, recording, restricting, retrieving, storing, structuring, or using. |
| Data Subject | A natural person whose personal data is processed by a controller or processor. Example: an employee of a manufacturing company. |
| Personal Data | Any information that can directly or indirectly identify a specific Data Subject. |
| Profiling | Any data processing intended to evaluate, analyze, or predict Data Subject behavior. Examples: performance at work, economic situation, health, personal preferences, interests, reliability, consumer behavior, location/movements. |
The GDPR contains 99 articles describing data protection and enforcement rules. The following are the most relevant from a data security perspective.
Article 25 — Data protection by design and default. The Data Controller must implement technical and organizational measures that ensure:
- Personal data cannot be attributed to an identified or identifiable Data Subject.
- Only the personal data necessary for a specific purpose can be processed.
Article 32 — Security of data processing. Both Data Controllers and Data Processors must implement technical and organizational measures that allow:
- Pseudonymizing or encrypting personal data.
- Maintaining ongoing confidentiality, integrity, availability, access, and resilience of processing systems and services.
- Restoring availability and access to personal data, in the event of a physical or technical security breach.
- Testing and evaluating the effectiveness of technical and organizational measures.
Article 33 — Notification of a personal data breach to supervisory authority. There are several key provisions of this article:
- Data Controllers must notify the appropriate supervisory authority within 72 hours of becoming aware of a personal data breach. If unable to make the notification within 72 hours, the Data Controller must provide a reason for the delay.
- Data Processors must notify the appropriate Data Controller immediately upon discovering a personal data breach.
- Notification, at a minimum, must describe the nature and consequences of the data breach, the type and approximate number of affected Data Subjects and data records, remedial actions taken or proposed, and the name and contact information of a person who can provide additional information.
- If it’s not possible to provide all the required information at the same time, information can be provided in phases as it becomes available.
Article 34 — Communication of a personal data breach to the data subject. If a data breach risks the rights and freedoms of the affected Data Subjects, then the Data Controller must, without undue delay, notify each affected person. The notification must use clear, plain language to communicate the same information required in Article 33.
Article 35 — Data protection impact assessment. Data Controllers must perform a Data Protection Impact Assessment (DPIA) whenever a new processing operation — either a process or processing technology — is proposed. The DPIA, at a minimum, must include the following:
- A description of the new processing operation, its purpose, and necessity relative to the stated purpose.
- An assessment of the potential risks to the rights and freedoms of Data Subjects.
- A description of proposed measures to mitigate risks, including safeguards and security measures.
Article 44 — General principle for transfers. The transfer of personal data beyond the EU/EEA is prohibited unless certain data protection conditions are met by both the Data Controller and Data Processor. Details are provided in the GDPR — Article 44 post.
The GDPR is deliberately vague on specific technological measures to implement, recognizing that there are a variety of ways to safeguard personal data. However, there are several data-centric security measures that can effectively protect data at rest and in transit across networks, servers, applications, or endpoints.
| Security measure | Description |
|---|---|
| | Monitors, logs, and reports on data structure changes. Shows compliance auditors that changes to the database can be traced to accepted change tickets. |
| Data access across borders management | Limits which data can be accessed by users outside defined borders. |
| Data discovery and classification | Discovers and provides visibility into the location, volume, and context of data on premises, in the cloud, and in legacy databases. Classifies the discovered data according to its personal information data type (credit card number, email address, medical records, etc.) and its security risk level. |
| Data loss prevention | Monitors and protects data in motion on networks, at rest in data storage, or in use on endpoint devices. Blocks attacks, privilege abuse, unauthorized access, malicious web requests, and unusual activity to prevent data theft. |
| | Anonymizes data via encryption/hashing, generalization, perturbation, etc. |
| | Pseudonymizes data by replacing sensitive data with realistic fictional data that maintains operational and statistical accuracy. |
| | Ensures data integrity and confidentiality through change control reconciliation, data-across-borders controls, query whitelisting, etc. |
| | Maintains strict separation between business groups to comply with M&A requirements, government clearance, etc. |
| Privileged user monitoring | Monitors privileged user database access and activities. Blocks access or activity, if necessary. |
| Secure audit trail archiving | Secures the audit trail from tampering, modification, or deletion, and provides forensic visibility. |
| Sensitive data access auditing | Monitors access to and changes of data protected by law, compliance regulations, and contractual agreements. Triggers alarms for unauthorized access or changes. Creates an audit trail for forensics. |
| User rights management | Identifies excessive, inappropriate, and unused privileges. |
| | Maps the web application end user to the shared application/database user and then to the final data accessed. |
| VIP data privacy | Maintains strict access control on highly sensitive data, including data stored in multi-tier enterprise applications such as SAP and PeopleSoft. |