What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) provides a single set of rules for protecting the personal data of all European Union (EU) residents and visitors. Its data privacy provisions replace both the 1995 Data Protection Directive and the data privacy laws enacted by individual EU member states. The GDPR’s primary objectives are to:
- Establish personal data protection as a fundamental human right, including the individual’s right to access, correct, erase, or port his or her personal data.
- Strengthen baseline requirements and responsibilities for ensuring personal data protection.
- Provide standardized application of data protection rules across the EU, thereby facilitating the legitimate flow of personal data within and beyond the EU and European Economic Area (EEA).
GDPR Personal Data Definition
GDPR’s personal data definition includes any information that can directly or indirectly identify a specific Data Subject. Examples:
- Biometric data, including physical characteristics such as height or weight; physiological characteristics such as DNA, fingerprints, or facial recognition images; and behavioral characteristics such as gait or voice.
- Genetic characteristics acquired at birth, such as ethnic or racial characteristics.
- Health data, including records of physical/mental conditions and healthcare codes.
- Other data, including online identifiers such as IP addresses, cookies, geolocation, or radio frequency tags; device identifiers such as MAC addresses; personal identifying information (PII) such as name, employee number, medical record number, or social security number; emails, instant messages, photos, cultural, economic, or social data.
GDPR rules, which went into effect on May 25, 2018, apply to any organization that provides goods and services to or monitors individuals in the EU, whether or not the organization has a physical presence in the EU/EEA. Non-compliance can result in fines up to €20,000,000 or 4% of an organization’s total global revenues.
Which Companies Does the GDPR Affect?
The GDPR guidelines affect any company that stores or processes personal data, as defined above, about European Union citizens. Importantly, this includes companies that do not operate or have offices in the EU.
A company is covered by GDPR data protection rules if it meets one of the following criteria:
- Has a business presence in an EU country.
- Does not have a presence in an EU country, but processes personal data from European residents.
- Has over 250 employees.
- Has fewer than 250 employees, but regularly processes data in a way that may impact the rights of European data subjects, or processes sensitive personal data as defined in the GDPR legislation.
Who is Responsible for GDPR Compliance in the Organization?
According to article 39 of the legislation, an organization must appoint a GDPR Data Protection Officer (DPO), who is responsible for overseeing the organization’s GDPR compliance, including the data protection strategy and its implementation.
The duties of the data protection officer are as follows:
- Conducting training for employees about their compliance obligations under the GDPR
- Assessing and auditing the organization to ensure it complies with the GDPR
- Recording the data processing activities performed by the company
- Serving as the point of contact between the company and the relevant GDPR supervisory authority
- Responding to data subject inquiries and informing them how their personal data is used and protected
- Receiving data subject requests to view or delete their personal data
The GDPR defines various roles and activities essential for implementing its requirements, including:
| Role or activity | Definition | Examples |
|---|---|---|
| Data Controller | Entity determining the purposes and means of processing personal data. | A manufacturing company collecting personal data from its employees. A cloud service provider offering data storage. An ISP requiring user payments. |
| Data Processor | Entity that processes data on behalf of the data controller. | A payroll company processing employee paychecks on behalf of a manufacturing company. A cloud service provider storing personal data. A bank collecting ISP payments. |
| Data Processing | Any automated or partially automated operation performed on personal data. | Adapting, altering, collecting, combining, consulting, destroying, disseminating, erasing, organizing, recording, restricting, retrieving, storing, structuring, or using. |
| Data Subject | A natural person whose personal data is processed by a controller or processor. | An employee of a manufacturing company. |
| Profiling | Any data processing intended to evaluate, analyze, or predict Data Subject behavior. | Performance at work, economic situation, health, personal preferences, interests, reliability, consumer behavior, location/movements. |
GDPR Rights: What are a Data Subject’s Rights?
In order to comply with GDPR, it is important to understand the rights the legislator has set out to protect. The GDPR grants data subjects the following basic rights:
- The right to be informed about how companies collect their personal data, how long they will retain it, how they will use it, and with whom they will share it.
- The right of access to the personal information collected by companies, including the ability to request a copy of the data.
- The right to rectification (correction) of data when it is incomplete or inaccurate.
- The right to erasure of personal data by a company, including the “right to be forgotten”. There are some exceptions, including when companies need the data to comply with legal obligations.
- The right to restrict processing of personal data by data controllers, even if the individual cannot request erasure.
- The right to data portability, meaning that data subjects can obtain and use their personal data, and request that companies send it electronically to third parties.
- The right to object to the processing of personal data, for example for scientific research, unless the company can demonstrate that its use of the data is legitimate.
- The right not to be subject to automated decision-making and to request a human review, including the right to be informed when a decision is made by an algorithm.
The GDPR contains 99 articles describing data protection and enforcement rules. The following are the main GDPR data security requirements.
Article 25 — Data protection by design and default. The Data Controller must implement technical and organizational measures that ensure:
- Personal data cannot be attributed to an identified or identifiable Data Subject.
- Only the personal data necessary for a specific purpose can be processed.
Article 32 — Security of data processing. Both Data Controllers and Data Processors must implement technical and organizational measures that allow:
- Pseudonymizing or encrypting personal data.
- Maintaining ongoing confidentiality, integrity, availability, access, and resilience of processing systems and services.
- Restoring availability and access to personal data, in the event of a physical or technical security breach.
- Testing and evaluating the effectiveness of technical and organizational measures.
Article 33 — Notification of a personal data breach to supervisory authority. There are several key provisions of this article:
- Data Controllers must notify the appropriate supervisory authority within 72 hours of becoming aware of a personal data breach. If unable to make the notification within 72 hours, the Data Controller must provide a reason for the delay.
- Data Processors must notify the appropriate Data Controller immediately upon discovering a personal data breach.
- Notification, at a minimum, must describe the nature and consequences of the data breach, the type and approximate number of affected Data Subjects and data records, the remedial actions taken or proposed, and the name and contact information of a person who can provide additional information.
- If it’s not possible to provide all the required information at the same time, information can be provided in phases as it becomes available.
Article 34 — Communication of a personal data breach to the data subject. If a data breach risks the rights and freedoms of the affected Data Subjects, then the Data Controller must, without undue delay, notify each affected person. The notification must use clear, plain language to communicate the same information required in Article 33.
Article 35 — Data protection impact assessment. Data Controllers must perform a Data Protection Impact Assessment (DPIA) whenever a new processing operation — either a process or processing technology — is proposed. The DPIA, at a minimum, must include the following:
- A description of the new processing operation, its purpose, and necessity relative to the stated purpose.
- An assessment of the potential risks to the rights and freedoms of Data Subjects.
- A description of proposed measures to mitigate risks, including safeguards and security measures.
Article 44 — General principle for transfers. The transfer of personal data beyond the EU/EEA is prohibited unless certain data protection conditions are met by both the Data Controller and Data Processor. Details are provided in the GDPR — Article 44 post.
What is a GDPR Data Breach Notification?
When a data breach occurs at an organization covered by the GDPR, the company is required to report it. This applies to data breaches that:
- Resulted in the loss or exposure of personal data to unauthorized parties
- Are likely to result in economic or social loss to data subjects (such as reputation damage, financial losses, exposure of confidential information, etc.)
The GDPR requires notification of the breach to the supervisory authority within 72 hours. In addition, in some cases the organization must also notify the individuals affected by the breach directly. Failure to report a breach can, in extreme cases, result in a fine under the GDPR of up to €10 million or 2% of revenues.
GDPR Compliance Checklist
The GDPR is deliberately vague on specific technological measures to implement, recognizing that there are a variety of ways to safeguard personal data. However, there are several data-centric security measures that can effectively protect data at rest and in transit across networks, servers, applications, or endpoints.
| Measure | Description |
|---|---|
| Change management | Monitors, logs, and reports on data structure changes. Shows compliance auditors that changes to the database can be traced to accepted change tickets. |
| Data access across borders management | Limits which data can be accessed by users outside defined borders. |
| Data discovery and classification | Discovers and provides visibility into the location, volume, and context of data on premises, in the cloud, and in legacy databases. Classifies the discovered data according to its personal information data type (credit card number, email address, medical records, etc.) and its security risk level. |
| Data loss prevention | Monitors and protects data in motion on networks, at rest in data storage, or in use on endpoint devices. Blocks attacks, privilege abuse, unauthorized access, malicious web requests, and unusual activity to prevent data theft. |
| Data masking | Anonymizes data via encryption/hashing, generalization, perturbation, etc. Pseudonymizes data by replacing sensitive data with realistic fictional data that maintains operational and statistical accuracy. |
| Data protection | Ensures data integrity and confidentiality through change control reconciliation, data-across-borders controls, query whitelisting, etc. |
| Ethical walls | Maintains strict separation between business groups to comply with M&A requirements, government clearance, etc. |
| Privileged user monitoring | Monitors privileged user database access and activities. Blocks access or activity, if necessary. |
| Secure audit trail archiving | Secures the audit trail from tampering, modification, or deletion, and provides forensic visibility. |
| Sensitive data access auditing | Monitors access to and changes of data protected by law, compliance regulations, and contractual agreements. Triggers alarms for unauthorized access or changes. Creates an audit trail for forensics. |
| User rights management | Identifies excessive, inappropriate, and unused privileges. |
| User tracking | Maps the web application end user to the shared application/database user and then to the final data accessed. |
| VIP data privacy | Maintains strict access control on highly sensitive data, including data stored in multi-tier enterprise applications such as SAP and PeopleSoft. |
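As an added worked example (not code from the original page or from Imperva), the following Python script strings together the data-centric steps that the checklist above and Articles 25 and 32 describe: discovering personal data in a set of records, classifying each field by data type and risk level, pseudonymizing the classified fields with a keyed hash so that the re-identification table can be held separately from the working data, and masking values that sit inside free text. The sample records, the classification taxonomy, the risk labels and the HMAC key are all constructed for the example; a production deployment would take the key from a key management service, not from source code.

```python
import hashlib
import hmac
import re
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample records; every value is fictional (example.org, RFC 5737 test addresses).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"employee_id": "E-1001", "name": "Alice Example", "email": "alice@example.org",
     "last_login_ip": "203.0.113.7", "notes": "Card 4111 1111 1111 1111 kept on file"},
    {"employee_id": "E-1002", "name": "Bob Example", "email": "bob@example.org",
     "last_login_ip": "198.51.100.23", "notes": "No payment data"},
]

# Hypothetical classification taxonomy: personal data type -> (detection pattern, risk level).
CLASSIFIERS: Dict[str, Tuple[re.Pattern, str]] = {
    "email_address": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "high"),
    "ipv4_address": (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "medium"),
    "payment_card": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "critical"),
}
RISK_ORDER = {"medium": 1, "high": 2, "critical": 3}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_personal_data(value: str) -> Iterator[Tuple[str, str]]:
    """Yield (data type, matched text) for every detection in one field value."""
    for data_type, (pattern, _risk) in CLASSIFIERS.items():
        for match in pattern.finditer(value):
            text = match.group()
            if data_type == "payment_card" and not luhn_ok(re.sub(r"\D", "", text)):
                continue
            yield data_type, text


def discover(records: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Data discovery: map each field name to the personal data types seen in any record."""
    inventory: Dict[str, Set[str]] = {}
    for record in records:
        for field, value in record.items():
            for data_type, _text in find_personal_data(value):
                inventory.setdefault(field, set()).add(data_type)
    return inventory


def field_risk(inventory: Dict[str, Set[str]]) -> Dict[str, str]:
    """Classification: label each discovered field with the highest risk level among its types."""
    return {field: max((CLASSIFIERS[t][1] for t in types), key=RISK_ORDER.__getitem__)
            for field, types in inventory.items()}


def mask(value: str, keep: int = 4) -> str:
    """Display masking: hide everything but the last `keep` characters."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def redact(value: str) -> str:
    """Mask detected personal data inside free text, tagging it with its data type."""
    out = value
    for data_type, text in find_personal_data(value):
        out = out.replace(text, f"[{data_type}:{mask(text)}]")
    return out


def pseudonymize(records: List[Dict[str, str]], key: bytes, fields: List[str]):
    """Replace the named fields with keyed tokens (HMAC-SHA256, truncated).

    The same value always maps to the same token, so joins and analytics keep working,
    but only the holder of `key` (or of the returned lookup table) can re-identify a
    subject. The lookup table is the 'additional information' that has to be stored
    separately from the pseudonymized data set, under its own access control.
    """
    lookup: Dict[str, str] = {}
    output = []
    for record in records:
        copy = dict(record)
        for field in fields:
            if field in copy:
                digest = hmac.new(key, f"{field}:{copy[field]}".encode(), hashlib.sha256).hexdigest()
                token = "psn_" + digest[:16]
                lookup[token] = copy[field]
                copy[field] = token
        output.append(copy)
    return output, lookup


if __name__ == "__main__":
    inventory = discover(SAMPLE_RECORDS)
    for field, risk in field_risk(inventory).items():
        print(f"{field}: {sorted(inventory[field])} -> risk {risk}")
    # Constructed key for the example only; in practice it comes from a KMS/HSM, never source code.
    safe_records, lookup = pseudonymize(SAMPLE_RECORDS, b"example-only-key", ["email", "last_login_ip"])
    for rec in safe_records:
        rec["notes"] = redact(rec["notes"])
        print(rec)
    print(f"{len(lookup)} re-identification entries held separately")
```

Running the script prints the field inventory with its risk labels, then the records with email and IP replaced by `psn_` tokens and the card number in the notes field masked. The keyed hash matters for the Article 32 point: an unkeyed hash of an email address or IP can be reversed by hashing candidate values, so it does not count as pseudonymization on its own; with the key and lookup table stored apart from the data set, a leak of the pseudonymized records alone does not identify anyone.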
Imperva GDPR Solutions
Imperva protects all cloud-based data stores to ensure compliance with GDPR and other standards, and preserves the agility and cost benefits you get from your cloud investments.
Cloud Data Security – Simplify securing your cloud databases to catch up and keep up with DevOps. Imperva’s solution enables cloud-managed services users to rapidly gain visibility and control of cloud data.
Database Security – Imperva delivers analytics, protection and response across your data assets, on-premises and in the cloud – giving you the risk visibility to prevent data breaches and avoid compliance incidents. Integrate with any database to gain instant visibility, implement universal policies, and speed time to value.
Data Risk Analysis – Automate the detection of non-compliant, risky, or malicious data access behavior across all of your databases enterprise-wide to accelerate remediation.