The industry seems to have found a new threat that is worthy of special attention. The threat is not a nation state, nor a criminal gang targeting specific companies. It is not a new crypto-locker campaign exploiting unpatched operating systems for the purpose of mass extortion. It is the General Data Protection Regulation, also known as GDPR, which applies from May 2018.
Take a moment, let the panic subside and let’s try to dispel some of the myths about compliance.
In the consumer world, marketers know that sex sells. For businesses, marketers use risk. The official documentation around GDPR is extensive, as would be expected for legislation with so much impact. Still, some cyber security vendors are adding their own take on how to prepare for the legislation. These vendor pronouncements generally highlight the maximum possible fine and the security requirements. In the face of this deluge of information, all organizations would feel remiss for not acting. No one wants to be the one who falls foul of compliance.
administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher
GDPR Regulation (EU) 2016/679 (1)
Such large figures can cripple organizations, grab headlines but also justify the cost of a new security initiative. Some vendors have gone a step further by using GDPR for lead generation through ‘How to Prepare’ whitepapers or even associating compliance with their products or services.
You cannot buy GDPR compliance.
Purchasers and in-house security professionals need to take stock, look past the vendor FUD and get to grips with the legislation in the way it applies to their organization. Rather than sacrificing contact details to access a vendor’s interpretation of GDPR, go directly to the source. The UK’s Information Commissioner’s Office (ICO) has provided everything an organization should need and without focusing on the threat of fines.
Issuing fines has always been, and will continue to be, a last resort.
Elizabeth Denham - UK Information Commissioner (2)
While there is certainly a high potential impact, the probability appears to be low. The ICO has tried to allay fears that maximum-rate fines will become the norm, or that it will make examples of minor infringements.
With an accurate view of the risk, what should cyber security professionals be looking out for? An overall understanding of GDPR and its national implementation is needed, but it is only Article 32 that primarily deals with security. It gives some basic direction on what will be required for managing the data to create privacy by design and by default. However, the main requirement is broad enough to allow organizations to assess their own needs based on the state of the art, the costs of implementation and the nature, scope, context and purpose of processing.
the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (3)
This flexibility allows for the variety of data and data processing that differing organizations will have, but could be seen as creating some uncertainty. What level of security will regulators view as compliant? To help clarify this, the legislation includes a proposed code of conduct (4) and certification scheme (5) that will remove uncertainty and allow organizations to show that the risk has been mitigated.
In terms of cyber security, the legislators have provided fairly clear instructions, a method to assess compliance and, in each locality, reassurance that excessive fines will not be levied. So take another look at vendors before committing budget to an additional service or product based around GDPR compliance or the risk of non-compliance.
1) Official Journal of the European Union ‘REGULATION (EU) 2016/679 Article 32’ http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN 2016 p51
2) Elizabeth Denham ‘GDPR – sorting the fact from the fiction’ https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-from-the-fiction/ 2017
3) Official Journal of the European Union ‘REGULATION (EU) 2016/679 Article 32’ http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN 2016 p51
4) Official Journal of the European Union ‘REGULATION (EU) 2016/679 Article 40’ http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN 2016 p56
5) Official Journal of the European Union ‘REGULATION (EU) 2016/679 Article 42’ http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN 2016 p58