The new European Union (EU) Regulation 2016/679, the GDPR (General Data Protection Regulation), went into effect on May 25, 2018. It has far-reaching effects and many possible repercussions for any organization collecting, processing, and/or storing any EU citizen’s information. Your company need not be located in any of the EU countries; rather, if your company collects any EU citizen’s information, your company must adhere to and be compliant with the new regulation.
The essential characteristics of the regulation are that personal data is protected as a fundamental right and that privacy is to be respected as an expectation of the GDPR. The GDPR creates a greater level of harmonization across the EU for the sharing and exchange of data. Implementation of the GDPR requirements necessitates a greater level of protection of a person’s digital identity. The reason for such an increased worldwide emphasis on compliance is the fines that can be imposed if you fail to manage the privacy data appropriately. Fines are set at 4% of the noncompliant organization’s global revenue.
Who is Responsible for GDPR?
There are two specific roles defined in the regulation: the data controller and the data processor. A data controller is the collector of the data for internal or outsourced processing. The expectation is that an individual’s consent is required to collect the information. This role is responsible for documenting how the data is to be utilized throughout its lifecycle within the organization, for privacy policies, and for the ability to process requests for data portability, rectification, objection, etc. The duties of this role include compliance measures that protect the data subject’s rights. Examples of data controllers include social media organizations, educational institutions, health organizations, banks, etc. If your organization determines how the data is to be processed and the purpose of that processing, this indicates a data controller.
A data processor is a natural or legal person, public authority, agency or other body responsible for managing and storing data on behalf of the controller. Specific clauses within the regulation require the same technical and organizational measures to be applied to the processor as to the controller. An example would be an outsourced payroll company: the data controller tells the payroll organization whom to pay and what amount. If you are not making these decisions and are just acting on a request, this indicates a data processor. The required liability flows through the chain of data processing. Specifically, the data controller has liability if a data processor fails to fulfill its obligations.
What data is in scope?
Article 4(1) states: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”. Data types in scope could include IP addresses, cookie data, or a photograph associated with an account. In many cases, personal customer data will be held in multiple formats and forms in CRMs (Customer Relationship Management systems), contracts, sales contact databases, etc.
How CIS can help
Specific to the data controller and data processor roles, the responsibility is to “implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is performed in accordance with the regulation.” CIS offers a multitude of best practices and cybersecurity solutions to help organizations on the path to GDPR compliance.
A strong starting point is a CIS SecureSuite Membership, which includes access to tools such as CIS-CAT Pro and remediation kits to assess and harden systems. “Hardening” is the process of limiting vulnerabilities in a system to reduce cyber threats. Hardening systems to the CIS Benchmarks™, secure configuration guidelines for over 150 technologies, provides a platform for compliance and is a recognized foundation on which to build the rest of your data infrastructure. Measure system conformance to the CIS Benchmarks with CIS-CAT Pro Assessor, our configuration assessment tool, which provides assurance that the target system is hardened to the standard. It is not sufficient to simply state compliance with a particular benchmark – measure and prove it with the dynamic reporting features of CIS-CAT Pro Dashboard.
If you are working in the cloud, CIS offers pre-hardened virtual machines (CIS Hardened Images) on the Microsoft Azure Marketplace and Google Cloud Platform (GCP), and Amazon Machine Images (AMIs) on Amazon Web Services in the AWS Marketplace, including the AWS GovCloud (US) region and IC region. CIS Hardened Images conform to the applicable security standards of the CIS Benchmarks, bringing on-demand security to cloud computing environments.
The CIS Controls are a prioritized set of cybersecurity best practices to help organizations improve their security posture. Version 7 of the CIS Controls was released in March 2018 and contains guidance that can be applied to GDPR compliance. The CIS Controls can serve both as a measurement process to encourage compliance and as a security control framework to implement within your organization. In many cases, the entire set of CIS Controls can be applied to implement a structured and measured approach to compliance and security for the organization. GDPR requires a complete understanding and visualization of the data flows for personal information throughout your enterprise. The regulation extends to both data controllers and processors. It may seem challenging at first, but with due diligence, documented plans, and help from the cybersecurity resources available from CIS, the road to compliance is achievable.
Why is this applicable to companies in the United States?
Why is this applicable to companies in the United States if your company is not doing any business with EU countries? California will soon be implementing the California Consumer Protection Act (CCPA) in July of 2020. California’s CCPA mirrors the EU Regulation 2016/679, the GDPR. Companies in New York doing business with companies in California and collecting consumer data will be required to meet the CCPA. Companies need to move forward and begin the process of GDPR compliance. Here are three key areas in which to move ahead with compliance readiness:
Analyze, develop, and execute GDPR programs across your organization’s systems, processes, people, and policies.
Make it a team effort: get all of your relevant teams working together.
Ensure buy-in from your management to stay on top of GDPR compliance.
GDPR will ultimately lead to companies gathering just enough data from individuals to complete any type of conversion, transaction, or order agreement. The optimistic viewpoint is that, with greater clarity about data protection and privacy controls, consumers will become more comfortable with emerging digital practices and, when working with companies, will be able to trust these companies to hold their personal information in high regard.
Doug Stewart is a Senior Sales Manager. Doug brings a wealth of experience and is focused on sales and business development activities. Doug strives to help businesses meet the demands of their ongoing cybersecurity requirements and helps them be adequately protected against cyber intrusions.
Doug is located in Colorado, where he majored in Music and played hockey at Denver University. He played in a highly competitive hockey league for 24 years after college, and coached his children’s soccer and hockey teams for 12 years. Music is still a strong passion, which he pursues professionally with his band. He and his wife are the proud grandparents of three grandkids.