GDPR: Data Controllers Be Prepared

As we delve deeper into the digital world of communication, from the perspective of privacy, the impact of personal data changes in proportion to the way we examine security. As organizations chime in this world, the normal methods that were employed to protect data have now become obsolete. This forces the security professionals to shift their thinking from protecting the infrastructure to protecting the actual data.

Also, the magnitude at which we are engaged in digital business makes the traditional security tools outdated. Security teams must be equipped with real-time visibility to fathom what’s happening all the way up at the web application layer. It is a constant challenge to map all the connections we are building and the personal data that is spreading literally everywhere. This challenge must be addressed not just from the technical standpoint but also from the legal and legislative context.

With the arrival of new General Data Protection Regulation (GDPR) legislation, security professionals must become data-centric. As a result, they no longer rely on traditional practices to monitor and protect data along with the web applications that act as a front door to the user’s personal data. GDPR is the beginning of wisdom when it comes to data governance and has far-reaching implications than one might think of. It has been predicted that by the end of 2018, more than 50% of the organizations affected by GDPR, will not be in full compliance with its requirements.

What is GDPR?

As on May 25, 2018, the European Union’s (EU’s) GDPR will come into play. A single supervisory authority will be used, rather than a separate one for each EU member state. It will provide a well-needed framework that will govern the way the personal data is gathered, stored and used.

The gathering, storing and usage of data are collectively referred to as data processing. Essentially, it refers to anything concerning the user’s personal data. This is regardless of whether the personal data is stored on a paper or electronically, GDPR legalities apply.

Personal data is a broad term, which could refer to an email address, gender of the person, first/last name or even the user’s Hypertext Transfer Protocol (HTTP) cookies. Any business that has control over personal data, be it social media to information or IoT data device driven information, must now run on a compliance basis by May 25th.

Who needs it?

The legislation sanctions control to the users over their personal data by introducing a new regulatory environment, unifying the regulation within the EU. GDPR applies only to data about “EU data subjects”, irrelevant who is processing the data, or where the data is stored. Data subjects are an identifiable natural person that can be identified directly or indirectly based on a number of defined characteristics.

It applies irrespective of organization types and locations, and forces legislation to business conducting in or with the EU, even if they are not located in the EU. This includes the UK regardless of Brexit.

What are its components?

The GDPR consists of 7 key components:

1. Right to Access: The data subjects must have the right to know and access free of charge if where and for what purpose their personal data is being processed.
2. Breach Notification: As also discussed later, now the GDPR sets a clock, which evaluates the time frame within which the breach happened and the time window for the data controller to report on that breach.
3. Right to be Forgotten: The data subjects have the right to notify the data controller to delete their personal data.
4. Data Portability: Upon request, the data subjects can authorize the data controller to transmit their personal data to another company.
5. Privacy by Design (PbD): From the onset, data protection mechanism must be included in the design of systems from the beginning and not added later. All processes must be designed with privacy in mind from the start.
6. Consent: A “statement or clear affirmative action” is required that signals the agreement of transferring the personal data. Data controllers should only collect personal data they require along with the consent of the customer for that particular data set.
7. Data Protection Officers: A DPO may be required under certain circumstances, be it for the scale of the processing or the type of data being processed, such as data relating to criminal convictions and offenses.

What are the implications?

GDPR adds an additional layer of pressure to the organization as it leaps one-step further by introducing legality. This results in fines to the organizations that are unable to comply with the new regulation. Organizations could potentially incur fines up to 4% of the annual turnover or over 20 million dollars.

We always seem to be in a downward state when it comes to the introduction of new implied technologies. The introduction of a particular technology may certainly boost value; however, it is only a single piece of the puzzle. The other components of the puzzle are often overlooked.

For example, if you implement a new style of the web application, could you do so without upgrading its security tool set? Certainly not, but we still do. It is similar to the era of data collection and the old regulations that governed what data controllers could do with personal data.

Today’s digital world offers umpteen new approaches to data collection as compared to the previous data protection regulations. Previous data protection regulations were scanty for the new social media technologies such as Facebook. Therefore, such worn-out security tools do not stand a chance to protect today’s web applications and servers.

GDPR & Web Sites

Almost all the websites transmit some kind of user’s personal information via inquiry forms or other forms to website interaction. So, where and how is the data being stored is of significant importance. More importantly, are we in compliance that covers component 2 of GDPR legislation – “Breach Notification”?

GDPR article 31 outlines a new requirement that organizations must notify data authorities within a 72-hour time frame after a breach of personal data has been discovered. If history is something to retrospect, oodles of data breaches have had been unnoticed for days if not months.

More recently, data breaches can be carried out with SQL injection techniques where the Domain Name System (DNS) resolution process is used to retrieve malicious SQL query results. This technique is especially useful for fast and low-under the radar data retrieval that is not easily detectable. SQL injection techniques along with exploitations in the DNS resolution process enables bad actors to smuggle data out of your administrative domain.

This signifies that the right security tools are not in place to effectively detect and provide visibility of the breach in real time.

Policy creation along with the following steps will put organizations on the right road to meet the GDPR legislative components:

1. Conduct an information audit of customers personal data. For example, where do we store the data, where is the source, how long can we keep the data and how often is the data accessed to name a few.
2. The organization should map out data flows that are external to the organization. Does customer data flow outside of the EU and if so, why?
3. Staff is the centerpiece of any organization. They must be fully aware of GDPR rules and trained accordingly as it may affect their day to day operations.
4. Administrators must quickly be notified if a personal data breach has occurred. This involves actively scanning web pages and API’s in real-time in order to catch the breach on-time.
5. Upon breach notification, pre-established steps must be carried out such as notifying the correct external authorities. As already mentioned, notifying the customer within the 72-hour period.
6. Automated vulnerability scanning must be incorporated into the software development life cycle ensuring the “Privacy of Design” component of GDPR is fulfilled.
7. Consumers have the “Right to Access” their data within a certain period of time. If the data controllers network infrastructure or application architecture is getting hit by a DDoS, customer data will be unavailable if required. The data controller must make sure they have appropriate DDoS detection, mitigation, and notification mechanisms in place.

Integrating with Acunetix features sets will make sure you have fulfilled the mentioned steps. A variety of scans can be automated with the results provided to the right people at the right time with zero false positives.

Especially, with GDPR on our footstep, the focus needs to be shifted from fending off attacks as they happen, to having proper tools that can identify the vulnerabilities. GDPR stretches out to cover the privacy policies on websites. This ensures that adequate cybersecurity measures are in place, which will reciprocate how your website and web applications are designed and monitored.

However, this does not symbolize that the website only needs a Secure Sockets Layer (SSL) certificate to be compliant. It boils down to how secure the data is while it is being stored, and if the database is encrypted.

Breaches

When there is a breach of personal data, an attacker will look for the weakest link. The hawk’s predator gaze has always been at the web server and web application. Bad actors will always look for the weakest parts of the website to penetrate, compromising personal data and breaching GDPR regulations.

It could be as simple as a contact form submission that has been saved in your website’s database but the database is not encrypted. There are so many angles to be scrutinized. One simple and trusted way is to not get breached in the first place.

This does not mean that you should only design your website and web applications that are GDPR compliant. This is the first crucial step but since it is a new legislation, the organizations will lag and this is a fact. Why not go one-step further and ensure that your data is not breached in the first place? Hardening your web application, which acts as the front door for hackers, will negate the pains involved in becoming GDPR compliant.

Summary

GDPR is on our doorstep and there is no getting away from it. Some call it doomsday while others are busy in preparation. When the unknown is lurking the best plan of action is to tighten all areas of the infrastructure, especially at the web application level as this is the most common path of entry. Component 2 of GDPR adds a clock to breach notification. If you can’t see what’s happening in real-time you certainly can not alert in time to be in compliant with GDPR regulations.