GDPR: What Compliance Says vs. What DevOps Hears

The deadline for the General Data Protection Regulation (GDPR) is fast approaching, with May 25 marking the official day of reckoning. The updates to the data protection directive of 1995 (Directive 95/46/EC) are designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy rights, and to reshape the way organizations across the EU approach data privacy.

There’s a likelihood that Compliance has approached your DevOps team to get on board. But when Compliance talks, what do you hear? Are you truly understanding what’s required of you to become GDPR compliant? Let’s take a look at some of the possible gaps in knowledge below.

Compliance says: GDPR is an EU regulation with global reach.
DevOps hears: We’re a US organization, so GDPR doesn’t apply.

It’s an easy mistake to make: Why would a European regulation apply to a US organization? But GDPR’s scope is far-reaching and is relevant to any organization that processes or stores the personal data of EU data subjects — regardless of where the organization is located. The regulation applies to processing that is related to offering goods or services to EU data subjects or monitoring their behavior. So, even if you’re simply tracking the browsing behavior of a European visitor to your site, you’ll need to become GDPR compliant.

Compliance says: What PII are you storing?
DevOps hears: What email addresses and phone numbers are you storing?

With GDPR granting data subjects more rights over their personally identifiable information (PII), it’s important to understand exactly what PII is to be sure you’re protecting it appropriately. It’s true that non-sensitive data such as addresses, phone numbers, and emails, as well as sensitive financial information, make up the traditional definition of PII, but there’s so much more to it in this day and age! Advances in technology have extended the definition of PII to include:

  • IP addresses
  • Login IDs
  • Social media posts
  • Digital images and video
  • Biometric identifiers
  • Geolocation information
  • Customer loyalty data

In short, if a piece of data on its own can be linked to a specific individual, you’ll now need to identify, track, and protect it in order to meet GDPR compliance mandates.

Compliance says: Users have expanded rights over their PII.
DevOps hears: We need to get opt-in consent.

Now that you understand what PII comprises, you’ll need to get a handle on subjects’ new rights to that information under GDPR. Obtaining opt-in consent is only the first step, and it’s vital that your consent forms plainly spell out what data you will collect, how you will use it, and for how long you will keep it. This information must be clear and concise; lengthy legalese and soft opt-in consent will no longer cut it. While double opt-in consent isn’t mandatory under GDPR, it is certainly a best practice that moves you in the direction of compliance.

In addition, you need to be aware that the expanded rights covered by GDPR mandate the following:

  • The right to erasure, which specifies that data subjects can revoke their consent at any time and request that their data be deleted if they meet specific criteria
  • The right to access, which means that you will need to provide data subjects with an electronic copy of their personal data, free of charge, upon request

Compliance says: Data must be private by design.
DevOps hears: Protect data from external threats from the outset.

Yes, one important aspect of GDPR’s “privacy by design” requirement is that you build data security into your systems from the beginning rather than as an afterthought. However, you are not just responsible for protecting against external privacy breaches; you are also responsible for keeping data private internally by enacting a policy of least privilege. Article 23 of GDPR calls for organizations to design their systems so that they hold and process only the data that’s absolutely necessary for carrying out their duties (data minimization), limit access to that data to only the members of your organization who need it in order to process it, and retain that data only for as long as necessary.

Compliance says: Notification of a breach must happen quickly.
DevOps hears: Our security team can handle that.

Sure, your organization’s security team may be responsible for reporting a breach, but here’s the thing: When Compliance says “quickly,” they mean quickly! GDPR stipulates that a personal data breach must be reported to the supervisory authorities or data subjects within 72 hours of the organization becoming aware of it, so it’s essential that the right alerting procedures be built into your systems from the get-go to ensure that this happens.

Final Words . . .

A comprehensive intrusion detection platform like Threat Stack’s Cloud Security Platform® can help you comply with GDPR-specific rules and provide real-time alert notifications, enabling you to comply with the new reporting requirements.

What other compliance terminology has been confusing to your DevOps team in the ramp up to GDPR? Contribute your ideas, and follow along on social media with the hashtag #ComplianceMeetsDevOps.

*** This is a Security Bloggers Network syndicated blog from Blog – Threat Stack authored by Lindsey Ullian. Read the original post at: