The deadline for the General Data Protection Regulation (GDPR) is fast approaching, with May 25 marking the official day of reckoning. The updates to the data protection directive of 1995 (Directive 95/46/EC) are designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy rights, and to reshape the way organizations across the EU approach data privacy.
There’s a likelihood that Compliance has approached your DevOps team to get on board. But when Compliance talks, what do you hear? Are you truly understanding what’s required of you to become GDPR compliant? Let’s take a look at some of the possible gaps in knowledge below.
It’s an easy mistake to make: Why would a European regulation apply to a US organization? But GDPR’s scope is far reaching and is relevant to any organization that processes or stores the personal data of EU data subjects — regardless of location. The regulation applies to processing that is related to offering goods or services or monitoring a person’s behavior. So, even if you’re simply tracking the browsing behavior of a European visitor to your site, you’ll need to become GDPR compliant.
With GDPR granting data subjects more rights over their personally identifiable information (PII), it’s important to understand exactly what PII is to be sure you’re protecting it appropriately. It’s true that non-sensitive data such as addresses, phone numbers, and emails, as well as sensitive financial information, make up the traditional definition of PII, but there’s so much more to it in this day and age! Advances in technology have extended the definition of PII to include:
In short, if a piece of data on its own can be linked to a specific individual, you’ll now need to identify, track, and protect it in order to meet GDPR compliance mandates.
Now that you understand what PII comprises, you’ll need to get a handle on subjects’ new rights to that information under GDPR. Obtaining opt-in consent is only the first step, and it’s vital that your consent forms plainly spell out what data you will collect, how you will use it, and for how long you will keep it. This information must be clear and concise; lengthy legalese and soft opt-in consent will no longer cut it. While double opt-in consent isn’t mandatory under GDPR, it is certainly a best practice that moves you in the direction of compliance.
In addition, you need to be aware that the expanded rights covered by GDPR mandate the following:
Yes, one important aspect of GDPR’s “privacy by design” requirement is that you build data security into your systems from the beginning rather than as an afterthought. However, you are not just responsible for protecting against external privacy breaches; you are also responsible for keeping data private internally by enacting a policy of least privilege. Article 23 of GDPR calls for organizations to design their systems so that they hold and process only the data that is absolutely necessary to carry out their duties (data minimization), to limit access to that data to only the members of your organization who need it in order to process the data, and to retain that data only for as long as necessary.
Sure, your organization’s security team may be responsible for reporting a breach, but here’s the thing: When Compliance says, “quickly,” they mean quickly! GDPR stipulates that a personal data breach must be reported to the supervisory authorities or data subjects within 72 hours of an organization becoming aware, so it’s essential that the right alerting procedures be built into your systems from the get-go to ensure that this happens.
A comprehensive intrusion detection platform like Threat Stack’s Cloud Security Platform® can help you comply with GDPR-specific rules and provide real-time alert notifications, enabling you to comply with the new reporting requirements.
What other compliance terminology has been confusing to your DevOps team in the ramp up to GDPR? Contribute your ideas, and follow along on social media with the hashtag #ComplianceMeetsDevOps.
*** This is a Security Bloggers Network syndicated blog from Blog – Threat Stack authored by Lindsey Ullian. Read the original post at: https://www.threatstack.com/blog/gdpr-what-compliance-says-vs-what-devops-hears