What do Linux system administrators need to know about the GDPR?

Introduction

The General Data Protection Regulation (GDPR) is a European Union law that applies not only to EU companies, but also to all companies collecting and processing the personal data of EU residents. The sanctions for breaching the GDPR are enormous (up to $24 million or 4% of the annual global turnover, whichever is greater). It is not a coincidence that the U.S. top 500 companies are expected to spend $7.8 billion to comply with the GDPR.

In this article, we will provide a brief overview of the GDPR in the context of Linux system administration and discuss six steps Linux system administrators may take to comply with the GDPR.

A brief overview of the GDPR

The GDPR imposes strict obligations on organizations processing personal data. Those obligations include, but are not limited to:

  • Proving a legitimate basis for processing personal data
  • Sending timely notifications to data protection authorities in case of security breaches
  • Providing individuals with the right to access, manage and delete their data
  • Designing systems with proper security protocols (privacy by design)
  • Appointing data protection officers

The GDPR is technology-neutral. This means that it applies equally to users of Linux systems and to users of proprietary systems. It contains broad terms that require system administrators not only to apply the law, but also to interpret it. For example, Article 1(f) of the GDPR states that personal data must be processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Terms such as “appropriate security of the personal data” and “appropriate technical and organisational measures” may be appropriate in the culinary arts (e.g., season to your taste with salt), but (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Daniel Dimov. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/eYTxqt9hgAs/