Safer, Cheaper and Defter
May of this year marked the third anniversary of one of the most
important legislative implementations of the last decade: The General
Data Protection Regulation (GDPR). In Fluid Attacks, we have
talked a little about what GDPR is, but today
we want to dedicate a particular blog post to talk about what it has
achieved, why it is essential and, above all, how it has affected you
directly.

Figure 1. Figure by SNEL
What is the GDPR?
The GDPR “is
the backbone of the EU’s data protection and privacy legislation.” Its
main objective is to strengthen privacy laws across the European Union
to fit the digital age. This legislation updated and unified data
privacy laws, by replacing the 1995 EU Data Protection Directive, a
policy designed for the last millennium.
The law was published in the European Parliament legislative
act 679
on 27 April 2016. Its main premise is that “the protection of natural
persons in relation to the processing of personal data is a fundamental
right.” Before its creation, the data protection standard in force
was the 1995 EU Data Protection Directive. The rules established there did
not have a general, EU-wide reach; they had to be “implemented
through national
legislation.”
Previously, personal information management legislation was not
standardized, though there were some guidelines. Before the 2000s,
personal information used to be stored on massive shelves full of
documents. Today most of that information is digital. Therefore, it is
urgent to establish rules of the game for large companies that privately
store data.
As we shared in our GDPR Compliance section,
this policy was approved by the European Parliament on 14 April 2016 and
went into effect on 25
May 2018.
Almost the entire approach revolves around a set of rules designed to
protect personal information from
unnecessary risks by specifying how companies should store, handle and
share such data. It was approved by the European Union (EU) and the
European Economic Area (EEA). The regulation
applies to companies that have operations
in the EU and that process personal data. It does not matter whether
the company’s activities take place in the Union or not: any
company in the world with customers or employees in the EU must comply
with GDPR.
GDPR requires organizations to understand better what data their
businesses have and how it is stored. In another blog post, we talked
about this when we explained the controversy over the opening of the
Apple Data Center in Guizhou, China. The
point is that this increased
understanding proactively helps
streamline detection and response in the event of a costly security
incident (like a data breach). Of course, beyond the legal need to
comply with the standards called for by the GDPR, there is a necessity
to make companies safer from cybersecurity breaches.
GDPR compliance
A company committed to GDPR compliance proactively identifies
vulnerabilities and prepares, on its own initiative, to validate the
security of its handling of personal data. One of the ways in which companies
fulfil the GDPR’s privacy requirements is by reducing the amount
of unneeded information. In this sense, companies “shouldn’t hold data
they don’t need for longer than they
need.” This strengthens the company’s
security and reduces storage costs, as there is less data to store.
Along with these commitments, the company must
(a) identify personal data and evaluate who has permission to access it, (b)
corroborate that it is asking for explicit consent to use other people’s
information, and (c) make sure it processes data on a lawful basis.
Besides, it must strengthen security, reduce the risk of attacks, and
convey trust. One example is the regulation of passwords:
nowhere in the document is there a rule that specifies what security
requirements a password should meet.
However, that doesn’t mean it’s a minor issue or that you can’t
establish a rule of your own that is in line with what the GDPR
requires. The Hacker
News,
for example, recently published a list of recommendations that should be
considered “to create a GDPR compliant password policy.” Their most
important recommendations are (a) avoid secret questions, (b) consider
implementing multi-factor authentication (MFA), and (c) “use a 3rd
party tool to help your password policy reach your entire end-user
directory.”
Fluid Attacks’s GDPR compliance
For example, we at Fluid Attacks use
Okta as our
identity management platform. It allows us to grant access to
applications without disclosing credentials and while maintaining a
least-privilege approach. It is a very comprehensive tool because it supports
MFA using a one-time password (OTP). Every half minute, it
generates a new OTP. You can also send push notifications to your
trusted device (usually your phone) through its Okta Verify app.
Finally, because you must use your phone to sign in to the Okta Verify
app, it enforces biometric MFA for both face and fingerprint (if the
device supports it).
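The “new OTP every half minute” behaviour described above is the standard time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added illustration written for this post, not Okta’s or Fluid Attacks’ code: it derives a 6-digit code from a shared secret and a 30-second time step, and verifies a submitted code with a small tolerance window. The secret is the constructed 20-byte demo seed from the RFC test vectors, and the `window` parameter and `verify_totp` helper are assumptions of this example, not part of any particular product.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the 20-byte ASCII seed used by the RFC 4226 / RFC 6238
# test vectors. A real deployment generates a random per-user secret instead.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code, matching the "every half minute" rotation
DIGITS = 6       # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None,
         step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    windows elapsed since the Unix epoch. `at_time` lets the caller fix the
    clock for testing; by default the current time is used."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // step), digits)


def verify_totp(secret: bytes, code: str, at_time: Optional[float] = None,
                window: int = 1, step: int = TIME_STEP, digits: int = DIGITS) -> bool:
    """Server-side check: accept the code for the current window or for up to
    `window` steps on either side, to tolerate clock drift between the
    authenticator and the server. Comparison is constant-time so a timing
    side channel does not reveal how many digits matched."""
    now = time.time() if at_time is None else at_time
    counter = int(now // step)
    matched = False
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        # Evaluate every candidate rather than returning early, so timing
        # does not depend on which window (if any) matched.
        matched |= hmac.compare_digest(candidate, code)
    return matched


if __name__ == "__main__":
    # Sample run using the RFC 6238 reference instant T=59 seconds.
    print("code at T=59:", totp(DEMO_SECRET, at_time=59))
    print("verify:", verify_totp(DEMO_SECRET, totp(DEMO_SECRET, at_time=59), at_time=59))
```

A verifier built this way should additionally remember the last counter value it accepted for each user and refuse any code at or below it, so that a code observed in transit cannot be replayed within the tolerance window; that bookkeeping is left out here to keep the example focused on the code derivation.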
At Fluid Attacks we recognize the difficulty many companies have in staying
up to date with every standard. It is not because they don’t want to be
up to date, but because those standards are always evolving and adapting to
each day’s new challenges. That’s why, when we offer security alternatives,
we always offer services to determine whether your company complies with
these types of security requirements. To achieve this, not only do we take
care to fully understand the core points of standards such as GDPR, but we
strive to disseminate them and explain them to our customers and to the
general public.

Figure 2. Figure by TechTarget
Problems with GDPR?
Finally, it should be noted that GDPR has not been exempt from
controversy. On 1 July, Johannes Caspar, a leading German regulator
who worked for more than ten years at the helm of the Hamburg data
protection commission, stepped
down.
His disillusionment with the EU’s General Data Protection Regulation
stemmed from the fact that the regulation’s procedures themselves leave
room for weaknesses and flaws.
In a Bloomberg report, Caspar said:
“The basic model of the procedure set up by GDPR has massive flaws and
it just can’t work. You can’t accept this in the long term. The
problem is what use are these laws to the people if they’re not being
applied?”
His criticism is based on two situations. First, companies that did not
comply with GDPR policies were expected to face penalties. These
were set out in article 83 (5), which
states that infringements shall be subject to administrative fines
“up to 4% of the total worldwide annual turnover.” But to date, no
company has come close to paying that penalty. Second, GDPR gives
regulators “lots of room for
interpretation”
of the rules, which makes it onerous to verify that the law is being enforced.
To fulfill the GDPR’s purpose, individuals and companies need to change
how they take ownership of these policies. They should not
be seen as an imposition but as guidelines to preserve data security and
privacy. That is why you should take GDPR seriously as a guide to
strengthen your security and save money.
At Fluid Attacks, we are specialized in cybersecurity through
Pentesting and Ethical
Hacking.
For more information, don’t hesitate to Contact
us!
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Zárate. Read the original post at: https://fluidattacks.com/blog/gdpr-compliance/