Where Does Cybersecurity Fit into GDPR?
By Heather Engel, Sera-Brynn Chief Strategy Officer
By now most everyone has heard of GDPR, or at the very least been bombarded by pop-up messages asking you to accept cookies and confirm access to your data as you surf the web. But if you are responsible for the security of a network, a website, or work at a company that is a data controller or processor, what responsibilities do you have? In other words, where does cybersecurity fit into GDPR?
In short, GDPR is about privacy: the rights of data owners to reasonably control what happens with their data, and how that data is used. For a CISO, security engineer, or analyst, the job is to protect the data. Doing that effectively requires knowing what data is stored, processed, or transmitted on a company network, which aligns nicely with GDPR. Many of the principles and the lawful basis for processing under GDPR are the purview of lawyers and data owners, who must understand how information is being used and for what purpose; much of the individual rights, accountability and governance, and security work will fall to the cybersecurity team. The good news is that much of what needs to be done for GDPR supports overall risk management anyway.
Cyber professionals should know that GDPR does not mandate a specific set of security controls. Other compliance frameworks, including PCI DSS, NIST 800-53 or NIST 800-171, Cyber Essentials, the CIS 20, and ISO, all provide a solid starting point, so if you already have to comply with one of those you have a head start on GDPR. Remember that an auditor isn’t necessarily looking for perfection: they will look for a baseline, measurable improvement since the last audit, and a plan for continuous improvement.
This checklist provided by the UK’s Information Commissioner’s Office describes broadly the concept of information security, particularly related to data integrity and confidentiality. When evaluating measures that are appropriate to protecting data, standard INFOSEC best practices will work for GDPR:
• minimize data storage and retention,
• ensure policy and processes are in use and known to affected parties, and
• respond to breaches.
Minimize Data Storage
In the event of a breach, less stored data means less impact. Having a data retention policy and following it keeps active data storage from becoming too unwieldy. Minimizing storage doesn’t mean getting rid of data; moving it offline or to a segmented archive is also effective. GDPR specifically requires that data not be kept for longer than necessary. “Necessary” is defined internally but driven by other compliance mandates and business needs.
Policy and Process
Every cybersecurity professional is familiar with policy and process documentation. Developing it takes time, maintenance can be onerous, and if personnel haven’t been trained, the implementation will quickly break down. GDPR implementation will require new documentation or perhaps tweaking existing docs to incorporate the language of GDPR, but in a reasonably cyber-mature organization many policies will effectively support the intent of GDPR.
In the event of a breach, GDPR requires notification of the supervisory authority within 72 hours. The time from breach to detection of the breach is typically six months or more, and in response, compliance requirements have evolved to require not only breach detection and response capabilities but also rapid notification. Behavior-focused SIEM and analytics tools, change management tools, and global threat intelligence feeds all contribute to active breach detection. Your organization will choose tools that are appropriate based on risk, industry, budget, and compliance mandates.
While it’s highly unlikely that a company responding to a breach will have all the information ready to report within 72 hours (this isn’t a TV show, remember…), you must report the information that is available. Again, best practices for incident response planning, exercising the plan, and training responsible personnel will ease the burden on cybersecurity teams when a breach occurs.
What About Erasure?
Two outliers not typically addressed by other compliance frameworks are the right to erasure and the right to data portability. Individuals may request that their information be removed (also known as the right to be forgotten), and there must be an appropriate method in place to erase information upon request. Remember that in this case information often exists in multiple places (backups, downloads, spreadsheets), so any process should account for all of those locations.
Data portability means individuals may reuse their data and should be able to easily move, copy, or transfer personal data from one environment to another. This means the data must be structured and there must be a secure method for transmitting it. Does this mean encryption is required? No, but it would be one viable option.
Protecting a network, handling other compliance regulations, and implementing GDPR are not mutually exclusive; there is plenty of overlap. As with any compliance framework, the key is understanding the requirements, assessing gaps, and implementing security measures based on risk.