securityiq.infosecinstitute.com
Executive Summary

Scheduled to come into effect May 25, 2018, the General Data Protection Regulation (GDPR) has struck fear into compliance officers around the world. Much confusion surrounds this new regulation as organizations everywhere work to understand its new requirements and adjust business processes accordingly. This paper will define GDPR, review key requirements and explain the impact GDPR will have on organizations across the world.

Table of Contents

What is the General Data Protection Regulation?
What Kind of Data Does the GDPR Cover?
The GDPR & Personal Data Rights
How the GDPR Impacts European Businesses
How the GDPR Impacts Businesses Working with European Customers or Staff
Where Does the GDPR Differ From the DPD?
Six Steps to Becoming GDPR Compliant
Consequences of Noncompliance
The Importance of Training for GDPR Compliance
Staying Compliant with SecurityIQ
Conclusion
About InfoSec Institute
Sources
Comprehensive Security Education

»» Secure LMS with interactive, gamified learning, quizzes for reinforcement and key summaries
»» Over 130 frequently updated modules, driven by science-backed educational methods selected for high performance
»» Customizable content for all audiences: general, role-based, language, compliance, time constrained, industry and level of expertise
»» Includes over 200 threat templates in multiple languages, continually updated for just-in-time reporting
»» Programmed for progressive degrees of difficulty (automated or manual configuration)
»» Simulates a variety of attack types, including phishing, spear-phishing, data entry, attachment, macros and USB planting
»» Dedicated Client Success Manager for white-glove support, from installation to day-to-day management
»» A 12-month delivery plan, supplemented with posters, newsletters, employee handbooks, employee and executive communications and event plans
»» Actionable performance analytics for program evaluation, and “boardroom-ready” performance reports for public reporting, filings and risk evaluations
»» Security posture scorecarding for benchmarking security risks by organization, department and learner
What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) evolved from its predecessor, the Data Protection Directive 95/46/EC. When the Data Protection Directive (DPD) was enacted in 1995, it was one of the most comprehensive data privacy directives in the world. Cloud computing and the Internet of Things did not exist at this time, and the “big-data” era we now live in existed only in concept. The GDPR is the European Union’s (EU) response to today’s rapidly changing technology environment and the growing need to keep personal data secure.

The GDPR is a fully fledged regulation for modern, cloud-based data transactions. It mandates specific controls over how personal data of EU citizens is handled and unifies privacy laws across EU states. With a primary focus on protecting individuals’ personal data (referred to in the regulation as the “data subject”), the GDPR:
What Kind of Data Does the GDPR Cover?

The GDPR covers two types of data, specified in the regulation as:

1. Personal Data

2. Sensitive Personal Data
Sensitive personal data under the GDPR are special categories of personal data that require stronger protections. Sensitive personal data includes genetic data, biometric data and other data types that can reveal information such as religion, race or ethnic origin.
The GDPR & Personal Data Rights

The GDPR, perhaps more than any other privacy directive, gives individuals much more control over their personal data. The GDPR requires that EU citizens have certain personal data rights, including:

1. Consent for personal data to be shared and processed. The GDPR requires organizations to gain consent from individuals prior to data sharing and processing. Consent must be given in the form of a “clear affirmative act,” meaning consent must be expressly collected and demonstrated. Opt-out buttons are no longer allowed, and organizations must implement a mechanism to manage users’ revocations of consent.
2. Access to personal data. Individuals must be allowed to easily access their
data collected and stored by organizations. The GDPR specifically states the
“data subject should have the right of access to personal data which have
been collected concerning him or her, and to exercise that right easily.”
3. Right to be forgotten. This is one of the most difficult-to-manage
requirements of the GDPR. Under this directive, individuals must be able to
remove all traces of their personal data from an organization if they wish.
This would apply, for example, if the user removes consent to share.
4. Right to portability. The data subject must be allowed to transfer their data
easily between controllers.
5. Right to rectification. The data subject must have the right to have
inaccurate data rectified.
How the GDPR Impacts European Businesses

GDPR regulations apply to both data processors and controllers in the EU. These are defined in the GDPR as:
Some organizations may be exempt from the DPO requirement if they do not handle
personal data. Smaller organizations may also work with a consultant to remain in
compliance without adding significantly to overhead.
This must include the entire lifecycle of data collection, storage, management,
processing and data deletion/archival.
This will ensure staff members are aware of the various GDPR rules around
data processing and breach notifications.
This step will ensure the organization knows what data is collected and how
it is processed at all times.
How the GDPR Impacts Businesses Working with European Customers or Staff

The GDPR was born in the EU, but its reach is far and wide. The framework protects EU citizens from whomever they deal with, in whichever country. In a highly connected, global economy, the net effect of the GDPR is far-reaching. If you process individuals’ data or collect any user behavioral data, you will need to do so under the watch of the GDPR.
In addition, the GDPR isn’t just about consumer data. The GDPR also applies to
human resources information. If a U.S. company employs EU citizens, but employee
data is processed in the U.S., the company must still comply with the GDPR when
handling these records.
Where Does the GDPR Differ From the DPD?

| Area | What it covers | How the GDPR differs from the DPD |
|---|---|---|
| Consent | Consent from a data subject to share and process personal data | The GDPR requires much more stringent terms around data sharing consent, requiring unambiguous consent to be taken. The GDPR also has specific consent requirements where children are concerned. |
| Fines | Fines for various noncompliance | GDPR fines are larger than DPD fines and follow a tiered approach based on severity of noncompliance. |
| Data categories | Various categories that describe personal data | The GDPR includes two new categories: biometric and genetic data. |
| Right to restrict processing | Grants individuals the right to block processing of personal data | Both GDPR and DPD include this right, but the GDPR defines it in more detail and has more stringent requirements. |
| Right to be forgotten | Allows individuals to decide if their stored data should be erased in specific circumstances | Both have provision for this, but the GDPR goes several steps further, including stipulations that if data is public, controllers must inform other controllers of data erasure requests. |
| Supervisory authority | Cross-border processing by a controller or processor | The GDPR has much more detailed rules on a supervisory authority. |
| Data transfer outside the EU | The scope of data protection across borders | The GDPR provides more explicit direction on this issue, mandating data can only be transferred to companies outside the EU and EEA when adequate protection of data is guaranteed. |
| Liabilities | Defines what liability lies with which authority | The GDPR defines liabilities for both controllers and processors, whereas DPD specifies liabilities for controllers only. |
| Data Protection Officer (DPO) | An independent person that oversees data protection strategy and implementation of GDPR | A DPO is mandatory only in the GDPR. |
| Data Protection Impact Assessment (DPIA) | An audit of privacy procedures | A DPIA is mandatory for GDPR compliance. |
| Data breach notification | Rules around when and how organizations must report a data breach | Under the GDPR, breach notifications must be announced within 72 hours. It also includes notification requirements based on the type of breach. |
| Data portability | The ability for individuals to move data from one controller to another | This is explicitly defined in the GDPR. |
Six Steps to Becoming GDPR Compliant

Becoming GDPR compliant starts with understanding the new requirements and determining what business processes are impacted from the policy changes. Here are six steps to help you evaluate the GDPR’s impact on your organization.
Consequences of Noncompliance
An area that has significantly changed in the new ruling is in the level of fine
applicable for noncompliance. There are now two levels of fines:
1. Cost of rectification. Data has intrinsic value to everyone. This includes your
organization, your customers and cybercriminals. The Ponemon Institute
values the average cost of rectification following a breach as $141 per
record.
2. Damaged company reputation. If your company suffers a breach, you must
notify supervisory authorities within 72 hours. If the breach is deemed high
risk, you must also inform those impacted (your customers).
3. Lost consumer trust. Compensation claims and customer attrition could well
outstrip noncompliance fines.
4. Declining share value. A study by Oxford Economics found share value can
drop by 1.8 percent after a cyberattack.
The Importance of Training for GDPR Compliance

GDPR does not include specific requirements for security training design; however, Article 37 tasks Data Protection Officers with “awareness raising and training of staff involved in the processing operations.” Also, one of the requirements under Article 43 is to provide “the appropriate data protection training to personnel having permanent or regular access to personal data.”
Depending on the role of the employee, your training program should include the
following topics:
Staying Compliant with SecurityIQ

InfoSec Institute’s SecurityIQ platform can help your organization fulfill the
personnel training requirements under GDPR. It includes several interactive training
modules related to privacy and data security, including a comprehensive “Privacy
and EU GDPR” module. The GDPR-specific training module covers key topics from
the list above, as well as best practices for protecting sensitive data throughout its
lifecycle.
Conclusion
Written to help organizations achieve privacy and security by design, the GDPR
establishes new regulations for companies collecting and processing EU citizen data.
Compliance under GDPR is achieved in three key steps: meeting data collection and
processing requirements, raising security awareness and training staff involved in
processing operations. With the right training and level of security awareness in
place, your organization can achieve GDPR compliance and more importantly, keep
its sensitive data secure.