Coming into effect in May 2018, the General Data Protection Regulation will give EU data protection legislation a much-needed update and simplify data protection routines for businesses operating in the EU. For some companies, preparing for GDPR compliance entails a review of security practices, while others need to completely realign their focus and begin by putting security first. In this blog post, we explain what the GDPR means for your business and how Detectify can help you start working with security.
Legislation for a digital world
Unlike tech innovation, the wheels of legislation move slowly. The current Data Protection Directive that will be replaced by the GDPR came into force all the way back in 1995 – that’s right, the year Windows 95 was brand new and the movie Hackers (Detectify team’s all-time favourite) was released. Although the Data Protection Directive was updated with an amendment in 2003, it could not keep up with the developments in the tech world. To the delight of journalists and the horror of courts throughout Europe, there was a growing number of disputes that existing legislation simply couldn’t handle. One particularly well-known example is the Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González case from 2010, when a Spanish citizen requested that Google remove his personal data. Legal issues in a digital world clearly needed laws drafted with modern technology in mind.
Enter the GDPR, developed to bring EU legislation up to date with the increasing digitalisation of data. Introducing novelties like the right to be forgotten and Data Protection Officers, the regulation will unify data protection practices in EU member states and establish a greater focus on security and privacy.
Adopted by the European Parliament in April 2016, the new legislation will come into force on the 25th of May, 2018. Sofia Gunnarsson, founding partner of Sharp Cookie Advisors, a Swedish law firm specialising in tech law, says: “This regulation is already law and is valid, in contrast to a directive that requires national implementation processes in order to take effect. The EU legislation on data protection is set. There is, however, some room for interpretation that is left by the legislator to the national supervisory authority, but I do not expect to see national variations. We can expect to receive complementary guidelines for interpretation from the EU as we come closer to 2018.”
What does it mean for businesses?
One of the leading principles behind the GDPR is to protect European citizens’ rights by keeping their personal data safe, but what about businesses? Regardless of the sector, a unified data protection regulation offers a streamlined way of working with data throughout the EU, but it also brings a whole new set of challenges. Companies need to evaluate their data processing and security practices to ensure they comply with the GDPR when it comes into effect. For those who have been working with security on a daily basis, this will require some additional work to ensure appropriate measures are in place, which might mean restructuring their existing security workflow and perhaps adding to it. However, for companies that have never prioritised security before, the next two years could prove nothing short of stressful as failure to comply with the regulation can result in considerable fines.
While preparing for compliance can be overwhelming, Sofia Gunnarsson emphasises staying focused: “From my work as a data protection specialist advising data-driven companies, the greatest challenge is, and has been, to think small. By thinking small, I mean to clarify a unified management led strategy in your company on privacy and privacy engineering while focusing on very specific issues.”
The GDPR outlines a range of measures companies working with data ought to adopt and many of these measures are, in fact, best practices that do not only help protect businesses from non-compliance fines, but also improve their overall web security. Hopefully, the new legislation will encourage more companies to take a step towards a safer internet and make security a priority by incorporating security best practices.
“Under the GDPR, the company will be required to demonstrate its compliance, which can be met with certain internal processes such as maintaining a register of data processing, to have a process to delete all data, ensure data portability and information security, and report data breaches. Many companies will also be required to appoint a data protection officer, a professional within data protection that acts as an advisor and performs data protection audits on behalf of the company,” explains Sofia Gunnarsson.
“The first question every organisation should ask themselves is – do we keep records on each processing of data we perform? A register is a basic tool to keep track of what personal data your organisation collects, processes, shares, stores, deletes, etc. You use this one register to assess where in the organisation you should focus any further analysis and compliance activities.”
Security breach notification
The GDPR introduces a new security breach notification framework for all organisations working with data, including third-party data centres. The framework aims to make data controllers and processors accountable for data privacy breaches and is one of the bigger changes this legislation brings. To protect data, companies are required to implement “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing” (Regulation (EU) 2016/679). However, even preventive measures do not guarantee perfect security, as attackers are constantly developing new ways to access sensitive information.
In case of a security breach that puts personal data at risk, authorities need to be notified within 72 hours. The affected company has to provide detailed documentation informing the authorities about the nature of the breach, a risk assessment, and an account of the steps taken to resolve the situation. If the data that has been exposed is highly sensitive, the organisation also needs to communicate the breach to all data subjects affected.
To prepare for compliance at the system level, Sofia Gunnarsson advises companies to “begin with the critical IT-systems, regarding system sensitivity, prone to cyber-attacks, geographic location, third party dependent. If you’d rather start your sensitivity analysis from the categories of data – which different categories of data and personal data do our systems use, which types of data are needed, any sensitive data.”
Data protection by design and default
Alongside the obligation to report breaches, companies also need to be able to show that they are constantly working with data protection principles and incorporating “data protection by design” into their routines. This makes it necessary for companies to implement “appropriate technical and organisational measures /…/ which are designed to implement data-protection principles /…/ in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects” (Regulation (EU) 2016/679). Policies can range from regular security audits to up-to-date best practices and organisation-wide data protection education. In short, this is a way for organisations to illustrate their compliance with the GDPR in their everyday work.
Sofia Gunnarsson points out that companies will need to rethink why they work with data: “The principles of data minimization and privacy by default will mean that companies will be required to have a clear purpose of their use of data before collection. By contrast, it is not an uncommon practice to collect available data and let the business development and analytics later decide how to use such data. Given that many companies have a strategy to increasingly leverage end user data, the development of these new systems and processes has stakeholders across the organisation. As such, the area of data protection and security will require top management commitment and effort spanning much of the organisation.”
National data protection authorities will continue their work as supervisory authorities, supporting citizens, advising organisations, and investigating compliance. A few actions supervisory authorities have the power to take are issuing warnings, ordering organisations to notify data subjects of personal data breaches, imposing a ban on data processing, and imposing administrative fines. Fines can be as high as 10 000 000 EUR or up to 4% of the total worldwide annual turnover of the preceding financial year.
How Detectify can help you implement security measures
May 2018 might seem far away, but it is important to keep in mind that preparing for GDPR compliance could entail structural changes, educating the staff, and updating your entire way of working with data. What needs to be done depends on every organisation’s existing level of security measures, as well as the nature of the data that is being processed. Detectify can be a valuable piece of the data protection plan puzzle, helping you deploy safer code with automated security audits and encouraging an ongoing security dialogue. Our scanner is updated bi-weekly to keep up with the latest vulnerabilities and enable you to make your web application more secure.
We aim to educate developers about web security and give them the tools and knowledge to take security matters into their own hands. With our extensive knowledge base, detailed scan reports, newsletters, alerts, and regular blog posts, we wish to inspire companies to adopt a security-oriented way of thinking. Making your website safer doesn’t have to be complicated, intimidating, and costly, but it is a long-term team effort that requires an awareness of risks as well as remediation knowledge.
The GDPR is bringing great changes to the way businesses work with data protection and web security. Introducing a focus on security into your workflow with Detectify is just one of many parts of the compliance transition, but it can be a good place to start. There are plenty of companies and law firms that specialise in digital matters and can advise you on the GDPR to ensure your business complies with the new legislation.
Sofia Gunnarsson’s final piece of advice is not to lose sight of your business goals: “Do not forget to focus on the business while being compliant! Much of the available advice on the GDPR comes from compliance advisors, experts in many areas, but with a low interest in the sales side of your company. Embrace the opportunity to design your digital services and IT-systems with, e.g., the data protection legislation’s constraints (and opportunities) in mind. Too little has been told about the strategic value that the product owner and business development have over data compliance issues. At Sharp Cookie Advisors, we guide our clients to adopt a sales-focused strategy. In some cases, the strategy has led to the client’s decision to realign its product and service portfolio, creating new services or remarketing existing services with clearer purpose and expectations in relation to the end users.”
In the meantime, Detectify can help you get on the right track by prioritising security, so why not sign up for a free trial? We are ready to guide you towards a more secure website, one vulnerability at a time!
For more advice on working with security, read our CEO’s article on why security matters and learn how you can incorporate security into your daily routine in 7 steps.
There are several good guidelines on how to prepare for the GDPR, for example this one from the Swedish Data Protection Authority (in Swedish). To learn more about internal processes companies will need for GDPR compliance, read Sofia Gunnarsson’s article on the topic (in English).
If you have any questions, don’t hesitate to reach out at hello[at]detectify.com.
About Sofia Gunnarsson:
Founding Partner of law firm Sharp Cookie Advisors, Sofia Gunnarsson is an experienced lawyer in internet law, data protection, and international commercial law.