GDPR and Its Impact on Cybersecurity
The General Data Protection Regulation (GDPR) replaces the previous European data protection legislation. On May 25th, 2018, after 20 years, GDPR became the first major overhaul of the European Union's data protection law.
It effectively replaces all the varying national implementations of the EU Data Protection Directive across Europe, giving all organizations a standard set of regulations and expectations for managing the personally identifiable data of users, employees, clients or any other subjects.
Under GDPR, businesses must explicitly request permission from an EU citizen before collecting their specific data. If a business's activities involve the use of personal data, it requires the assistance of a DPO.
Any GDPR violation could result in a fine of 4% of your business's annual profit or twenty million pounds, whichever is greater. There is a prevalent misconception that GDPR does not affect businesses operating outside the EU; in fact, any business that collects data of EU citizens has to be GDPR compliant.
GDPR is something businesses need to take seriously; in particular, they need to look at how it might change their cybersecurity plans.
The 5 Clauses in GDPR That Concern Cybersecurity
For any cybersecurity professional, the need to protect data and manage information is not new, but with the introduction of GDPR, professionals need to impose stronger security measures and enable data breach notifications.
The five individual clauses concerning cybersecurity in GDPR are summarized below:
- Protection measures against unauthorized and unlawful access and against loss or damage of information.
- The process of ensuring and demonstrating data protection.
- Steps for protection against unlawful access, loss, and external threats.
- Steps for protection against insider abuse.
- Notify breaches within 72 hours with full disclosure and detail.
Definition of Personal Data
The implications of GDPR also include a change in the general definition of what counts as personal data. "Personal data" is itself a broad term, but under GDPR it expands a little further.
The following data constitutes personal data under GDPR:
- Email Address
- Phone Number
- Postal Code
- Driver’s License
- Bank Account Numbers and Information
- Credit and Debit Card Numbers
- IP Addresses
- Union Membership Numbers
- Workplace Information
- Social factors
Explicit permission for each such data item is needed. Moreover, a clarification of how the collected information will be used must be provided to the user in unambiguous language, along with the right to withdraw consent at any moment.
Restrictive Data Collection and Storage
GDPR has forced many websites to introduce new practices that tighten cybersecurity. Gone are the days when anyone who visited a website implicitly granted permission to use their data. Explicit permission for every data item and simplified terms of usage make data collection restrictive.
Increased Cybersecurity with Multi-layer Protection
All devices and pieces of equipment in this tech era are connected to or enabled via the internet, leaving them vulnerable to attacks. In such cases, cybersecurity professionals need to make websites opt for multi-layer security, as a firewall by itself won't be enough: technologies that encrypt unstructured data, compress it and enforce safe file transfers.
Reporting and Assessment of Security Breaches and Risks
Data leaks and routine checks are part of the business framework. Social media, websites, emails, or any other form of online engagement are susceptible to breaches. Under GDPR, businesses must inform users within 72 hours of any data breach. Hence data processing must be systematically monitored.
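The two requirements above (explicit, purpose-bound consent that can be withdrawn at any moment, and systematic monitoring of processing with a 72-hour notification clock) can be made concrete in code. The following is an added illustration, not code from the original article or from any GDPR tooling: a hypothetical consent ledger that records one consent per subject, data category and stated purpose, logs every processing decision so that processing without valid consent is visible to whoever monitors the log, and computes the notification deadline from the moment a breach becomes known. All names (`ConsentLedger`, `process`, `notification_deadline`) and the timestamps and identifiers in the demo are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The 72-hour breach notification window described in the article.
BREACH_NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class ConsentRecord:
    """One explicit consent: a subject agreed to processing of one data category for one stated purpose."""
    subject_id: str
    category: str            # e.g. "email_address", "ip_address" (categories named in the article)
    purpose: str             # the unambiguous purpose the subject was shown when consenting
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self, at: datetime) -> bool:
        # Consent may be withdrawn at any moment; after withdrawal it no longer covers processing.
        return self.granted_at <= at and (self.withdrawn_at is None or at < self.withdrawn_at)


class ConsentLedger:
    """Hypothetical ledger (constructed for this example) that stores consents and logs every processing decision."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []
        self.processing_log: List[Dict] = []

    def grant(self, subject_id: str, category: str, purpose: str, at: datetime) -> None:
        self._records.append(ConsentRecord(subject_id, category, purpose, at))

    def withdraw(self, subject_id: str, category: str, purpose: str, at: datetime) -> None:
        for rec in self._records:
            if (rec.subject_id, rec.category, rec.purpose) == (subject_id, category, purpose) \
                    and rec.withdrawn_at is None:
                rec.withdrawn_at = at

    def is_allowed(self, subject_id: str, category: str, purpose: str, at: datetime) -> bool:
        # Purpose limitation: consent given for "newsletter" does not cover "profiling".
        return any(rec.subject_id == subject_id and rec.category == category
                   and rec.purpose == purpose and rec.active(at)
                   for rec in self._records)

    def process(self, actor: str, subject_id: str, category: str, purpose: str, at: datetime) -> bool:
        """Record a processing attempt and return whether consent covers it.

        Every attempt is logged, allowed or not, so the log can be monitored systematically."""
        allowed = self.is_allowed(subject_id, category, purpose, at)
        self.processing_log.append({"at": at, "actor": actor, "subject": subject_id,
                                    "category": category, "purpose": purpose, "allowed": allowed})
        return allowed

    def unlawful_processing(self) -> List[Dict]:
        """Log entries where processing happened without an active, matching consent."""
        return [entry for entry in self.processing_log if not entry["allowed"]]


def notification_deadline(aware_at: datetime) -> datetime:
    """Latest time by which a breach must be notified once the business becomes aware of it."""
    return aware_at + BREACH_NOTIFICATION_WINDOW


def run_demo() -> Dict:
    """Walk through grant, purpose-limited use, withdrawal and a breach clock on constructed data."""
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    ledger = ConsentLedger()
    ledger.grant("user-42", "email_address", "newsletter", t0)
    ok_newsletter = ledger.process("marketing", "user-42", "email_address", "newsletter",
                                   t0 + timedelta(hours=1))
    ok_profiling = ledger.process("analytics", "user-42", "email_address", "profiling",
                                  t0 + timedelta(hours=2))
    ledger.withdraw("user-42", "email_address", "newsletter", t0 + timedelta(days=1))
    ok_after_withdraw = ledger.process("marketing", "user-42", "email_address", "newsletter",
                                       t0 + timedelta(days=2))
    breach_aware = t0 + timedelta(days=10)
    return {
        "newsletter_allowed": ok_newsletter,          # True: explicit consent for this purpose
        "profiling_allowed": ok_profiling,            # False: different purpose, no consent
        "after_withdraw_allowed": ok_after_withdraw,  # False: consent withdrawn
        "unlawful_count": len(ledger.unlawful_processing()),
        "deadline": notification_deadline(breach_aware).isoformat(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The log is the monitoring hook: in a real deployment the `unlawful_processing()` entries would feed an alert, and the `actor` field makes insider misuse (the fourth clause above) attributable to a specific role or account.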
Critical Data Processing and Data Processing Officer (DPO)
Under GDPR, the protection of data has two parts:
First is the controller, mainly the owner of the business, who collects information from users/customers and decides how to use it.
Second are the processors, the employees who follow the directives provided by the controller.
Post-GDPR, many businesses are still figuring out how to use data while staying compliant with GDPR. In such cases, companies appoint a DPO who educates employees and owners on all the parameters, helping them understand their accountability when dealing with data under this new regulation. In short, the DPO becomes the point of contact for all data processing activities of the company.
Complying with data protection regulations ensures the trust of consumers. Also, with GDPR, the collection and storage of specific consumer data becomes a serious priority for all companies dealing with EU citizens.
Hopefully, this article provides a clear picture of what GDPR is and its effects on cybersecurity. For more detailed information, you can also read this white paper from Secureworks.
(Image Credit: Pixabay)