GDPR has been in place since May 25th, 2018 and has already been used in legal actions against companies, with over 200,000 cases reported within this first year. The law is expected to make a notable impact on companies, as it has considerable fines and penalties. Even when compared to HIPAA and FISMA, GDPR has the most threatening teeth of any law to date. Even without GDPR being in full force, information security infractions have been getting more attention from multiple angles. There have been some examples of how expensive this can get, as seen with Alphabet and its $9.4bn in fines, over the past 3 years. It would appear by these recent historical events that information security is rising to a point of serious contemplation for businesses world-wide.
However, this should not be a news flash by any means. The implementation of a serious data protection law by the European Union has been in development for some time now (starting in 1995). Most notably, the now infamous “Right to be forgotten” was generating news and conversation on this very topic. Even still, as noted above, companies seem to be caught flat footed and have had to pay dearly for infractions.
GDPR drives the idea, at least in part, that information is a business asset, and as such, businesses are obligated to manage that asset in a manner that will not bring harm to its customers and employees. The public has voiced its concerns numerous times, indicating that loss of privacy has a legitimate ability to cause harm to an individual. GDPR gives those voices traction to hold organizations accountable for lack of proper management, security, and ultimately privacy of their Personally Identifiable Information (PII).
So, how can a company successfully meet the requirements of GDPR? Let’s take a look to explore the best viable answer to that question.
As a general principle of information security, evidence is the best method to prove how an organization deploys security controls. GDPR is no exception, as it calls out repeatedly, the requirement to be able to “demonstrate compliance”, as seen in Chapter 2, Article 5 of the regulation, where the principles of processing personal data are addressed. To be clear, evidence, also known as ‘audit artifacts’ or ‘audit trails’ within other compliance frameworks and in general among the audit community. Not surprisingly, within the United States, the requirement for audit artifacts is also seen in regulation, namely HIPAA and FISMA, both of which use the NIST standards to achieve security. The HIPAA focused security controls are seen in NIST SP 800-66, with FISMA using NIST SP 800-53, tying in the NIST Cyber Security framework to round out an information security program. Both regulations then use the NIST security control base, which in turn, supports privacy for IT systems and data.
Which brings us to the next important question, “What about privacy, isn’t that part of the GDPR?” Excellent point. Here again, NIST shows strength as a framework, as SP 800-53, rev 4, includes privacy controls, in appendix J. When held up against the extensive GDPR requirements, it is clear that these privacy controls can easily be leveraged to support the goals of GDPR. Some examples from NIST:
Naturally, this leads our conversation to “where do I need to apply these controls?” The data that is identified to be protected by GDPR and NIST is broadly understood as Personally Identifiable Information (PII) and both regulations have similar descriptions, only GDPR calls it “Personal Data”. GDPR appears to be the broader of the two definitions, as seen below:
GDPR PII: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;GDPR (article 4, Definitions, paragraph 1)
NIST PII: (Personally Identifiable Information): Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).
For any company system, these are the data sets that you want to ‘tag’ or search for to ensure that the proper protections are in place. Once that footprint is well understood, you now have the starting point for deploying not only your security controls, but also to check to be sure the privacy controls are in place. In the case of GDPR, the privacy controls repeat the requirement that signed consent be obtained from the data subject (much like HIPAA), with a number of notable exceptions – so be certain to review them for a full understanding. When considering how to tackle the requirements of not only GDPR, but FISMA, HIPAA or any other information security law or concern, the best place to look is NIST, in my opinion. NIST not only offers the most complete, thorough and well researched controls, it is also the framework recognized by the US government and federal courts. Putting NIST controls in place puts any company in an advantageous position, not only for the potential of being able to understand the requirements of a government contract, but for also showing the positive actions that a company takes regarding information security if ever questioned in court.
GDPR can offer some insight on how the overall public is viewing information security, and how that scope is more expansive than one might initially think. Interestingly, GDPR addresses an area that came as a surprise to me, which is centered around the use of ‘junk mail’ and spam. Both are addressed within the regulation, which in turn, will reduce the amount of unwanted traffic across your inbox, as well as your mailbox (if you reside in the EU).
Overall, from not only review of the regulation and associated writings on the subject, but from knowledge of the federal level protections, GDPR is very much in line with the principles of FISMA, if not directly in line with some of its stated requirements. To date, there is no officially identified framework to address the GDPR requirements, and based on my assessment, it makes the most sense to look to the NIST framework to address this shark-toothed law. Not to mention, if you have any federally sourced data on your system, FISMA is in play within your organization already, which requires NIST protections be in place. As an added bonus, if you have no other data privacy or security concerns past GDPR, and you are based within the U.S., deploying NIST puts you in alignment for the only law within the country (currently). As several people have already stated, the introduction of GDPR will most likely result in some sort of similar, if not more robust, new regulation within the United States. So, if you’re based in the U.S., buckle up, the ride is most likely not over.
In the end, the ability to address GDPR is not insurmountable – it simply is an area that requires a well thought-out, managed, approach and plan; as is true for many areas in business. Consider these items to start that process:
SynerComm can assist you with assessing your security or privacy controls status to address any framework, including PCI-DSS, FISMA or HIPAA. Contact us today for assistance on your information security needs!