EU General Data Protection Act (GDPR)
DownloadGDPR came into force in 2018. It has since become the model for other new data privacy laws cropping up around the world, such as:
- The California Consumer Privacy Act (CCPA)
- Brazil’s General Law for Protection of Privacy (LGPD)
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
- Japan’s Act on Protection of Personal Information
- Australia’s Privacy Act
All of these laws work from the premise that personal data belongs to the individual, so companies collecting that data must meet certain duties of care to protect it. Chief among those duties is keeping the data secure from unauthorized access or processing— including from hackers that might exploit weaknesses in mission-critical applications to reach PII in your company’s control.
The European Union’s General Data Protection Regulation (GDPR) is a far-reaching law that provides a set of privacy rights for all EU citizens. Any business working in the EU, as well as any business anywhere in the world that collects personal data about EU citizens, must comply with those GDPR standards or risk severe financial penalties. Some of these GDPR guarantees include:
- Right of access: an individual has the right to see all personal data a company has collected about him or her, upon request;
- Right of rectification; an individual can demand that inaccurate personal data about him or her be corrected, which the company must do within 30 days;
- Right of erasure: an individual can also request that personal data a company has collected about him or her be deleted.
GDPR doesn’t specify how a company must fulfill these rights; it only requires that a company covered by GDPR fulfill those rights somehow.
Likewise, the GDPR mandate does not expressly say that businesses must encrypt the personal data they collect about individuals. Instead, GDPR repeatedly cites encryption and pseudonymization as examples of the “appropriate technical and organizational measures” a company must take to assure the security of personal data it collects.
GDPR has also become a model for other privacy laws, such as the California Consumer Privacy Act. While CCPA and GDPR aren’t identical, both are rooted in the principle that personal data belongs to the person, rather than to the company collecting the data. As such, the company must meet certain standards of care while personal data is in its possession—such as keeping the data secure.
The Role of Cybersecurity in GDPR Compliance
Article 5 of the GDPR mandate states that personal data must be protected against “unlawful or unauthorized processing; and against accidental loss, destruction, or damage.” This is where cybersecurity enters the GDPR compliance picture. The data must be protected from unlawful or unauthorized manipulation.
Part of that challenge is to keep unauthorized users away (PII) resides. Another part, however, is to protect data itself, at the data and infrastructure layers.
That is, hackers could target a misconfiguration or vulnerability in the company’s mission-critical applications, and gain access to personal data without using business applications or leaving an audit trail. Even with strong internal controls and audits at the infrastructure or database levels, weaknesses in the application layer can still leave personal data exposed to unauthorized manipulation—and leave the company violating GDPR.
The potential fines for violating GDPR are substantial; to €20 million or 4% of an organization’s global revenue, whichever is greater.
Steps to Take
- Understand the security nuances of GDPR compliance. CISOs may not understand the details of GDPR compliance, while internal audit and compliance teams, as well as the Data Protection Officer (DPO) may not grasp all the attack vectors that could create GDPR risk. You need a thorough assessment of GDPR risk.
- Develop a security strategy for mission-critical applications that encompasses GDPR compliance. That strategy should address configuration management, log management, custom application development, patches, continuous monitoring and more.
- Find the right tools to do the job. Security teams, in conjunction with internal audit and compliance, need to identify weaknesses that jeopardize GDPR compliance and seal those gaps. With modern ERP systems supporting mission-critical applications, that’s not easy. Using the right technology is crucial to success.
Learn how Onapsis can help identify security and compliance risks and streamline your audit processes. https://onapsis.com/request-a-demo/