May 25, 2018 saw the introduction of the General Data Protection Regulation (GDPR) into law across the European Union (EU).
As a Regulation of the European Parliament, the GDPR automatically becomes enforceable in all EU Member States without the need for further discussion or adoption at a national level.
Given that the GDPR will govern issues related to data protection for anyone located in the EU, it is important for organisations and groups to understand what exactly the GDPR is and how it works.
In this comprehensive article, we’ll explain what GDPR is, what the main GDPR Data Security Requirements are, and how you can start your compliance process.
The GDPR is an EU law which was put in place to uphold the rights and freedoms of people within the EU by solidifying existing privacy legislation and adding additional protective measures.
By offering greater protection, control, and access for people in the EU in terms of their data and how it can be used, the GDPR aims to ensure that individuals are more aware of what information they have provided to third parties; and seeks to afford them greater confidence in the systems that secure their data.
The GDPR is very broad in terms of the subjects it covers and the geographic regions concerned – even companies located outside of the EU may find themselves subject to its rules.
To put it succinctly, the GDPR will affect instances where either the person (known as the data subject), the organisation (the data controller), or a service provider (the data processor) is located in the EU.
As such, it is easy to imagine that it will affect a vast number of groups, including those located internationally.
Increased globalisation is likely to lead to more and more companies being required to comply with the GDPR.
Compliance will not always be easy; different businesses will find themselves confronted with different issues.
In this article we will try to give a detailed account of the most important areas for groups to consider when they are tasked with bringing themselves into line with the GDPR.
As many companies collect data in more than one EU country, they will find that keeping their processing activities compliant will actually become simpler thanks to the GDPR.
This is because the GDPR lays down one law that is common to all EU Member States. Therefore, organisations will, for the most part, be able to use a common approach to data management to deal with data from different areas, which may formerly have been subject to different legal requirements.
The GDPR also introduces much higher penalties for violations. Inappropriate treatment, processing, or collection of data from individuals located in the EU or by EU-based organisations could lead to severe fines.
The maximum sanctions can amount to the higher figure of either €20 million or 4% of a company’s worldwide annual revenue.
The GDPR was enacted for two main reasons: to enhance data security for people in the EU; and to give individuals more say in the ways in which their data can be processed or used.
This means that companies that gather, store, or treat data must now do so much more carefully and under increased scrutiny.
Everything should be recorded to allow people to:
Any company or group that carries out data collection or processing activities will therefore need to have procedures that track how data is treated.
This will include documenting the processing that is done, as well as tracing where data is stored and copied on different servers so that it can be erased or copied should the data subject request.
For the purposes of GDPR compliance, when we talk about data, we mean personal data; and when we talk about personal data, we mean the GDPR’s definition of personal data, which is given in Article 4:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
This definition is incredibly broad and, as such, it should be assumed that practically any data could be considered as personal data under the GDPR.
If there is even a remote chance that the information could lead to the data subject being identified, then this information must be protected to the level established in the GDPR.
It is important to note that some data such as sexual orientation or religious affiliation should also be protected as it could be considered as relating to someone’s social or cultural identity.
While the GDPR is about increased data security, few specific measures that must be taken are actually named in the text of the law itself.
Being in compliance will then depend on an organization’s activities and it will undoubtedly evolve over time.
Throughout the different sections of the law, the GDPR calls for “appropriate technical and organisational measures” to be taken to meet the required level of data security.
Central to determining what may be considered an “appropriate” security measure is the concept of risk.
If the processing represents a higher level of risk to the rights and freedoms of the data subject, then it must be secured to a higher standard.
At a minimum, servers and IT infrastructure should be configured to help them withstand and defend against attacks, exploits, and hacks to a reasonable degree.
Action should also be taken to protect against unforeseeable events and accidents.
Such occurrences should not result in long downtimes or loss of data.
Section 2 of the GDPR deals with security of personal data. As a staple of modern IT security, encryption is mentioned as a possible method to be included when designing data protection procedures, but it is not obligatory.
Steps to dissociate or disguise the identity of the data subject, such as pseudonymisation, are also noted, but again the law only states this should be implemented “as appropriate”.
As the GDPR data security requirements are dependent to such a degree on the risk that is presented by the data type and the processing activity, a crucial first step for any organisation looking to comply with the GDPR should be a comprehensive audit to capture and understand all the information that they store and treat.
By identifying the types of data being held and the conditions it is being processed under, a more complete risk profile can be created.
Any vulnerabilities that could be exploited by hackers or oversights that could cause data loss can then be identified and addressed.
Even with the absence of specific security requirements, there are areas where the GDPR is very clear in its expectations of how organisations should act.
The documentation of activities called for by the GDPR is perhaps unprecedented in the level of detail necessary to be in full compliance.
Each individual piece of data will need to be supported by valid consent and have a record of how it has been collected, how it has been processed, and who has accessed or tried to access it.
Article 30, Records of Processing Activities, gives greater detail of the level of granularity required by the GDPR for each item of data. It assigns responsibilities to data controllers and their representatives to ensure that the appropriate information is tracked and recorded. The necessary information required includes:
All of this must be readily available or easily retrievable in order to satisfy supervisory authorities should they carry out investigations or data protection audits.
Given that organisations are likely to have vast databases containing information concerning thousands or even millions of data subjects, some sort of structure which can efficiently track and link the necessary records in a rapid or automatic manner would be pivotal in speeding up audits and aiding compliance.
Another key component of data security is the appointment of a Data Protection Officer (DPO) in cases where “the processing is carried out by a public authority or body” other than a court.
Entities subject to the GDPR due to the nature of their processing activities, such as processing the sensitive data described in Articles 9 and 10 of the GDPR, will also need to retain the services of a DPO.
The DPO is responsible for ensuring that the controller or processor is respecting the relevant national and EU data protection provisions, as well as for advising on security audits, procedures, and awareness and training.
As such, the DPO should be someone with a comprehensive understanding of the GDPR, as well as proven experience in dealing with privacy laws.
The DPO can be hired externally, promoted or trained internally, or even contracted out to specialist consultant firms.
While we will discuss this in greater detail below, a useful system would allow for data retrieval, categorisation, and classification.
It is likely that the GDPR will have an impact on businesses in nearly every sector, even if industries where data processing is prevalent will be affected to a greater degree.
Large-scale retailers that profile customers, or cloud storage operators, will obviously see a big change in how they conduct their operations.
While many GDPR articles and consultants shine a huge spotlight on these types of company, it should not be forgotten that smaller or less personal data-heavy enterprises must also adapt to this new reality.
Processing of personal data may not traditionally be a principal step for all of these businesses, but they should still be prepared for GDPR compliance.
Some overlooked sectors include:
As mentioned above, the GDPR regulates how personal data must be dealt with in cases where one or more of either the data subject, the data controller, or the data processor is located in the EU.
This means that if a company in Singapore has contracted its data processing to an agency in Poland, the Singaporean company, as the data controller, must make sure that the Polish processor is applying the GDPR standards as necessary.
Some structures are exempt from the GDPR. This is explained as part of Article 30. Small and medium enterprises that only employ up to 250 people do not have to comply with the regulations except in certain circumstances.
If the company is involved in systematic processing, or if the small amount of processing they perform leads to a high risk to the rights and freedoms of the data subjects, then they must also follow the GDPR.
To illustrate: a large garden centre with 100 members of staff would normally be exempt from the regulations; a recruitment firm with 40 employees or a medical laboratory with 25 staff would be subject to the regulations.
The recruitment firm systematically processes data and the medical laboratory is involved in the processing of sensitive genetic or health related data.
Unless the garden centre engages in some form of intensive processing of customer data, it should not be affected by the GDPR.
An important note for those organisations that are subject to the GDPR is that the personal data of members of staff must also be afforded the same level of protection as other personal data under the GDPR.
More detailed national laws may be put into place by Member States as provided for in Article 88, Processing in the context of employment.
To ensure that all internal employee data is being treated correctly, Human Resource (HR) departments must:
Any data that is no longer needed or that is not covered by consent must be deleted.
Having spent so much time discussing the impact and the restrictions resulting from the introduction of the GDPR, it may seem like it is illegal to use any data at all.
While compliance may seem overwhelming and confusing at first, there are actually some very clear rules outlining how and when data can be used lawfully.
These include in situations where:
Where data needs to be processed in order to protect a legitimate interest, processors and controllers should try to find other viable reasons under which the data could be treated.
Legitimate interest means proving that the interest and the necessity outweigh other rights or freedoms. As this may be difficult to achieve, other justifications are preferable.
A data subject’s reasonable expectations concerning the use of their data can be used to justify processing, if the processing is in line with these expectations.
This may occur, for example, where processing is required to continue providing a service that the data subject has consented to, but would not apply in cases where the data might be processed to offer unrelated services.
A key concern for many businesses is the applicability of the GDPR to sales and direct marketing communication material.
This type of contact may be permitted under legitimate interest, but it would be better to review what use of their data the customer consented to and what purposes it was collected for. We will discuss this in more detail below. To avoid doubt, consent should be re-sought when possible.
When the legitimate interests of the controller are being used as the basis for the processing of personal data, it should be ensured that all elements relating to consent and data collection are thoroughly reviewed beforehand.
Two guiding principles should be applied with respect to all legal data processing:
It is clearly stated in the text of the GDPR that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
As we noted above, however, it is desirable to have a record of data subjects explicitly consenting to this use of data.
Should data controllers be unable to provide evidence that they have consent from data subjects to process personal data, keeping in mind that this means informed, active, and freely given consent, then the processing of this data would constitute a violation of the GDPR.
Consent should be re-obtained prior to using the data. If consent cannot be acquired, the data must be deleted.
Another legitimate reason to process personal data within the confines of the GDPR is “processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations”.
This may include uses such as providing defence in a court case, investigating public health trends, or other similar reasons.
The GDPR does not apply to the data of deceased individuals, however this may be governed by other local laws.
Processing for “public interest” reasons does not negate the need to take sufficient safeguards to ensure the rights and freedoms of the data subjects are respected.
This justification must also be supported by a relevant national or EU regulation. It may therefore have different requirements depending on the relevant legislation.
Of the utmost importance, and as is a common theme when dealing with issues of the GDPR, everything should be recorded and tracked to allow for compliance to be audited and demonstrated.
A system to support and facilitate GDPR compliance should probably include some or all of the following features:
Both data controllers and data processors should be able to provide these types of records to the supervisory authority on request.
Indexation of data could allow all data gathered at the same time to be shown at once, or all data relating to a single data subject – which would make providing copies of data or deleting information easier following such requests, for example.
Coupling this with access logs can identify what departments or devices are using the data – which can help ensure only authorised processing is being carried out.
The access logs can also help identify when an unauthorised party or user uses or tries to view data.
The ideal system would allow for unusual activity to be flagged for further review so that it is not lost among the records of normal and legitimate business.
It can also help to identify which data subjects may have had their data compromised in the event of a breach – something which is necessary to comply with Article 33 of the GDPR.
The ability to quickly generate reports can also help controllers prove that their operations are being carried out with respect to the necessary standards.
NetFort’s LANGuardian is a network traffic and security monitoring solution.
As part of its functions, LANGuardian monitors internal and external network activity at the user and application level by recording IP and MAC addresses or Active Directory user names.
When doing so, it also checks the associated shared data. This activity meets several critical requirements.
By recording real time access and use, as well as storing historical data, LANGuardian captures the trail of every device, user, and application on the network.
This trail is continuously analysed, and it is possible to retain and extract information to a highly granular level of detail for a long period of time.
This can aid in demonstrating compliance.
LANGuardian extracts application specific information on every internal and external transaction and also builds up an inventory of devices, including the servers on the network.
Real-time, customisable dashboards allow you to track what is actually happening across your network, and LANGuardian stores this granular metadata, or audit trail, in its built-in database.
As a result, LANGuardian is a valuable tool in assisting with GDPR compliance by addressing the following basic requirements:
LANGuardian incorporates all of these features, which can facilitate compliance with, for example, stipulations of Articles 24, 31, 32, and 33.
We will examine each of these in more detail below.
Article 24 states that “the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”
Part of this for many organisations will be the ability to demonstrate that data has only been accessed by authorised individuals and has only been processed for the reasons required or consented to.
LANGuardian can achieve this through its application recognition engine (that recognises over 1000 applications) which can be customised to recognise proprietary applications.
LANGuardian purposefully does NOT retain every single data packet, but does retain application specific metadata and details on every transaction (including every file access and SQL query).
This results in a highly detailed audit trail of access to data on servers and databases, but with a huge data reduction (400:1 over full packet capture), creating a very cost-effective long-life database.
The GDPR’s Article 30 requires data controllers to keep a record of processing activities which includes “the categories of recipients to whom the personal data have been or will be disclosed”.
It also obliges data processors to “maintain a record of all categories of processing activities carried out on behalf of a controller”.
These records must be available for supervisory authorities to review.
LANGuardian’s whitelists and tracking features can serve as evidence of compliance with these requirements and can provide the records for review.
Article 32, which we mentioned briefly above, calls on organisations to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
The Article suggests that organisations consider measures which allow “the ability to ensure the ongoing confidentiality [and] integrity […] of processing systems”.
Steps to address the risk of data destruction, loss, or alteration are also required to be taken.
As LANGuardian maintains a record of all device and user activity very cost effectively in its database, it can be used to extract granular metadata on all activity from network traffic and it can generate alerts.
These features can prevent and track attempts by unauthorised users to access files, helping to keep the data confidential.
It can also trace any attempts to delete or modify data, and can identify the last time an alteration took place.
This means the date of modification could be pinpointed and an uncorrupted version of the file could potentially be restored from an archive.
We previously noted the 72 hour window to report data breaches and mentioned that the victims should be identified.
Data breach notifications should include, under Article 33, “the categories and approximate number of data subjects concerned”, as well as the approximate number of records concerned.
The data stored by LANGuardian can be searched by time period, by IP address, by user name, by file name, or by domain.
This means that if a suspect user or IP address is identified, or if an authorised user is compromised but only for a defined period, all files that were affected can be identified and examined quickly and easily.
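The breach-scoping search just described (and the flagging of unusual activity mentioned earlier), as an added Python example that is not LANGuardian’s code or schema: a constructed file-access audit trail is filtered to a compromised user and time window, then joined to a constructed file-to-data-subject index to produce the Article 33 figures (affected files, record count, approximate number of data subjects, last alteration per file). The record layout, paths, user names, IP ranges and business hours are all assumptions.

```python
"""Scoping a suspected breach from a file-access audit trail.

Constructed example: the record layout, paths, user names and IPs below are
invented for illustration and are not LANGuardian's own schema or output.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRecord:
    ts: datetime
    user: str
    src_ip: str
    path: str
    action: str  # "read", "write" or "delete"


# Constructed audit trail: one metadata record per file transaction, the kind
# of trail a metadata store (rather than full packet capture) would retain.
AUDIT_TRAIL = [
    AccessRecord(datetime(2018, 6, 4, 9, 5), "jsmith", "10.0.0.21", "//fs01/hr/payroll_2018.xlsx", "read"),
    AccessRecord(datetime(2018, 6, 4, 14, 30), "amurphy", "10.0.0.35", "//fs01/sales/customers_ie.csv", "read"),
    AccessRecord(datetime(2018, 6, 5, 1, 12), "jsmith", "203.0.113.7", "//fs01/hr/payroll_2018.xlsx", "read"),
    AccessRecord(datetime(2018, 6, 5, 1, 15), "jsmith", "203.0.113.7", "//fs01/hr/contracts/emp-002.pdf", "read"),
    AccessRecord(datetime(2018, 6, 5, 1, 40), "jsmith", "203.0.113.7", "//fs01/sales/customers_ie.csv", "read"),
    AccessRecord(datetime(2018, 6, 5, 2, 5), "jsmith", "203.0.113.7", "//fs01/hr/contracts/emp-002.pdf", "delete"),
    AccessRecord(datetime(2018, 6, 5, 10, 0), "jsmith", "10.0.0.21", "//fs01/hr/payroll_2018.xlsx", "read"),
    AccessRecord(datetime(2018, 6, 5, 11, 20), "amurphy", "10.0.0.35", "//fs01/sales/customers_de.csv", "write"),
]

# Constructed file-to-data-subject index: the output of the data audit and
# indexing step the article calls for.
FILE_SUBJECTS = {
    "//fs01/hr/payroll_2018.xlsx": {"emp-001", "emp-002", "emp-003"},
    "//fs01/hr/contracts/emp-002.pdf": {"emp-002"},
    "//fs01/sales/customers_ie.csv": {"cust-100", "cust-101"},
    "//fs01/sales/customers_de.csv": {"cust-200"},
}

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed corporate address range
BUSINESS_HOURS = range(8, 18)            # assumed 08:00-17:59 baseline


def records_in_window(trail, start, end, user=None, src_ip=None):
    """Select records inside [start, end], optionally narrowed to a user or source IP."""
    return [r for r in trail
            if start <= r.ts <= end
            and (user is None or r.user == user)
            and (src_ip is None or r.src_ip == src_ip)]


def scope_breach(trail, file_subjects, start, end, user=None, src_ip=None):
    """Produce the Article 33 figures for a compromise window: affected files,
    record count, approximate number of data subjects, and last alteration per file."""
    hits = records_in_window(trail, start, end, user, src_ip)
    files = sorted({r.path for r in hits})
    subjects = set().union(*(file_subjects.get(f, set()) for f in files))
    last_alteration = {}
    for r in hits:
        if r.action in ("write", "delete"):
            last_alteration[r.path] = max(r.ts, last_alteration.get(r.path, r.ts))
    return {"files": files, "record_count": len(hits),
            "subject_count": len(subjects), "last_alteration": last_alteration}


def flag_unusual(trail):
    """Flag records worth review: off-hours access, access from outside the
    internal range, and deletions. Returns (record, reasons) pairs."""
    flagged = []
    for r in trail:
        reasons = []
        if r.ts.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if ip_address(r.src_ip) not in INTERNAL_NET:
            reasons.append("external-source")
        if r.action == "delete":
            reasons.append("delete")
        if reasons:
            flagged.append((r, reasons))
    return flagged


if __name__ == "__main__":
    window = (datetime(2018, 6, 5, 0, 0), datetime(2018, 6, 5, 3, 0))
    print(scope_breach(AUDIT_TRAIL, FILE_SUBJECTS, *window, user="jsmith"))
    for rec, why in flag_unusual(AUDIT_TRAIL):
        print(rec.ts, rec.user, rec.path, rec.action, why)
```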
Storage of historical network events and comprehensive analytical capabilities make LANGuardian the ideal solution for GDPR incident response and network forensics requirements.
When investigating an incident or responding to a request for information on data or files, LANGuardian is the single reference point for all the detail needed.
Another of LANGuardian’s key strengths is its ability to monitor data ‘access patterns’, and to continuously report on inventory and servers, including internal file shares and databases.
It also records who is accessing what data, and what they are doing with it. Every device and server on the network leaves a traffic trail.
LANGuardian captures and analyses this trail to ensure an accurate and up-to-date picture of data movements on the network, with minimum implementation costs.
This can help prevent breaches by potentially flagging and alerting suspicious activity, allowing administrators to shut down access or monitor the activity in real time.
“A security strategy that incorporates vigilant and detailed insight into the network makes a huge difference. LANGuardian makes this difference a reality.”
– Shawn, IT analyst, Oil and Gas processor
The initial costs of bringing an organisation up to the GDPR’s standards are likely to be relatively high.
If we consider the steps we have mentioned in this article – reviewing contracts, auditing data, hiring a DPO if necessary – we can already see that many hours and perhaps some external expert assistance will be required.
Add to this a comprehensive review of procedures, the potential implementation of new IT systems, and staff training, and it may seem like the GDPR will lead to prohibitive costs.
It must be remembered, however, that all of your competitors will be subject to the same regulations and must make the same financial and workload commitments.
GDPR compliance is now a cost of doing business and innovative solutions are available to make the task as easy as possible. It must also not be forgotten that the penalties for violating the GDPR are substantial – potentially €20 million or more.
Consider the fictional case of Stay-a-night Inc., a company with 300 employees.
They provide accommodation to professionals and private individuals. Data processing is not their main business, but they do process quite a lot of client data and must comply with the GDPR.
| Item | Cost |
| --- | --- |
| General GDPR consulting | €20,000 |
| New IT system implementation | €15,000 |
| Staff costs (HR data) | €11,000 |
| Outsourced Data Protection Officer (DPO) | €15,000 |
| GDPR staff training | €9,000 |
They hold a large amount of data so they bring in outside consultants for two weeks to ensure everything is audited properly for a cost of €20,000.
They then implement a more robust IT system with greater data protection for €15,000.
They need a DPO as they regularly and systematically process data; they subcontract this service for €15,000.
Reviewing each employee’s contract and consent to data processing for 300 staff members, estimating 2 hours per contract, could take one HR staff about 15 weeks. Calling it five weeks for three HR staff, the cost is around €11,000 in wages and associated charges.
Finally, training for staff on the new procedures and their duties could easily amount to €9,000.
This gives us an overall up-front cost for this business of €80,000. Yearly recurring costs relating to maintaining systems, periodic audits, the DPO, and refresher training could come to €20,000.
This cost could then be offset somewhat by efficiency gains. As the GDPR will be EU wide, the rules for processing the data relating to customers booking in different regions should be the same.
Stay-a-night Inc. operates in many EU countries and deals with people from many backgrounds so this is a great advantage.
All GDPR compliance processes should start with a comprehensive data audit.
This will point the way for what security requirements are needed and what procedures need to be changed or introduced based on the risks identified.
Data that is found to be incorrect or lacking sufficient consent should be rectified or erased.
Addressing and reducing risks is very important. If companies cannot adequately mitigate risks, they should consult with the relevant supervisory authority.
As noted above, a system to aid data retrieval and indexing should be introduced.
The same or a compatible system should be put into place to track access and use of data.
Careful attention should be paid to the deletion deadlines. Deleting data under the GDPR is actually positive as it means that you have extracted the useful information from the data and data breaches will impact fewer individuals.
If a DPO is required for your company’s processing activities, someone with the necessary knowledge of the GDPR and experience in data protection should be hired or the duty should be contracted out to a suitable party.
New security and data protection procedures should then be designed (with the DPO if applicable) and any necessary IT systems should be introduced.
Staff should then be trained in how their roles have changed and how they will work in compliance with the GDPR.
It is critical to take the time to correctly execute these preliminary activities, despite the costs, as they will form the foundation of your GDPR compliance programme both now and in the future.
Proper preparation can lead to more efficient activities and confidence in the security of your data.
It is worth being reminded here that non-compliance or violations could lead to financial penalties of either €20 million or 4% of global annual revenue, whichever is higher.
No organisation can afford to find itself subject to such a fine. Not only would this result in less money being immediately available to reinvest in the company to finance growth, it could also have knock-on effects on the organisation’s image among both stockholders and potential customers.
A company without customers is doomed to fail and a company which has scared away investors will certainly find it hard to rebound or find credit to stimulate development.