GDPR: A Brief Overview


Over a year ago the GDPR (General Data Protection Regulation of April 27th 2016) was approved, and it will become mandatory for European Union members starting May 25, 2018.

That leaves a little less than a year to become compliant with the regulation, so I wanted to take the opportunity to write an overview about what this regulation is and what its main objectives are.

Let’s start by having a look at how this regulation defines personal data. “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address,” according to the European Commission.

Here are the main principles the regulation lays out for collecting data. Personal data must be:

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject
  • Collected for specified, explicit and legitimate purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  • Accurate and kept up to date
  • Kept in a form that permits identification of data subjects for no longer than is necessary
  • Processed in a manner that ensures appropriate security including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage

Let’s have a look at the scope of the regulation, that is, which organizations are obliged to adhere to it. The regulation defines two roles around data protection:

  1. The data controller (the organization that is collecting data from EU residents)
  2. The processor (the organization that processes data on behalf of the data controller)

The regulation applies if either the controller or the processor is based in the EU, or if they collect or process personal data of EU residents.

Let’s review now some of the main changes that the GDPR will effect:

  • It expands the notice requirements to include the retention time and the contact information for the data protection officer
  • Valid consent must be explicit for the data collected and the purposes of said data. Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn
  • People will have the right to question and fight decisions affecting them that have been made automatically by using algorithms
  • Implementing measures must be designed into the development of business processes for product and services which meet the principles of data protection by design and data protection by default
  • It will be the responsibility of the data controller to implement and demonstrate compliance, even when the processing is carried out by a third party

The new regulation also obliges organizations to appoint a Data Protection Officer for all public authorities or when the core activities of the data controller or processor consist of operations that require regular and systematic monitoring of data subjects on a large scale, as well as when they need to process personal data on a large scale.

Another significant aspect of the new regulation is the notification of a personal data breach to the data subject when the breach is likely to result in a high risk to their rights and freedoms. The notification will need to describe in clear and plain language the nature of the breach and the likely consequences of the breach as well as the measures taken or proposed to address it.

This notification can be avoided if the controller has implemented appropriate technical and organizational protection measures, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.

Finally, let’s have a look at administrative fines, since they are also a major change. It’s important to know that infringements of the regulation can be subject to administrative fines of up to 20 million Euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In order to determine the amount, the nature, gravity and duration of the infringement will be taken into account. Regulators will also take into account the nature, scope and purpose of the processing involved, as well as the number of data subjects affected and the level of damage suffered by them.

Also, the intentional or negligent character of the infringement, the technical and organizational measures implemented, and any action taken by the controller or processor to mitigate the damage suffered by data subjects are considered. Also considered are previous infringements, the degree of cooperation in order to remedy the infringement and mitigate its possible adverse effects, and the manner in which the infringement became known to the supervisory authority.

In any case, 20 million Euros or up to 4% of the total turnover is a really respectable amount that I’m sure will be good motivation for those companies that manage sensitive personal data to invest in becoming compliant with the GDPR and to implement the needed technical and organizational controls to decrease the risk of a personal data breach.

What about your company? Is it already working on implementing those controls and moving forward to get compliant with the GDPR?

Link to the law: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679#d1e6226-1-1

The Cyber Pressure Model


Nearly every organization and government entity around the world has a media arm to promote its activities. Today’s terrorist organizations are no exception. Top targets such as Al-Qaeda, ISIS and Al-Shabaab all have elaborate media mechanisms to promote and recruit for their organizations.

In my role as an Army Officer at US Central Command, I was privileged to support the fight against radical terror and particularly the effort to stop ISIS from creating and publishing videos of their gruesome acts. We also fought to put a stop to magazines that promoted radicalism and the spread of information on how to create IEDs and counter coalition tactics.

Our efforts centered on identifying the Islamic terrorist media apparatus, from producers and disseminators to leaders, and putting ‘pressure’ on all the points that would impact their operations.

This same pressure model can be used to fight cyber terrorists and criminals. By adopting an end-to-end look across the kill chain or lifecycle of a cyber attack, actions can be taken at specific stages to have the greatest impact in degrading the attacker’s ability to succeed in their objectives or to get to the next phase of the kill chain. Organizations must build a ‘pressure’ model based on their infrastructure, their tools, their goals and their business requirements.

To build this pressure model, you have to look at what can be done to identify attacker recon efforts and degrade or deter the attacker’s recon operations, as well as what can be done to keep them from moving further along the kill chain. If the ‘pressure’ placed during recon is not enough, then the organization must move to put pressure on the attacker’s ability to build tools against your specific infrastructure.

This may require purpose-placed defenses, active hunting, active intelligence collection, and identifying and stopping the delivery of tools or malware, and so on for every step of the attacker’s kill chain: from reconnaissance, design and build, delivery, installation, exploitation and command and control, all the way to combating their final intended actions of theft, denial of service or ransom. Place enough ‘pressure’ along each step, and attackers will lose interest or at least move on to weaker and less resource-intensive targets.

Kudelski Security built its Cyber Fusion Center around the concept of putting pressure at each stage of the kill chain. We take a nonlinear approach to the traditional phases of the kill chain, which enables us to identify patterns and disrupt adversary movements throughout the stages of an attack. This results in reduced time to detection, contextualization of the threat, and minimization of the overall impact when an attacker does penetrate border defenses.

It starts with information gathering. We collect, enrich and analyze threat data within the context of the environment. This gives our analysts insight on threats and the tactics, techniques, and procedures of adversaries.

Armed with this intelligence, we can help configure and manage defenses to thwart attackers’ advances throughout the kill chain. Should an attacker reach their intended target, virtual tripwires and decoys can stop them from achieving their objectives.

You can read more about the services provided by our Cyber Fusion Center here.