GDPR is about protecting the rights and freedoms of data subjects (the individuals whose personal data is processed), including their right to privacy. In other words, GDPR is about information security. Just like any other information security regulation or best practice (e.g. PCI DSS, HIPAA, or ISO 27001:2013), some of the requirements it sets forth are applicable to any organization that processes information as part of its daily operations. One area where GDPR differentiates itself from other information security regulations and best practices is that it is industry agnostic.
There is a belief that, if done appropriately, GDPR will strengthen the trust between your organization and its data subjects.
You may be asking yourself: what can a regulation originating in Europe teach me about information security as a US-based organization? GDPR has a very broad scope, and perhaps your organization does not fall within it. But understanding the requirements would prove beneficial to any organization. There are lessons to be learned from GDPR, especially since US Senator Edward Markey introduced a new bill called the “CONSENT Act” with the purpose of “requiring the Federal Trade Commission to establish privacy protections for customers of online edge providers, and for other purposes.” It would be foolish to think that we will not see additional regulations at the State and/or Federal level aimed at protecting the privacy of US citizens, similar to how GDPR protects the privacy of EU/EEA citizens.
An organization can learn from the GDPR regulation and use it as a reference point either to begin its journey of implementing information security best practices or to validate and improve on what it currently has in place. Requirements like privacy notices, data protection by design and by default, contracts with data processors, and 72-hour breach notification could apply to any organization in any industry. Let's break down these items to provide more detail.
GDPR requires data controllers to provide privacy notices, and it gives some stipulations and details regarding what should be included. The regulation states that a data controller shall provide the following information relating to the processing of the data subject's personal data:
- In an easily accessible form, using clear and plain language.
- The grounds for processing (i.e. consent, performance of a contract, a legal obligation, vital interest of the data subject, public interest, or legitimate interest of the controller)
- The purposes of the processing
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period
- From which source the personal data originate, and if applicable, whether it came from publicly accessible sources (Article 14 only).
Data Protection by Design and by Default
Article 25 of GDPR is about data protection by design and by default. It states that data controllers have an obligation to implement appropriate technical and organizational measures designed to implement data-protection principles and, by default, to process only the personal data necessary for each specific purpose. This applies to:
- The amount of personal data collected
- The extent of the processing
- The period of the storage
- The accessibility to the data
Contracts with Third-Party Vendors
GDPR requires data controllers to have contracts in place with any external processor relating to the processing activities. The regulation states that these contracts should include certain stipulations. Many of these stipulations are GDPR-centric, but there are a couple that could be applied to any contract your organization has with its vendors, such as:
- The ability to ensure the ongoing confidentiality, integrity, and availability of information systems
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational controls
- The ability to restore availability and access to personal data when an incident occurs.
72-Hour Breach Notification
GDPR states that in the event of a personal data breach, data controllers have an obligation to report the breach no later than 72 hours after having become aware of it. In the US, we have our own laws that govern data breach notifications, most of which do not impose a 72-hour limit, except for the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies regulation. This regulation went into effect March 1, 2017, and all “Covered Entities” must be compliant by March 1, 2019.
Depending on the nature of your business and the type of data you process as part of it, you may be required by law to report a data breach within a certain amount of time. It is important to understand the requirement, but it is equally if not more important to understand what your organization will actually do in the event of a personal data breach.
A formalized cyber incident response plan is a fundamental aspect of any regulation and would help your organization recover quickly from such an event. Looking at best practices and guidance such as the National Institute of Standards and Technology’s “Computer Security Incident Handling Guide” is a great place to start to understand what this plan should include from a people, process, and technology standpoint.
Your organization may have no obligation to comply with the requirements of GDPR, but that does not mean you should not educate yourself on the requirements and what the regulation means. It would not be illogical to view this as a precursor to what is to come for privacy law in the U.S. GDPR is more than just a privacy regulation; it should be viewed as a best practice and something you can learn from.