The General Data Protection Regulation (GDPR) is a cyber security framework introduced by the European Union (EU) on May 25th, 2018. It is the most stringent privacy and security law imposed globally upon organizations that collect, store, and transmit data connected with the EU.
As of June 2022, the GDPR regulatory authorities have fined organizations a whopping 845 million euros for non-compliance with its data processing regulations. The second and third most common GDPR violations, and those attracting the highest regulatory penalties paid by non-compliant organizations, were an insufficient legal basis for data processing and failure to fulfill information obligations.
With newer attack vectors emerging every day, it is vital for SMEs with close business ties to the EU to review their cyber security systems and gauge whether they comply with the regulations put forth by the GDPR.
This article aims to provide such organizations with a simple way to understand their data privacy requirements and employ current best practices to ensure they accomplish and maintain GDPR compliance.
What is GDPR compliance?
The primary goal of the GDPR is to secure the data privacy and security of the people of the European Union by applying its rules to both domestic and extraterritorial businesses that handle EU-based data.
These companies must be careful, as GDPR non-compliance can subject them to steep penalties of up to 20 million euros. Ultimately, it is a standard that helps secure customers’ private lives and provides businesses with the means to handle their data securely.
What is considered personal data in GDPR?
The GDPR protects personally identifiable customer names, appearances, locations, contact numbers, payment information, banking accounts, and transport registration numbers.
Additionally, any data relating to a customer’s biometrics, genetics, mental evaluations, health, and ethnic origins comes under the security blanket of the GDPR. Its coverage also extends to philosophical beliefs, religious opinions, ideologies, and political inclinations.
Likewise, personal data can also include digital identifiers such as audio recordings, images, videos, and numeric & alphabetical communications that can identify a person.
To summarize, Article 4 of the GDPR stipulates that any data directly connected to an individual residing in the EU is considered private.
To whom does the GDPR apply?
Before you provide your products or services to the EU, you must recognize the importance of being GDPR compliant. Even if you don’t directly target European customers, the GDPR laws might apply to you.
Consider an instance where you are an online business owner who does not directly target European customers but instead has a geographically diverse customer base. You may not know or expect how many of these customers interact with your products or services from the EU, but the GDPR still requires you to adhere to its strict data protection laws.
In such cases, failing to secure GDPR compliance can expose you to significant security risks and sanctions. Instead, safeguard your business from such situations by accomplishing compliance as a protective measure.
Let us look at the two categories of organization through which personal data flows, each with a different degree of responsibility for its protection.
Data controllers
A data controller is a legal or natural person, agency, public authority, or other body that decides the means and objectives of processing confidential data and ensures that its treatment is fair, lawful, and transparent.
A controller identifies and selects data processors that comply with GDPR guidelines. Its primary function is to protect the private data’s accuracy, storage constraints, and confidentiality at all times.
Data processors
On the other hand, a data processor is a legal or natural person, agency, public authority, or other body that processes private data at the behest of the data controller. Processors do not decide on data handling strategies themselves but carry out the controller’s instructions.
Although data processors do not have the same legal obligations as data controllers, they have their own compliance requirements that they must adhere to in order to avoid breaches. Failure to do so could cause a processor to receive disciplinary action from regulatory authorities such as the Information Commissioner’s Office (ICO).
The checklist to becoming GDPR compliant
This checklist will help organizations assess, identify and mitigate any issues in their current security posture and data handling methodologies. Let us dive right in and get one step closer to making your organization GDPR compliant.
1. Analyze data collected by your business
The data controller must always know how private customer data flows internally through a company’s systems. The controller maps the data flow by answering the following seven questions:
- What is the data source?
- What confidential information was gathered from the source, as defined by Article 4 of the GDPR?
- Why was the data collected?
- Once the data is collected, what means did the organization employ to process it?
- Under what circumstances and when did the organization dispose of the data?
- Does the organization have the appropriate customer consent to collect, store and handle the data?
- Does the data have any confidential, personally identifiable information?
A good practice is to establish the above points as a framework and require controllers to map and document the answers clearly for each data source.
2. Appoint a Data Protection Officer
The GDPR stipulates that organizations must appoint a Data Protection Officer (DPO) to supervise the data protection strategy.
The DPO is required to be present on-premises whenever organizations store private data centrally. Their primary function is to oversee the security of the collected information when it undergoes processing by a public authority, systematic monitoring, large-scale processing, or customer profiling.
When appointing a DPO, consider a candidate knowledgeable of all GDPR rules and regulations.
An excellent DPO should be capable of employing penetration testing and other attack surface monitoring solutions to quickly identify and mitigate any threats or vulnerabilities endangering customer data. They should be able to provide strategic counsel to controllers and processors about the best practices to accomplish GDPR compliance.
Article 39 of the GDPR clearly states the tasks and duties that a competent DPO must perform on behalf of the organization. It specifies that a DPO’s primary function should be to supervise data handling by conducting periodic Data Protection Impact Assessments to identify and minimize any data protection risks that may arise from a project.
Following the assessments, they should be able to provide controllers and processors with actionable insights and recommendations that can eliminate any compliance issues.
When regulators scrutinize GDPR compliance or raise data processing inquiries, the DPO must be the primary point of contact representing the organization.
Finally, it is paramount for the DPO to have an in-depth understanding of all the processing operations and their potential risk exposure to the organization.
3. Create a GDPR diary
Once you identify all your data sources, an excellent practice is to compile a comprehensive record of the organization’s GDPR compliance practices. This documented register is the GDPR diary, and it is instrumental in passing audits by providing the relevant authority with a map of how data flows through your organization.
In the unfortunate event of a data leak, a GDPR diary acts as definitive proof that your organization employed all means necessary to enhance its data security. Please don’t take the importance of your data register lightly, and include as much information as possible to improve its robustness.
Remember to have all the essentials of your information security portfolio in your GDPR diary to protect your confidential data effectively.
4. Evaluate your data collection requirements
GDPR compliance requires organizations to justify collecting a customer’s sensitive data. Before your organization can evaluate if it is GDPR compliant and handling sensitive data the way it’s supposed to, it must first define what it should consider as ‘sensitive’ data.
Here is a list of customer information that can be regarded as highly sensitive and that organizations should include in the scope of any assessment aimed at evaluating their data collection requirements:
- When your organization tracks the location and the behavior of your customers
- When your data consists of information on minors
- When you leverage data to automate decision making
- When you are collecting data from zones accessible to the general public
- When your organization is engaging in emerging technology
- When your organization deals with a customer’s data pertaining to their biometrics, ethnicity, religious views, political opinions, genetics, memberships, health records, sexual orientations, philosophical perspectives, and religious beliefs.
Collecting data without the appropriate justification can lead to scrutiny and audits from the relevant supervisory authorities. In such instances, you need to prove why data collection is essential.
To avoid this, conduct a Data Protection Impact Assessment (DPIA) to detect and minimize any risks from processing sensitive customer data before any substantial damage occurs.
Additionally, conduct Privacy Impact Assessments (PIA) to analyze how your organization handles its personally identifiable information (PII) and if it complies with the regulation requirements. This assessment helps identify privacy risks associated with the organization’s information systems and can gauge the effectiveness of any tactics proposed to reduce them.
Successfully passing these assessments proves that your organization is GDPR-compliant and capable of handling sensitive data.
5. Instantly report data breaches
GDPR compliance dictates that organizations must follow an immediate data breach notification protocol. Article 33 of the GDPR stipulates that controllers and processors must report any data breaches to the appropriate supervisory authority within 72 hours of the security event’s occurrence.
The immediate breach notification protocol must follow a clear, structured reporting chain in case of a breach. Under this protocol, the processor must report the infringement to the controller, who must immediately notify the jurisdictional regulatory authority, such as the Data Protection Association (DPA).
A controller or processor may be subject to heavy non-compliance penalties if they fail to adhere to these instructions.
6. Always be transparent about why data is being collected
It is mandatory to place data collection acknowledgments clearly on every point of contact with the customer where your organization harvests their information. Collecting data unbeknownst to the customer can subject an organization to heavy fines.
Here are some of the most common instances where organizations collect customer data:
Cookie Collection
According to the GDPR, when an organization needs to collect personal information via cookies, it must first acquire customer consent before the data is collected and used. The GDPR also mandates that the organization inform customers how it will use the cookies.
There must be no usage restrictions or repercussions for customers who decline to provide the organization with cookie consent.
Note that it is essential that the organization records and stores any acquired permission. Even if a customer initially grants cookie consent, the website must offer a clear means to revoke it at any point they see fit.
Website forms
Like cookie notifications, website forms must clearly inform customers how the organization plans to use their data. The organization must precisely relay this information to the customer, and under no circumstances should it be masked in technical jargon.
The consent checkboxes on website forms must be left unchecked for the customer to tick only if they agree to the entirety of the data collection terms. GDPR compliance dictates that there should be no boxes where consent is pre-approved.
7. Verify the age of users who are consenting to data collection
GDPR mandates that organizations require consent from the parents or legal guardians of individuals below 16 before collecting their data. This legal requirement is why organizations must integrate a robust age verification process into their websites to prevent unlawful data collection from underaged customers.
8. Include a double opt-in for all new email list sign-ups
As a next step, employ means to double-check that your customers have, in fact, deliberately opted in to be on your mailing list.
In a double opt-in system, the customer first provides consent upon entering their email address into the website form and then gives final permission by clicking the consent approval link, which is sent automatically to their email inbox.
Although a double opt-in isn’t mandatory for organizations, it is a widely recommended best practice for accomplishing complete GDPR compliance, and it shows the authorities that protecting customer data is your top priority.
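As an added example (not code from the original article), here is how a consent register implementing the double opt-in described above, together with the "record, store and revoke" requirement from section 6, could look in Python: the form submit creates a pending record and a signed link token, clicking the link confirms it within an assumed 48-hour window, withdrawal stamps the record rather than deleting it, and a link replayed after withdrawal does not re-enable consent. The signing key, the purpose strings and the time window are assumptions.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass, field
from typing import Callable, Optional

TOKEN_TTL_SECONDS = 48 * 3600  # assumed validity window for the confirmation link

@dataclass
class ConsentRecord:  # one consent-register entry: who, for what purpose, and when
    email: str
    purpose: str
    requested_at: float
    confirmed_at: Optional[float] = None
    revoked_at: Optional[float] = None
    nonce: str = field(default_factory=lambda: secrets.token_hex(16))

class ConsentRegister:
    def __init__(self, key: bytes, now: Callable[[], float] = time.time):
        # key: server-side signing secret (hypothetical); now: clock, injectable for testing
        self._key, self._now, self._records = key, now, {}

    def _sign(self, rec: ConsentRecord) -> str:
        return hmac.new(self._key, f"{rec.email}|{rec.purpose}|{rec.nonce}".encode(), hashlib.sha256).hexdigest()

    def request(self, email: str, purpose: str) -> str:
        # Step 1 (form submit): store a pending record and return the token for the e-mailed link.
        rec = ConsentRecord(email.strip().lower(), purpose, self._now())
        self._records[(rec.email, purpose)] = rec
        return f"{rec.nonce}.{self._sign(rec)}"

    def confirm(self, email: str, purpose: str, token: str) -> bool:
        # Step 2 (link click): accept only a fresh, correctly signed token for a live record.
        rec = self._records.get((email.strip().lower(), purpose))
        if rec is None or rec.revoked_at is not None:
            return False  # unknown address, or consent already withdrawn: a replayed link must not re-enable it
        nonce, _, sig = token.partition(".")
        if nonce != rec.nonce or not hmac.compare_digest(sig, self._sign(rec)):
            return False  # forged or mismatched link
        if self._now() - rec.requested_at > TOKEN_TTL_SECONDS:
            return False  # stale link: the customer must sign up again
        rec.confirmed_at = rec.confirmed_at or self._now()  # first click sets the timestamp; later clicks keep it
        return True

    def revoke(self, email: str, purpose: str) -> bool:
        rec = self._records.get((email.strip().lower(), purpose))
        if rec is None or rec.confirmed_at is None:
            return False
        rec.revoked_at = self._now()  # keep the record as an audit trail; stamp the withdrawal time
        return True

    def has_consent(self, email: str, purpose: str) -> bool:
        rec = self._records.get((email.strip().lower(), purpose))
        return rec is not None and rec.confirmed_at is not None and rec.revoked_at is None
```

Only `has_consent` should gate a mailing; the stored timestamps are what an auditor asks for when consent is disputed.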
9. Keep your privacy policy updated
A privacy policy dictates how an organization handles the customer’s private data collected during its operations. It is essential to always make an up-to-date version of the organization’s privacy policy readily available to customers on its official website.
Updating the website to reflect the latest policy changes is critical. A good practice is to employ appropriate legal counsel when devising your organization’s privacy policy to eliminate any inaccuracies and errors that may expose you to problematic legal ramifications.
10. Regularly assess all third-party risks
An essential requirement the GDPR places on organizations is to constantly stay vigilant of any security risks and have the appropriate countermeasures to mitigate them. To do this, it is a good practice to regularly assess all risks posed by third-party stakeholders with direct or indirect access to your sensitive data.
Classify and categorize the results of the GDPR risk assessments in grades ranging from low through medium to high risk, with each grade carrying an increasing impact weight for the organization. By doing this, the organization can mitigate risks in order of their propensity to cause harm.
Here, solving high-risk problems comes first before descending to medium and low. The goal is to create a system in which the organization remains resilient when facing external breaches of varying severity.
In conclusion, while GDPR compliance may be one of the most stringent and challenging standards to enforce, it is necessary to avoid the ramifications of an impending data breach.
Following this robust checklist makes accomplishing compliance easier. If you need additional help to achieve compliance, an external service provider can employ the latest penetration testing and attack surface monitoring solutions to identify vulnerabilities and thoroughly assess your data protection strategies to get you closer to achieving total GDPR compliance.
Remain compliant with stringent penetration tests
Securelayer7’s continuous penetration tests help you scan, review and isolate all web services and configurations that are GDPR non-compliant to keep your information security optimally protected.
We help customers that have close ties with the EU to spot risky web service authentication, authorization, and logic vulnerabilities that may result in sensitive data breaches that may otherwise cost them hefty penalties.
Our PTaaS services include web application testing, mobile app penetration testing, thick client penetration testing, and VOIP penetration testing. Through our stringent pen tests, secure your GDPR compliance and always remain protected against all new and emerging attack vectors. With our platform, accomplishing and maintaining GDPR compliance has never been easier.
Contact us now to find out more.