Security experts weigh in on GDPR checklists

Ahead of the compliance deadline for the EU General Data Protection Regulation (GDPR) and the new Data Protection Act, which implements the regulation in UK law, security experts have shared their top tips on what organisations should be focusing on at the start of a new data protection era.

For organisations that feel they are “behind” in their GDPR implementations, Martin Jartelius, chief security officer at security firm Outpost24, said they should ensure that they have:

• Enumerated all sub-processors.
• Performed data privacy impact assessments.
• Equipped websites and any other means of communications where data processing occurs to gather consent in a compliant way and to log this process.
• Informed users clearly about how to execute their right of erasure.
• Informed staff about not emailing or instant messaging personal data, or using new platforms without legal approval, as there will be sub-processing without consent.

Next, Jartelius said organisations should plan how they will deal with any communication that might come in from individuals or inspectors. 

“Understand that if something happens, transparency and clear communications to affected users is key to avoiding fines as well as staying on the right side of the law – transparency will be key to avoiding disaster. Once those are in place, you can work to catch up and get back on track with the rest of your implementation,” he said.

Tomáš Mičo, senior data protection and licensing lawyer at Eset, said the GDPR was about to change the way organisations think about personal data processing, as well as the protection of data subjects’ rights, and that organisations should perform checks in five key areas:

1. Principles: Comprehensive analysis and following validation are required when it comes to principles stipulated by GDPR which are the most important part of GDPR compliance. “Lawfulness, together with fairness and transparency, purpose and storage limitation, data minimisation, accuracy and integrity with confidentiality must be present in every stage of data processing,” said Mičo.
2. Accountability: After embedding principles into data processing activities, it is important to check the organisation’s ability to demonstrate that they are working as intended. “Data controllers have to be able to provide solid evidence to support the claim of compliance in an investigation by data protection authorities,” said Mičo.
3. Data processor arrangements: All former contracts with data processors need to be revised and amended to ensure compliance with requirements of GDPR.
4. Data subjects’ rights: The controller should prepare and test the worst case scenario of data subjects’ requests, just to be sure that appropriate answers can be given within the period required by GDPR.
5. Data protection officer: In the case of data controllers with a legal obligation to appoint a DPO, the selection process should have been already finished, or at least started.

Gavin Millard, technical director at Tenable, said it is important to remember good security is not measured by the number of zeros on a purchase order, but by how well technology is operationalised in the environment. “A well-configured £10,000 security technology can be far more effective than a poorly deployed £100,000 one,” he said.

Adrian Bisaz, European vice-president at CyberProof, said one of the top items on organisations’ checklists should be the “right to be forgotten” as it is one of the more difficult requirements for companies to implement in time. “Alternatives such as change of code or change of application are tactical solutions which don’t scale. An innovative approach is needed to help companies accelerate their ability to adhere to this requirement effectively,” he said.

Terry Ray, chief technology officer at Imperva, said there were two common mistakes companies continued to make with regards to data regulation. The first is failure to ensure they know where all of the regulation-relevant data is stored in their environment and that they know when that data is viewed or modified.

“This seems easy until a customer realises that most auditors will not accept a simple list of locations where private data is supposed to be. Instead, knowledgeable auditors expect a company to demonstrate that relevant data only exists in the locations where it’s supposed to be, and not where it isn’t. 

“More importantly, the company needs to demonstrate that private data does ‘not’ exist elsewhere within the organisation and that it is not shared without knowledge outside the organisation. This changes the process for many organisations from making a simple inventory of known locations where private data is supposed to reside, to a fully proactive review of all data storage systems looking for private data that doesn’t belong, or fell outside of private reporting procedures which may have left such locations off of a data privacy list.

“Post-breach, answering a data governance body with ‘I didn’t know that department had copied private data to another server’ is not an appropriate defence,” he said.

Second, organisations tend to fail to audit access to private data, which is often related to the first failure of not knowing where personal data is stored. “Assuming, however, that an organisation does have an effective data classification process and knows where all of its data is, it needs to ensure it is auditing access to it,” said Ray.

“Most auditors are looking for proof that a company knows the basics: Who viewed the data? How did they access it? When did it happen? Where did they come from and where was the data located? Most importantly, and yet often missed, is what was accessed, how much was accessed and should it have been accessed? These last three questions have been asked by post-breach investigators for years, and have now made their way to regulatory audits, because of the failure of companies to effectively answer them during a data loss situation,” he said.

Companies should fully expect to have secondary, deeper questions asked around the location of private data and whether private data is being accessed appropriately, warned Ray. “These both require a level of diligence that many companies, even today with such a short time to go, still cannot answer. Time will tell whether GDPR softens [auditors’] language to pass more failing companies or whether they make examples of some companies to get others into compliance,” he said.