If you have a website or you are thinking about starting one, then you have definitely heard about the GDPR, and you have also heard that you will need to comply with it. So what is the meaning of GDPR?
GDPR, “The General Data Protection Regulation”, is a European regulation for data protection. All companies that process European residents' personal data need to be compliant with this regulation. In this post, we are going to discuss the main parts that need to be implemented to comply with this regulation. We are also going to give you some realistic examples and scenarios for each one of them to better understand the regulation.
When the GDPR came into effect on the 25th of May 2018, it was the first major update to European data protection law in over 20 years. The regulation gives individuals, known as data subjects, much greater control over how organizations process, or control the processing of, their personal data.
Before we dig deeper into the GDPR meaning, we first need to understand what personal data is. The GDPR definition says:
“personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” GDPR article 4
In GDPR terms, this means that any data that can be used to uniquely identify a human being is considered personal data. Here are some examples of personal data:
Personal data can be transformed into anonymous data, which is no longer subject to GDPR requirements, on condition that the anonymization process is irreversible.
The GDPR applies to ‘controllers’ and ‘processors’.
According to GDPR law, a controller is:
The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
In other words, a controller is anyone who has the power to decide whether or not personal data is processed. A processor, by contrast, is the party that carries out the processing of that personal data.
Whether you are a processor based in the EU or outside it, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
If you are a controller, you will need to check your contracts with processors to see if they comply with the GDPR, and you remain responsible for the security of the data.
The GDPR does not apply to some activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
Let me give some examples to help you determine whether this law applies to you:
Data controllers are responsible for and must demonstrate compliance with six data processing principles:
Failing to comply with the GDPR's requirements will leave organizations open to considerably higher penalties than they faced under the 1998 Data Protection Act, with:
To get compliant with the GDPR, there is a very useful checklist put in place by the GDPR team to help organizations become compliant more easily. In this article we are going to focus on the data security part of the checklist. Unfortunately, this checklist is not very clear about how to put all of this in place, so here we will give you some examples of how to do it.
Thinking about security at each step of the development process is crucial. Even without this law, people need to start thinking this way, and I keep telling all my clients: security is not a product you buy and bolt on at the end. Security is a process that starts from the very first step of the product development life cycle. For example, putting in place an S-SDLC (a secure software development life cycle) is the best way to become compliant with the GDPR.
I think this point is very clear. Encryption is becoming something natural on the web; even Google is now forcing web and mobile developers to at least use SSL encryption in their communications with the backend. Using end-to-end encryption to send and receive email is also a good idea. It is also better to encrypt any personal data you process, and to store the encryption key in a safe place, separate from the data.
Here is a template of a security policy that you can use to build your own.
Now, building awareness about data protection is the most difficult thing. People are naturally inclined to trust others; it is human nature, and it is up to you to counter this natural tendency.
To do this you will need to run periodic awareness campaigns about:
A data protection impact assessment (DPIA) is the process of identifying and reducing the data protection risks of a new project that may affect your organization. I will not dig deeper into this subject, as it would make this post even longer, so here is a very good guide that describes this process in detail.
If this subject interests you please leave a comment below and I will do my best to explain it in details.
Having a written process in place is a very important part of good management. It will help your detection and response team react quickly and efficiently when a data breach occurs, and it will also help you reduce the risk of any unlawful reaction. According to the GDPR, you have to inform the supervisory authority within 72 hours of the incident. You are also required to quickly communicate data breaches to the clients whose data is affected, unless the breach is unlikely to put them at risk.
Written by: Z. Oualid
I am a Cyber Security Expert; I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).