
GDPR meaning and compliance steps


Background

If you have a website, or you are thinking about starting one, you have almost certainly heard of the GDPR and heard that you will need to comply with it. So what does GDPR actually mean?

The GDPR (General Data Protection Regulation) is the European Union's data protection regulation. Any organization that processes the personal data of people in the EU, wherever that organization is based, has to comply with it. In this post we go through the main things you need to put in place to comply, with realistic examples and scenarios for each one so that the regulation is easier to understand.

When the GDPR came into effect on 25 May 2018, it was the first major update to European data protection law in over 20 years. It gives individuals, known as data subjects, much greater control over how organizations process their personal data, or have it processed on their behalf.

Before we dig deeper into the meaning of the GDPR, we first need to understand what personal data is. The GDPR defines it as follows:

“personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;” (GDPR Article 4(1))

In other words, any data that can be used, directly or indirectly, to identify a living person is personal data. Note that the identifier does not have to be unique on its own: an IP address or a cookie identifies someone indirectly, once it is combined with other information. Here are some examples of personal data:

  • a first and last name
  • a home address
  • an e-mail address
  • an identity card number
  • location data (for example, the location function of a mobile phone)
  • an internet protocol (IP) address
  • a cookie
  • your phone’s advertising identifier
  • data held by a hospital or doctor that would identify a person

Note:

Personal data can be transformed into anonymous data, which is not subject to the GDPR, but only if the anonymization is irreversible: the person must no longer be identifiable by any means reasonably likely to be used (Recital 26). Pseudonymized data, where the identifiers are replaced by tokens that a separately held key or lookup table can map back to the person, is still personal data and stays in scope.

Who does the GDPR apply to?

The GDPR applies to ‘controllers’ and ‘processors’.

According to the GDPR, a controller is:

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

In plain terms, the controller is whoever decides whether, why and how personal data is processed. A processor, by contrast, carries out the processing on the controller's behalf (Article 4(8)).

Whether you are based inside or outside the EU, as a processor the GDPR places specific legal obligations on you: for example, you must maintain records of your processing activities (Article 30), and you are legally liable if you are responsible for a breach.

If you are a controller, you need to check that your contracts with processors meet the GDPR's requirements (Article 28), and you remain responsible for the security of the data even when a processor handles it.

The GDPR does not apply to some activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

Let me give some examples so you can tell whether this law applies to you:

The six data processing principles of the GDPR

Data controllers are responsible for, and must be able to demonstrate, compliance with the six data processing principles of Article 5. Personal data must be:

  1. Processed lawfully, fairly and in a transparent manner,
  2. Collected for specified, explicit and legitimate purposes,
  3. Adequate, relevant and limited to what is necessary,
  4. Accurate and, where necessary, kept up to date,
  5. Retained only for as long as necessary,
  6. Processed in a manner that ensures appropriate security.

What happens if I don’t comply with the GDPR?

Failing to comply with the GDPR's requirements leaves organizations open to considerably higher penalties than they faced under the 1998 Data Protection Act:

  • Fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher (Article 83)
  • Loss of your clients' trust

How to get your security system compliant?

To become compliant with the GDPR, there is a very useful checklist published by the GDPR team to help organizations get compliant more easily. In this article we focus on the data security part of that checklist. Unfortunately, the checklist is not very clear about how to put all of this in place, so here we give you some examples of how to implement each item.

  • “ Take data protection into account at all times, from the moment you begin developing a product to each time you process data.”

Thinking about security at each step of the development process is crucial, and people should be doing it even without this law. I keep telling all my clients the same thing: security is not a product you buy and bolt on at the end. Security is a process that starts at the very first step of the product development life cycle. Putting a secure SDLC (S-SDLC) in place, with threat modeling at design time and security testing before each release, is the most direct way to meet this requirement, which the GDPR calls data protection by design and by default (Article 25).

  • “Encrypt, pseudonymize, or anonymize personal data wherever possible”

This point is fairly clear. Encryption in transit is now the norm on the web: browsers mark plain HTTP pages as not secure, and mobile platforms block cleartext traffic between apps and their backends by default, so at a minimum all communication with your backend must use TLS. Using end-to-end encryption to send and receive e-mail is also a good idea. Beyond that, encrypt the personal data you process at rest, and keep the encryption key separate from the data (in a KMS, HSM or secrets manager): an encrypted database whose key sits next to it in a configuration file gives no protection against an attacker who exfiltrates both. Finally, be precise about which technique you are using. Hashing an e-mail address or an IP address without a secret key is neither anonymization nor real pseudonymization, because these identifiers have so little entropy that anyone can hash candidate values and match them against the stored digests.
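As an added example (not code from the original post), here is a short Python demonstration of the three options the checklist item names in practice: unkeyed hashing (which re-identifies trivially), keyed pseudonymization with HMAC-SHA256 (which stays personal data, as the note on anonymization above explains, but resists the dictionary attack), and lossy truncation of an IP address. The e-mail and IP addresses are constructed sample data, and the key handling is an assumption: the key is generated in memory here, where in production it would be fetched from a KMS or secrets manager and never stored alongside the pseudonymized records.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample records for the demonstration; not real people or addresses.
SAMPLE_USERS = [
    {"id": 1, "email": "Alice@example.com", "ip": "203.0.113.42"},
    {"id": 2, "email": "bob@example.com", "ip": "198.51.100.7"},
]

# Pseudonymization key. Assumption: in production this is fetched from a KMS,
# HSM or secrets manager and is never stored next to the pseudonymized data.
PSEUDONYM_KEY = secrets.token_bytes(32)


def _normalize(identifier: str) -> bytes:
    """Canonical form so that 'Alice@Example.com' and 'alice@example.com' match."""
    return identifier.strip().lower().encode("utf-8")


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier.

    Often mistaken for anonymization. It is not: e-mail addresses and IPs have
    little entropy, so an attacker hashes candidate values and matches them
    against the stored digests (see reidentify() below).
    """
    return hashlib.sha256(_normalize(identifier)).hexdigest()


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym.

    With the key, the controller can still join records about the same person
    (same input, same token). Without the key, candidate identifiers cannot be
    tested, so the dictionary attack fails. The output is still personal data
    under the GDPR, because the key holder can link it back.
    """
    return hmac.new(key, _normalize(identifier), hashlib.sha256).hexdigest()


def truncate_ipv4(ip: str) -> str:
    """Coarsen an IPv4 address to its /24 by zeroing the last octet.

    The dropped octet is gone for good, which is the irreversibility the GDPR
    demands of anonymization; whether the result is truly anonymous still
    depends on what other fields sit beside it in the record.
    """
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(octets[:3] + ["0"])


def reidentify(token: str, candidates: Iterable[str], tokenizer: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: return the candidate whose token matches, if any."""
    for candidate in candidates:
        if hmac.compare_digest(tokenizer(candidate), token):
            return candidate
    return None


def pseudonymize_record(user: dict, key: bytes) -> dict:
    """Replace the direct identifier with a token and coarsen the IP address."""
    return {
        "id": user["id"],
        "email_token": pseudonymize(user["email"], key),
        "ip_prefix": truncate_ipv4(user["ip"]),
    }


if __name__ == "__main__":
    # Attacker's guess list: a handful of plausible addresses (constructed).
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]

    naive_token = naive_hash(SAMPLE_USERS[0]["email"])
    print("unkeyed hash re-identified as:", reidentify(naive_token, guesses, naive_hash))

    # The attacker holds the tokens but not PSEUDONYM_KEY, so all they can try
    # is unkeyed hashing of their guesses, which never matches an HMAC token.
    keyed_token = pseudonymize(SAMPLE_USERS[0]["email"], PSEUDONYM_KEY)
    print("keyed token re-identified as:", reidentify(keyed_token, guesses, naive_hash))

    for user in SAMPLE_USERS:
        print(pseudonymize_record(user, PSEUDONYM_KEY))
```

The design point is the split of knowledge: the data set holds only tokens and /24 prefixes, and the HMAC key lives elsewhere, so a dump of the database alone does not let the attacker run the guess-and-compare loop in `reidentify()`. Rotating the key breaks the link between old and new tokens, which is sometimes exactly what a retention policy wants.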

  • “Create an internal security policy for your team members, and build awareness about data protection.”

Here is a template of a security policy that you can use to build your own.

Building awareness about data protection is the hardest part. People tend to trust others by default; that is human nature, and it is up to you to train your team to question that instinct.

To do this you will need to run periodic awareness campaigns built around:

  1. Phishing e-mails
  2. Red teaming exercises
  3. Data protection training
  4. Secure coding training

  • “Know when to conduct a data protection impact assessment, and have a process in place to carry it out”

A data protection impact assessment (DPIA) is the process of identifying and reducing the data protection risks of a new project, and the GDPR requires one whenever the processing is likely to result in a high risk to individuals (Article 35). I will not dig deeper into this subject here, as it would make this post even longer, so here is a very good guide that describes the process in detail.

If this subject interests you please leave a comment below and I will do my best to explain it in details.

  • “Have a process in place to notify the authorities and your data subjects in the event of a data breach.”

Having a written process in place is an important part of good management. It helps your detection and response team react quickly and efficiently when a data breach occurs, and it reduces the risk of a panicked or non-compliant response. Under the GDPR you must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33), unless the breach is unlikely to result in a risk to individuals; the clock starts when you become aware of it, not on the date the incident happened. Where the breach is likely to result in a high risk to the affected people, you must also inform them without undue delay (Article 34).

Written by: Z. Oualid


About the author

Z. Oualid

I am a Cyber Security Expert, and I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).

