[BreachExchange] Impact of Data Protection Legislation

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 15 18:50:43 EST 2018


2018 will usher in a new era of data protection as the European Union
General Data Protection Regulation (GDPR) comes into effect on May 25. How
does this impact a business based in North America?

The GDPR takes a broader, more encompassing view of data protection and
regulates results and outcomes rather than prescribing a specific cookbook
of controls. Its reach is keyed to where the data subject is, not to
citizenship: any business that processes personal data about individuals in
the EU, whether by offering them goods or services or by monitoring their
behaviour, must comply with the GDPR regardless of where the business is
established. A secondary desired outcome is that organizations will develop
security practices that protect all of the company's important data,
understanding that personal data is just the tip of the iceberg. This also
means that the security obligations expand beyond the IT department and
encompass the entire organization, with significant impact on the world of
communications technology.

Many organizations still focus their sales and business interactions on
North America, which of course means they may not be affected. But wait:
other governments, Canada and some U.S. states among them, are following
suit and have started drafting parallel data protection legislation, some
of which will come into effect later in 2018. Most security experts expect
that over the next three to 10 years data protection legislation will only
get tighter, as poor security practices continue to carry greater
consequences and negative impacts.

Getting Ahead of Compliance & Security
Businesses can play the wait-and-see game and risk potential fines and
business failures, or they can get ahead of this shift in the security
landscape and start taking a holistic approach to data protection within
the organization. Getting out in front of the issue will certainly reduce
the organization's compliance risk, but it also brings other business
benefits: doing a better job of protecting key assets (e.g. intellectual
property); reducing the risk of a security breach and of the negative PR,
remediation costs, and liability that accompany a breach; and better
protecting the company's revenue.

Too many businesses today take a very narrow view of security rather than a
holistic one. Businesses are going to have to start looking at security
through data protection glasses. A piecemeal approach is more costly, as
management and operations become more difficult. Organizations need to
follow the "bit train" of data as it moves through and outside the
organization: what data is collected; how it is collected, used, shared,
stored, and controlled (including by suppliers and cloud providers); how
long it is kept; and whether it should be collected or stored at all.

Specifically with the GDPR, the EU legislature wants businesses to shift
from security as an afterthought to protecting all important data by
default and by design. Data protection by design, aligned with the GDPR's
99 articles (the binding requirements) and 173 recitals (the interpretive
guidance), requires businesses to:

- Establish a lawful basis for collecting and processing data about the
individual (the data subject); consent is one of six such bases and, where
it is relied on, must be freely given, specific, informed, and revocable
- Provide them with the ability to see what data has been collected about
them (Right of Access)
- Allow the data to be transferred to another provider of services in a
machine-readable form (Right to Data Portability)
- Allow the data to be deleted upon request (Right to Erasure)
- Allow the individual to know how their data is being used (Right of
- Allow them to challenge how the data is being used (Right to Object)

Businesses will need to notify the data protection regulator (supervisory
authority) within 72 hours of becoming aware of a personal data breach, and
must also notify the affected individuals without undue delay when the
breach is likely to result in a high risk to them. Failures to notify fall
in the GDPR's lower tier of fines (up to €10 million or 2% of worldwide
annual turnover, whichever is higher); the top tier, for violations of the
core processing principles and data subject rights, reaches €20 million or
4%. Businesses will also be required to be able to discover breaches in a
timely manner. Incident detection and response will challenge many
businesses -- attackers have automated many of their attacks, so detection
is a round-the-clock activity. Businesses will need intelligent systems and
operational processes that can:

1. Log and analyze security events and indicators
2. Detect attacks and respond to them while they are in progress
3. Contain, report, and remediate breaches or incidents, including scoping
which data subjects and data categories were affected
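The three steps above, as an added illustration that is not part of the original post: a small Python pipeline that parses constructed audit-log lines, raises an alert when one principal reads or exports records of more distinct data subjects than a sliding-window threshold allows, and opens an incident record that scopes the affected subjects and data categories and computes the 72-hour regulator deadline from the moment of detection. The JSON-lines log format, the event names, the thresholds, and the sample entries are all assumptions made for this example, not a real product's schema or data.

```python
"""Detect -> record -> deadline over constructed audit logs (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Events that touch personal data. Event names are assumptions for this example.
PERSONAL_DATA_EVENTS = {"record.read", "record.export"}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
NOTIFICATION_WINDOW = timedelta(hours=72)  # GDPR Art. 33: 72h after becoming aware

# Constructed sample audit log in JSON-lines form (not from a real system).
SAMPLE_LOG = """
{"ts": "2018-02-15T21:02:11Z", "user": "agent07", "event": "record.read", "subject_id": "c-1001", "fields": ["name", "email"]}
{"ts": "2018-02-15T21:02:14Z", "user": "agent07", "event": "record.read", "subject_id": "c-1002", "fields": ["name", "email"]}
{"ts": "2018-02-15T21:02:20Z", "user": "agent12", "event": "record.read", "subject_id": "c-3001", "fields": ["name"]}
{"ts": "2018-02-15T21:02:31Z", "user": "agent07", "event": "record.read", "subject_id": "c-1003", "fields": ["name", "phone"]}
{"ts": "2018-02-15T21:02:35Z", "user": "agent07", "event": "session.login"}
{"ts": "2018-02-15T21:03:02Z", "user": "agent07", "event": "record.read", "subject_id": "c-1004", "fields": ["name", "email"]}
{"ts": "2018-02-15T21:03:05Z", "user": "agent12", "event": "record.read", "subject_id": "c-3002", "fields": ["name"]}
{"ts": "2018-02-15T21:04:10Z", "user": "agent07", "event": "record.export", "subject_id": "c-1005", "fields": ["name", "email", "phone"]}
{"ts": "2018-02-15T21:15:00Z", "user": "agent12", "event": "record.read", "subject_id": "c-3001", "fields": ["name"]}
"""


def parse_log(text):
    """Step 1: parse JSON-lines audit events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], TS_FMT).replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_bulk_access(events, window=timedelta(minutes=5), threshold=3):
    """Step 2: flag a principal that touches more than `threshold` distinct
    data subjects inside a sliding `window` (both values are illustrative).
    Returns one alert per user, raised at the event that crossed the line."""
    history = defaultdict(list)  # user -> [(ts, subject_id)] inside the window
    alerted = set()
    alerts = []
    for e in events:
        if e["event"] not in PERSONAL_DATA_EVENTS or "subject_id" not in e:
            continue  # logins and other non-data events are not counted
        hist = history[e["user"]]
        hist.append((e["ts"], e["subject_id"]))
        while e["ts"] - hist[0][0] > window:  # expire entries older than the window
            hist.pop(0)
        subjects = {s for _, s in hist}
        if len(subjects) > threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"user": e["user"], "detected_at": e["ts"],
                           "subjects_at_alert": sorted(subjects)})
    return alerts


def build_incident(alert, events):
    """Step 3: open an incident record. Scope is every subject the flagged
    principal touched anywhere in the log, and the regulator deadline is
    72 hours from detection (treated here as the moment of awareness)."""
    touched = [e for e in events
               if e["user"] == alert["user"] and e["event"] in PERSONAL_DATA_EVENTS]
    subjects = sorted({e["subject_id"] for e in touched})
    fields = sorted({f for e in touched for f in e.get("fields", [])})
    return {
        "user": alert["user"],
        "detected_at": alert["detected_at"].strftime(TS_FMT),
        "notify_regulator_by": (alert["detected_at"] + NOTIFICATION_WINDOW).strftime(TS_FMT),
        "affected_subjects": subjects,
        "data_categories": fields,
        # Individuals must be told without undue delay only when the risk to
        # them is high; that judgement is left to the responder as a task.
        "notify_subjects": "assess: high risk to individuals? (Art. 34)",
    }


def run(text, **rule_args):
    """Full pipeline: parse, detect, and open one incident per alert."""
    events = parse_log(text)
    return [build_incident(a, events) for a in detect_bulk_access(events, **rule_args)]


if __name__ == "__main__":
    for incident in run(SAMPLE_LOG):
        print(json.dumps(incident, indent=2))
```

On the constructed log, agent07 crosses the threshold at the fourth distinct subject (21:03:02Z), so the regulator deadline lands at 21:03:02Z three days later; the later export of c-1005 is folded into the incident's scope rather than raising a second alert. The same structure works with a real audit source once the parser and the event names are swapped for the system's own.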

Communications at the Center

Breach detection and response require businesses to clearly understand the
data they need, collect, and process, so they can manage the security of
that data whether it is in transit or at rest (stored).

This brings communications technology right to the center of the data
protection world, as it is one of the primary channels for collecting this
information and for using the data to provide services. Most people
immediately think of the call center and CRM systems (see "GDPR: What U.S.
Contact Centers Need to Know"). These are in scope, but so are other
systems such as voice, IVR, chatbots, team collaboration systems, messaging
apps, social media, and the networks these systems operate on -- any place
personal data is collected, stored, or transmitted. Modern communications
tools are evolving into team collaboration tools that tend to automate the
collection and storage of data. People may switch communications tools over
the course of a conversation, and while the channel may change, the
compliance requirements do not. Although most people are focusing on
customer data and
communications, this also significantly impacts employee data and

Of particular interest to the communications industry, artificial
intelligence (AI) and machine learning (ML) are becoming established in
communications processes and are making decisions automatically. The GDPR
gives individuals the right not to be subject to a decision based solely on
automated processing where it has legal or similarly significant effects on
them, and, where such processing takes place, the right to be told about it
and given meaningful information about the logic involved, with the other
rights above maintained.

Many businesses have shifted communications technology to hosted or
cloud-based systems. Many believe this also transfers the responsibility
for security and data protection. Although the cloud or hosted provider
does have its own obligations as the "Processor" of the data, the business
remains responsible for the collection and management of the data as the
"Controller." The controller is accountable for choosing processors that
provide sufficient guarantees, for binding them in a written contract that
covers security, sub-processing, and breach reporting, and for coordinating
with them so that the data is processed, stored, and monitored in a way
that maintains its protection.

These data protection legislation changes will affect businesses with
clients in the EU, but also the business's supplier ecosystem and internal
company operations. Eventually most companies will need to abide by the new
data protection standards, so don't put off learning what your organization
needs to do to be compliant.