[BreachExchange] Top 6 Quickest Ways to Draw a GDPR Fine

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 16 14:15:52 EDT 2018


https://securityboulevard.com/2018/03/top-6-quickest-ways-
to-draw-a-gdpr-fine/

Recent surveys reveal businesses around the world don’t know if they’re
compliant with the EU’s General Data Protection Regulation (GDPR),
regardless of the fact that the deadline is less than two months away. If
this continues, there will be no shortage of GDPR compliance violations and
fines.

GDPR or Bust

If your organization would like to avoid being on the GDPR naughty list,
you must avoid these six pitfalls.

Ignore that whole data privacy thing

Yes, it would be easier if you just had to protect your EU customers’
personally identifiable information (PII). Traditionally, data security has
been the priority; who had access it or where it’s stored were secondary.
But GDPR isn’t a data security regulation, it’s a data privacy regulation.
By requiring corporations to surrender EU customer data it to its rightful
owner or delete it altogether, the corporation must know where this data
sits on the network, who has access to it and what’s being done with it.
Ultimately, businesses won’t get partial credit for demonstrating EU
citizens’ PII is secure. It must also be private.

I can’t really forget you

Even if you haven’t used your mother’s china in years, you wouldn’t throw
it out, would you? Similarly, businesses are hesitant to permanently delete
any data, most notably customer records. Nevertheless, under GDPR, an EU
citizen can request to have their records deleted (remember, GDPR is about
data privacy) and the business holding those records must comply.
Sometimes, however, this Right of Erasure or Right to be Forgotten
contradicts existing laws. For example, EU banks must keep customer data
for seven years. There are also certain situations (i.e., not laws) that
could require a business to keep customer data despite the customer’s
request to delete it. These include scientific or historical research that
benefit public health or the common good. But these are exceptions to the
rule. If a business can’t be bothered with locating and deleting a
customer’s records and tries to use one of these loopholes as an excuse,
its lawyers better be able to convince a judge of this need. Otherwise,
it’s fine time.

Actually, I forgot you, but then found you again

So, you think you have the process around forgetting someone figured out.
But what happens if that person comes into your system via another channel?
Consider a business that has an EU citizen’s PII in a CRM system. What if
that person registered for a company newsletter? Or posted a picture of
themselves on the company’s Facebook page? Email addresses and photos
qualify as PII, and while they should be deleted to accommodate a Right of
Erasure request, they are likely to get overlooked. Ultimately, a business
will have to look in lots of different systems for PII that needs to be
deleted; limiting the search to the usual systems like a CRM or ERP
database won’t suffice.

Being selective (or cavalier) in the customer data you choose to segregate
or delete

Data that qualifies as PII under GDPR may surprise you. Of course, a
customer’s name, email address, credit card number, Social Security number
or passport number all count. But so does genetic or biometric data that
can uniquely identify a person, including photos, fingerprints, voice
recordings or even signatures. Even a social media post or description of
an EU citizen qualifies as PII. If businesses don’t know what data to
classify as PII (and a recent survey revealed most don’t), they certainly
won’t be able to locate, isolate, or delete it.

Failure to accommodate an EU citizen’s Right to Portability

Similar to the Right to Erasure, EU citizens can request and receive all of
their personal data from a business. The data must be delivered “without
hindrance,” free of charge, and in a format that is easy for the them to
access and use. Typically, the reason for this request is because the
customer is terminating their relationship with one business, e.g., a
doctor or bank, and needs to transfer their files to a new business. Before
GDPR, a business might not make this request a high priority and in some
industries, it’s common for the business to charge the customer for this
service. With GDPR, however, the business must comply or risk a compliance
violation.

Don’t report a breach within 72 hours

Public outcry over data breaches is typically split between the fact that a
breach occurred at all, and that the business waited weeks—even months—to
report it. Identifying, patching and disclosing a breach involves input
from lots of parties: cybersecurity and forensic consultants, lawyers, the
board of directors and crisis communications professionals. Unless a plan
is already in place, this process can easily take several weeks. This
reasoning however won’t find a sympathetic audience among the Supervisory
Authorities, who are tasked with enforcing GDPR. Once again, GDPR is about
data privacy, so if an EU citizen’s privacy has been compromised, they have
a right to be notified as soon as possible. For a business to disclose a
breach within 72 hours, it must have a high degree of confidence customer
data has or has not been impacted.

The key to avoiding these GDPR pitfalls is knowing where your customers’
data resides in your network. The easier it is to locate your customers’
PII, the faster you can respond to a request to hand over the data or
permanently delete it. And, in the event of a data breach, knowing where
your customer data is stored will provide you with valuable insight into
which records may have been exposed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180316/a82bb950/attachment.html>


More information about the BreachExchange mailing list