[BreachExchange] GDPR 101: Keeping Data Safe Throughout the 'Supply Chain'

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 22 18:59:29 EDT 2018


While there has been a lot of chatter about the magnitude of penalties
organizations may find themselves hit with under the impending General
Data Protection Regulation (GDPR) (fines of up to €20 million, or 4% of
worldwide annual turnover, whichever is higher), there isn't nearly enough
talk about how to avoid penalties in the first place.

Sure, there are conversations about pre-ticked opt-in boxes and breach
notification protocols ("You have 72 hours to report personal data breaches
to the appropriate authorities," for one). But businesses are failing to
address the root of the problem — the data itself.

To comply with GDPR, personal data may be kept only for as long as
necessary for the purpose it was collected for, a period that is open to
debate because it varies by organization and industry. Then there is the
"right to be forgotten" (the right to erasure), under which data subjects
can ask at any time that their data be deleted, and the controller must
comply unless one of the regulation's limited exceptions (such as a legal
obligation to retain the data) applies.

But to understand how to identify, recall, and protect that data,
organizations must first understand the nature of the data itself. For
example, if I, Marc French, log in to your website, you need to keep track
of where I go — and in a timely manner. If I ask for you to remove my data
so the Googles and Facebooks of the world can't access bits and pieces of
my "identity," you're now obligated by law to destroy any trace of it. And,
if you don't know where that data is, you can't get rid of it.

Whether it's in the finance department's hands, the marketing department's
in-boxes, or even with your shipping company for deliveries, there are a
lot of different parties that are constantly using, holding, and updating
personal data. That's why it's important to look at the data custody
process in terms of tiers and outside forces — a supply chain, essentially.

Here are three examples of supply chain data you might not be considering
but that could have GDPR impacts:

1. Escalation personnel phone numbers of your European IT staff for the
cloud service to which you subscribe. Phone numbers are personal data, and
you need to ensure that they do not leave the cloud service for its
downstream partners without your authorization: under GDPR a processor may
engage a sub-processor only with the controller's prior written
authorization, and the contract should say so.

2. The event registration data you collected for that big marketing
conference that includes dietary restrictions for attendees. Not only is
the attendee registration data itself personal data, but dietary
restrictions can reveal health conditions (allergies, coeliac disease) or
religious beliefs, both of which are special categories of personal data
that carry extra restrictions on processing. Because of this, you need to
track what the caterer is doing with the information that is provided.

3. Your building's security desk that signs in visitors to your office,
prints a badge, and gives it to the visitor, who later returns it upon
leaving. Not only is data on the badge likely personal, but how you dispose
of it, or how the security vendor handles it in its system, has GDPR

As you can see with data collection, retention, and processing, there are a
lot of moving pieces involved, and each of these parties comes into contact
with personal data at some point along the line. Because of this, there's
now a responsibility for both data processors (such as service providers)
and data controllers (such as your organization) to work together in the
case of a breach under GDPR.

Under the regulation, both parties can be liable for a violation, and the
notification duties are split between them: a processor must notify the
controller without undue delay after becoming aware of a breach, and the
controller must notify the supervisory authority within 72 hours and, where
the breach is likely to result in a high risk to individuals, the affected
data subjects as well. Both controller and processor can be fined, and
where both are responsible for the damage, each can be held liable for the
full amount of compensation owed to data subjects. If anyone in your supply
chain loses control of the data, you too may be responsible, and face both
financial and reputational costs.

Before you develop a plan for working with the different tiers, the first
step is to decide how you classify the data. It's important that you
qualify the data you collect and determine its value/risk to the business
before doing anything else. For example: Is the data critical to your
revenue stream (credit card data), or would the loss of the data be
catastrophic to your intellectual property strategy (the formula for your
specialty cola)? If so, rate its risk/value high. Keep in mind that GDPR
applies to personal data only; trade secrets such as the cola formula
belong in the same classification scheme for business-risk purposes, but
it is the personal-data (and special-category) tag that drives your GDPR
obligations.

Next, you'll need to rank your vendors. Ask the employees who are
provisioning new vendors what data they are sharing with each one, and then
rank the vendors based on the data valuation you developed during step one.
Vendors typically fall into two tiers, which many organizations break down
as:

Tier 1: Vendors that operate on the most sensitive data you have. You will
want to do a deep dive with these folks: conduct a thorough vendor
review, ensure contractual protections, and regularly review them for
compliance and security.

Tier 2: Vendors that operate on less sensitive data. Track these folks in a
central system and revisit the list on a regular schedule, sampling your
internal customers to see whether they are using additional services that
might elevate a vendor to tier 1. You may be surprised to find that the
tier 2 vendor you set up two years ago has become tier 1 as the
partnership has evolved.

With the GDPR deadline upon us, it is important to start working closely
with tier 1 and tier 2 vendors to guide your organization's data protection
strategy moving forward.