In May 2018, a European privacy law is due to take effect that will require big changes, and potentially significant investments, by organizations worldwide. The General Data Protection Regulation (GDPR) is an initiative by which the European Union intends to let citizens regain control over their personal data and privacy.
The purpose is also to harmonize the current data protection laws across the EU member states. It is a “regulation” rather than a “directive” meaning it will be law directly applicable to all EU member states, essentially taking precedence over existing national regulations.
Under GDPR, organizations that store, archive or otherwise handle personal data will be held accountable to the same confidentiality, privacy and security standards across the EU. This applies to all organizations and entities, public or private, regardless of jurisdiction, that handle data pertaining to EU citizens and residents.
Compliance under GDPR is strict, and the sanctions that could result from non-compliance or data breaches are severe. However, according to a DMA (Direct Marketing Association) survey, 68% of companies currently think that they won’t be compliant in time.
With the ever-expanding use of mobile applications and governments changing data privacy rules and regulations, security will no longer be an optional checkbox for mobile applications but a necessity.
GDPR articles 25, 32, 33, 34 and 35 focus on practicable elements for application security as they emphasize testing, preventing and handling data breaches.
The new regulation stipulates that one of the first compliance steps is an audit. Its purpose is to determine how a company currently protects and handles private data, and whether it is compliant with GDPR. If the audit reveals that it is not, a remediation plan is required.
Recommendation #1: Executing security diagnostics at the application level will reveal vulnerabilities and hidden behaviors, and validate or invalidate compliance.
This is one of the most important aspects of GDPR. On the one hand, companies are expected to include data privacy protection as part of their development process. On the other hand, they must apply the appropriate technical means and methods, and organizational processes, to ensure that only relevant data is collected, processed and stored.
Recommendation #2: In an application development context, this means building security and confidentiality into the initial development steps as a core concern. To do so, developers can use a security testing API integrated into their work platforms to audit application security levels throughout the development process.
GDPR asks companies to guarantee users a level of security commensurate with the risk. Organizations must put in place procedures to regularly test, analyze and evaluate their security practices, to fully ensure the processes that protect data confidentiality and integrity.
Recommendation #3: This security level can include personal data encryption, pseudonymization, or a self-protection SDK integrated into the application’s source code. It must protect applications against threats on the device, where other applications co-reside or may be installed, and against threats on established or pending network connections.
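As an added example (not Pradeo’s code or part of the original article), the following Python shows what the “pseudonymization” named above looks like in practice: a direct identifier (here an e-mail address) is replaced by a keyed HMAC-SHA256 pseudonym, so records can still be joined on the pseudonym while the identifier itself is no longer stored alongside the rest of the data. The sample record, the field names and the `key` handling are assumptions constructed for the example; in a real deployment the key and the optional re-identification table live in a separate, access-controlled store.

```python
import hashlib
import hmac
import secrets

# Constructed sample record for the example (not real personal data).
SAMPLE_RECORD = {
    "email": "alice@example.com",
    "country": "FR",
    "last_login": "2018-05-10",
}


def pseudonymize_id(identifier: str, key: bytes) -> str:
    """Return a deterministic keyed pseudonym for one identifier.

    HMAC-SHA256 with a secret key is used rather than a bare hash: the same
    key and identifier always give the same pseudonym (so datasets can still
    be linked), but without the key a pseudonym cannot be tied back to the
    person, even by someone who can guess plausible identifiers.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes,
                        direct_identifiers=("email",)) -> dict:
    """Replace each direct identifier in a record by its pseudonym.

    The original value is removed from the returned record; only the
    '<field>_pseudonym' column remains next to the other attributes.
    """
    out = dict(record)
    for field in direct_identifiers:
        if field in out:
            out[field + "_pseudonym"] = pseudonymize_id(out.pop(field), key)
    return out


class ReidentificationTable:
    """Optional pseudonym -> identifier mapping kept apart from the dataset.

    Under GDPR pseudonymized data is still personal data as long as this
    table (or the key) exists, so it must be stored and access-controlled
    separately from the pseudonymized records (assumption for the example:
    an in-memory dict stands in for that separate store).
    """

    def __init__(self) -> None:
        self._map: dict = {}

    def register(self, identifier: str, key: bytes) -> str:
        pseudonym = pseudonymize_id(identifier, key)
        self._map[pseudonym] = identifier
        return pseudonym

    def resolve(self, pseudonym: str):
        return self._map.get(pseudonym)


def new_pseudonymization_key() -> bytes:
    """Generate a fresh 256-bit key; keep it in a secrets manager, not in code."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_pseudonymization_key()
    table = ReidentificationTable()
    pseudonym = table.register(SAMPLE_RECORD["email"], key)
    safe = pseudonymize_record(SAMPLE_RECORD, key)
    print(safe)                      # no 'email' field, only 'email_pseudonym'
    print(table.resolve(pseudonym))  # alice@example.com, via the separate table
```

Design note: the pseudonym is deterministic on purpose, so two exports built with the same key can be joined without ever exchanging the identifier; rotating the key produces unlinkable pseudonyms, which is the lever to use when a dataset must be made unlinkable from older exports.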
When a breach is detected, the company must notify the competent regulator within 72 hours. If the breach carries a high risk for some users, the company must also warn them.
Companies are also asked to retain internal reports of all data breach incidents that could compromise data privacy, along with the remediation steps taken and their outcomes.
Data breaches can lead to a fine of up to 20 million euros, or 4% of the company’s global annual revenue (whichever amount is higher). For example, Tesco Bank would have been liable for a fine of 2.2 billion euros following a breach at the end of 2016, if the new regulation had already been in force.
Recommendation #4: Companies have to use monitoring tools to track their web and mobile activities, which are the main sources of attacks. Setting up and maintaining SOC (Security Operations Center) or SIEM (Security Information and Event Management) platforms will provide analysis and investigation material in case of a data leak. It is also advisable to prepare data breach notification procedures in advance, so as to react faster if the time comes.
Every company whose practices are not GDPR compliant as of May 2018 risks a fine of up to 10 million euros or 2% of the company’s global annual revenue (whichever amount is higher).
On top of the penalty, non-compliant companies will have to face the reactions of customers and prospective customers to data breaches or theft, and assume the reputational risk to their brand.
Recommendation #5: GDPR asks for transparency; aligning now will improve current security measures and ensure full compliance readiness on time.
To conclude, GDPR requirements are essentially security guidelines to protect European citizens and their information assets. They are not entirely new or problematic for Pradeo, as data protection has been our core activity since day one. Our technology and our tools are compliant with the new regulation and are available today to help your company transition smoothly to GDPR compliance.