Joint Liability and EU GDPR: are you willing to take the flak for a breach?
By Rui Melo Biscaia, Director of Product Development at Watchful Software
The 25th May 2018 should be a date engraved upon the mind of every IT Security team and C-Level executive in organisations across Europe. On this date the long-awaited European General Data Protection Regulation (EU GDPR) comes into effect and organisations will become more liable than ever before should they suffer a data breach.
The EU GDPR is one of the most significant pieces of data protection legislation in the past 20 years and will supersede local data privacy laws. With the threat of a significant fine of 4 per cent of global revenue or €20 million, whichever is greater, and the need to notify the regulators and individuals affected within 72 hours of a breach occurring, the onus is firmly placed upon organisations to get their security controls and policies in order.
As organisations try to understand their responsibilities under the new regulations, and with none wanting to go down in history as the first to be hit with a fine, boardrooms are starting to ask whether the right tools and resources have been allocated to address the requirements.
Who is liable?
Among the many challenges posed by the upcoming regulations is that of joint liability. Under the GDPR, data controllers are defined as organisations who acquire EU citizens’ data, with data processors identified as those that manage, modify, store or analyse the data collected on behalf of the controllers. Under the new regulations, both the controllers and processors will be held jointly liable for a data breach.
Essentially this means that if a company has data stored or processed by a third party, such as cloud service providers, partners or suppliers, they will face full repercussions in the event of that third party being breached. This is a significant change compared to the current legislative requirements and it will have notable consequences for those organisations that rely on cloud services.
Why encryption is not enough
Unfortunately, whilst organisations are aware of the looming deadline, many are wholly unprepared. All too often, people think encryption will be the answer to their security problems; this is fundamentally wrong. Whilst encryption is a valuable security tool, it cannot be used in isolation. Instead, it should be used in tandem with data classification tools so that file-level encryption, whereby only the people that need to access, view, modify or share sensitive data are authorised to do so, can be enforced on all data that is created. This approach will play a vital role in protecting companies from being hit by breaches suffered by third parties that have access to their data.
So, what does this mean?
The combination of encryption and data classification means that it is possible to enforce the organisations’ data security policies and controls on all data. By deploying an automated data classification tool, all file types can be classified in line with corporate policies and labelled appropriately e.g. Confidential, Internal Only, Top Secret, without intervention by the user. This level of automation dramatically reduces the risk of human error when it comes to viewing and sharing data and ensures consistency across the organisation.
With these metadata labels in place, specific access and usage rights on the files can be imposed so that only users that need access to the information for their job function have the required authorisation. As the classification is linked with corporate policies, alerts can then be raised when sensitive data is at risk of leaving the organisation and, if required, the sharing of it can be stopped and the access rights of a specific user withdrawn in real time so they no longer pose a threat to the organisation.
Part of the regulation also notes that failure to have documented policies and controls in place becomes a second breach, so it is vital that organisations not only have documented processes, but can provide a full audit trail of who has had access to the data, where, when and how they did so, should a full forensic analysis be required.
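The following Python sketch is an added example, not code from the article or from Watchful Software, that models the workflow the three paragraphs above describe: a document is labelled automatically at creation, access is granted only to users whose job-function clearance covers the label, an attempt to share labelled data with an external recipient is blocked and raises an alert, a user's rights can be withdrawn immediately, and every decision is written to an audit trail that records who did what, to which file, when, and with what outcome. The label names, the classification patterns, the user records and the internal domain list are all constructed for the illustration.

```python
"""Label-driven access control with alerting and an audit trail (illustrative model)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Labels ordered from least to most sensitive; the index doubles as the clearance rank.
LABELS = ("Internal Only", "Confidential", "Top Secret")
RANK = {label: i for i, label in enumerate(LABELS)}

# Constructed classification rules (hypothetical): a match assigns at least that label.
CLASSIFICATION_RULES = (
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Confidential"),           # national-ID-style number
    (re.compile(r"\b(?:merger|acquisition)\b", re.I), "Top Secret"),  # board-level keywords
)


def classify(content: str) -> str:
    """Automatic classification: the most sensitive matching rule wins, default lowest label."""
    label = LABELS[0]
    for pattern, rule_label in CLASSIFICATION_RULES:
        if pattern.search(content) and RANK[rule_label] > RANK[label]:
            label = rule_label
    return label


@dataclass
class Document:
    name: str
    content: str
    label: str = field(init=False)  # metadata label, attached without user intervention

    def __post_init__(self) -> None:
        self.label = classify(self.content)


@dataclass
class User:
    name: str
    clearance: str       # highest label this user's job function permits
    active: bool = True  # cleared by revoke()


@dataclass
class PolicyEngine:
    internal_domains: frozenset           # constructed: recipients outside these are "external"
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def revoke(self, user_name: str) -> None:
        """Withdraw a user's rights in real time; every later request is denied."""
        self.users[user_name].active = False
        self._record(user_name, "revoke", "-", None, "revoked")

    def request(self, user_name: str, action: str, doc: Document,
                recipient: Optional[str] = None) -> bool:
        """Decide an access request against the label, log it, and alert on risky sharing."""
        user = self.users[user_name]
        decision = "deny"
        if user.active and RANK[user.clearance] >= RANK[doc.label]:
            decision = "allow"
            if action == "share" and recipient is not None:
                domain = recipient.rsplit("@", 1)[-1].lower()
                leaving_org = domain not in self.internal_domains
                if leaving_org and RANK[doc.label] >= RANK["Confidential"]:
                    decision = "deny"  # stop the share and raise an alert
                    self.alerts.append(
                        f"{user_name} attempted to share {doc.name} ({doc.label}) with {recipient}")
        self._record(user_name, action, doc.name, recipient, decision)
        return decision == "allow"

    def _record(self, who: str, action: str, what: str,
                recipient: Optional[str], decision: str) -> None:
        """Audit trail entry: who, what, where it was going, when, and the outcome."""
        self.audit.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": who, "action": action, "what": what,
            "recipient": recipient, "decision": decision,
        })


if __name__ == "__main__":
    engine = PolicyEngine(internal_domains=frozenset({"example.com"}))
    engine.users["alice"] = User("alice", "Confidential")
    engine.users["bob"] = User("bob", "Internal Only")
    customers = Document("customers.xlsx", "Customer record, ID 123-45-6789")  # constructed content
    engine.request("alice", "read", customers)
    engine.request("bob", "read", customers)
    engine.request("alice", "share", customers, recipient="someone@outside.example")
    engine.revoke("alice")
    for entry in engine.audit:
        print(entry)
    print("alerts:", engine.alerts)
```

The model keeps the two halves the article insists on side by side: the label is decided by policy at creation rather than by the user, and the audit list is what an organisation would hand to a regulator or a forensic investigator after an incident. In a real deployment the label would travel with the file (for example as document metadata alongside the encryption wrapper) and the audit entries would be written to tamper-evident storage rather than an in-memory list.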
With the risk of a fine being imposed if a third party suffers a breach that directly impacts an organisation's sensitive data, businesses need to proactively do all they can to ensure that their critical data is protected regardless of where it is stored. If a breach does occur, organisations need to be able to demonstrate that they have gone to the effort of implementing appropriate security controls, such as data classification and encryption, if they want to be looked on more favourably by the regulators. Whilst 2018 may sound far away, the reality is that organisations need to act now if they are to meet the GDPR deadline and improve the data security controls within their business.