March 21, 2018
GDPR: Chip away at the stone
Written by
TrustedSec
You keep a wall all around ya
If you’re like many organizations, you’ve been feeling a little better lately about your security program. There is a lot of room for improvement of course, but at least you:
- Are on top of your penetration tests. You’ve implemented some cool new “Next Gen” tools, so you’ve completely detected and stopped any novice pen testers. You realize that you have to step it up next time so the company actually gets some value, maybe by those guys who contributed to Metasploit and the Pen Tester’s Framework (PTF), publish the Social-Engineer Toolkit (SET) and several GitHub repositories and tools.
- Have been getting a portion of what you need for a budget by presenting a good business case based on risks identified from TrustedSec’s Risk Assessment.
- Were PCI compliant until the latest controls came out, but fortunately you got that clarified from TrustedSec’s last webinar.
(They’re) sittin’ so cool and nonchalant, draggin’ on a cigarette
The European Union rolled this regulation out with some huge fines (4% of revenue or €20 million) and strict rules to go along with them, in order to protect and empower all EU citizens’ data privacy. The citizens (or more specifically “Data Subjects”) have rights such as the right to be forgotten, the right to access their information, the right to be notified of a breach within 72 hours, and the right of data portability.
They also have rights over how you conduct business! They have the right that you shall build “privacy by design” into your organization, and the right to force you to have a Data Privacy Officer.
It also uses a very broad interpretation of personally identifiable information that includes: “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
Push, don’t shove…
If you’re not just hoping this will go away, it’s going to take some interpersonal skills (such as leadership, communication and relationship building) to get there, as this will include many areas of your organization. You’re going to need all of your soft skill training to ensure they don’t shoot the messenger.
First off, you must appoint a Data Protection Officer (DPO) as a single point of contact (don’t everyone stand up all at once). Again, this endeavor is going to impact many business processes, so you’ll be including C-level execs, maybe even up to the CEO, in your efforts.
And this is not something a company can just insure away or hand to your lawyers to deal with. GDPR explicitly states that there will be “No more hiding behind long, complicated legalese when requesting consent to collect data. If your (customer rights) form isn’t both ‘intelligible’ and ‘easily accessible,’ you’re violating the law.” Thus, you’ll need to sit down with your legal counsel and ask them for their input.
When discussing this with other executives, they (i.e., most likely you) will need to answer some questions such as:
- What data (and data flows) are impacted?
- Who is the data about and do they reside in Europe?
- Can a breach harm the individual?
- Can we determine how the breach happened?
- Who do we notify and how?
- How will this impact our marketing messages and proposal templates?
- Who is going to be accountable, potentially to the point of losing their job?
- Do we want to start a new business line or regional expansion with these restrictions?
Chip away, chip away at the stone
Boiling it down, there are five (5) major areas of GDPR that you must address:
1. Data Flow and Inventory
A data flow illuminates the path of information through the business throughout its life cycle to determine the existence and accuracy of data classification (i.e. Where is it? How does it move from system to system?). Once this is done, you can perform an access management assessment to determine which accounts (user and privileged) have access to privacy data.
2. Data Protection Impact Assessment (DPIA)
While there is overlap with the other four areas, the DPIA has 99 articles centered around “a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued.” It should primarily assess the necessity and proportionality of the processing operations in relation to the purpose it’s used for.
It should also look at whether you’re building “Privacy by Design” into all of your systems and data management practices, along with the gap/readiness checkbox of control items and the roles and responsibilities across the full 99 articles.
3. Risk Assessment
While this is called out in the DPIA, I’ve put this as a separate task since it’s so critical to the organization and addresses so many other needs. GDPR states that you must have:
- an assessment of the risks to the rights and freedoms of data subjects; and
- the measures to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
This must start by analyzing information gathered from business leaders and the security assessment of networks, policies, and procedures to develop a plan of strategic and tactical security countermeasures.
A risk assessment also must closely tie in security controls testing, including threat analysis and adversary simulations that look for technical and human vulnerabilities (from social engineering onward), to reduce the risk that an attacker can gain access to this critical data.
The testing outlined here is more closely aligned with Red Teaming, as there is a goal to get at personally identifiable information (PII). GDPR specifically calls out adversarial (attack) simulation, and, as part of the breach prep below, it should test the organization’s detection and response capabilities.
4. Policies and Processes
It’s tedious, but certainly critical, to show that you’re not negligent by updating your existing IT and security policies and procedures to reflect GDPR expectations for Data Subject Rights. As we all know, it can’t stop there. We have to look at the processes so that we can actually operationalize that policy. That means working with business units to discover, classify, safeguard, and monitor sensitive data.
5. Breach Prep
Preparing for a breach revolves around Incident Response Planning and Testing of that plan. Therefore, it’s important to start by updating your incident response procedures, especially as they pertain to a potential breach of privacy information. This also includes reviewing and updating your logging and monitoring controls to ensure that your teams are notified immediately of inappropriate attempts to access sensitive data sets.
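As an added example (not TrustedSec’s code or tooling), here is a small Python detector that ties section 1’s data inventory and access management assessment to section 5’s monitoring: it flags every attempt, allowed or denied, against a data set classified as PII by an account the assessment did not authorize, and stamps each alert with the 72-hour notification deadline. The inventory, the authorized-account map, the log line format and the sample log lines are all constructed assumptions for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed inventory (section 1 output): data set -> privacy classification.
DATA_INVENTORY = {"crm_customers": "pii", "hr_employees": "pii", "web_metrics": "internal"}

# Constructed access assessment result: accounts authorized for each data set.
AUTHORIZED = {
    "crm_customers": {"alice", "svc_crm"},
    "hr_employees": {"hr_admin"},
    "web_metrics": {"alice", "bob", "svc_crm"},
}

# Assumed log line format; a real deployment needs a parser for its own logs.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                    r"dataset=(?P<dataset>\S+) result=(?P<result>\S+)$")
NOTIFY_WINDOW = timedelta(hours=72)  # breach notification window named in the post

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event

def flag_access(events):
    """Alert on every attempt (allowed or denied) against a PII data set by an
    account the access assessment did not authorize for it."""
    alerts = []
    for ev in events:
        if DATA_INVENTORY.get(ev["dataset"]) != "pii":
            continue  # only privacy data is in scope for this check
        if ev["user"] in AUTHORIZED.get(ev["dataset"], set()):
            continue
        # Record the attempt and the latest time a notification would be due.
        alerts.append({**ev, "notify_by": ev["ts"] + NOTIFY_WINDOW})
    return alerts

# Constructed sample log: one authorized read, two unauthorized attempts, one non-PII read.
SAMPLE_LOG = """\
2018-03-21T09:00:00 user=alice action=read dataset=crm_customers result=success
2018-03-21T09:05:00 user=bob action=read dataset=crm_customers result=denied
2018-03-21T09:06:00 user=bob action=export dataset=hr_employees result=success
2018-03-21T09:07:00 user=bob action=read dataset=web_metrics result=success
"""

def run(log_text=SAMPLE_LOG):
    return flag_access([e for e in map(parse_line, log_text.splitlines()) if e])
```

Denied attempts are reported deliberately: a refused read of a PII store is still the “inappropriate attempt” the post says your teams should hear about right away.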