
Foregenix Blog

Andrew McKenna

Information Privacy, The General Data Privacy Regulation (GDPR) & Your Business

PCI, PA-DSS and P2PE, GDPR

30/01/17 16:43

To begin, we'll take the following definitions of 'privacy' and 'information privacy' from the International Association of Privacy Professionals:

Broadly speaking, privacy is the right to be let alone, or freedom from interference or intrusion. Information privacy is the right to have some control over how your personal information is collected and used.

Here we'll discuss Information Privacy. In interacting with many online resources, we submit personal information in order to facilitate, customise or improve the user experience. A number of legal entities and instruments exist internationally which oblige the controllers of this data to process and store the data legally, fairly and securely. This includes requesting only the data required to perform the function requested, retaining the data for a period no longer than can be justified given the nature of the service, protecting the data from unauthorised access and misuse. The General Data Privacy Regulation (GDPR) which has been ratified across Europe will come into force in May 2018. This Regulation will not only be binding on entities processing or storing data in Europe but also on any entity processing or storing data on European citizens.


While most businesses have programs, at various levels of maturity, to protect sensitive business and financial information, the personal information of customers is often stored in perpetuity in clear text without strong access controls. Moreover, inventories of this data are not maintained, and the ability to extract this data discretely is often not exercised. Before providing some specific guidance points, I should mention the penalties for a data breach, as these will certainly make you sit up and take notice!

The following sanctions can be imposed:

  • A written warning in cases of first and non-intentional non-compliance
  • Regular data protection audits
  • A fine up to 10,000,000 EUR or up to 2% of the annual global turnover for the previous financial year in the case of an enterprise, whichever is greater
  • A fine up to 20,000,000 EUR or up to 4% of the annual global turnover for the previous financial year in the case of an enterprise, whichever is greater

Here are a few things you should be doing and be able to do:

  1. Perform an internal discovery exercise to identify whether you process or store customers' personal data
  2. Maintain an inventory of personal data stored
  3. Maintain an inventory of personal data storage repositories
  4. Enforce access control to personal data storage repositories
  5. Enforce retention periods on personal data storage repositories and delete data securely at the end of said period
  6. Consider encryption of personal data
  7. Verify that if a customer requests their data, you have the ability to extract that data and provide it to the customer 'in a structured, commonly used, machine-readable and interoperable format'. I imagine this means xml or json but this is not specified.
  8. If a customer requests their data be erased, you must have the means to do this - 'the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data'.
  9. Implement Privacy by Design principles in internal projects related to customer information
  10. Perform Privacy Impact Assessments when handling personal information or making changes to systems handling personal information
  11. Education - provide training to the business regarding privacy regulations and their responsibilities.
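To make points 2, 3, 5, 7 and 8 above concrete, here is an added Python example (not code from the original post or from Foregenix) of a minimal personal-data inventory: it records which repositories hold data on each subject, enforces each repository's retention period, exports one subject's data as JSON, and on erasure reports which downstream processors must be told to erase their copies. Repository names, retention periods and the sample records are constructed values.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Repository:
    name: str                                        # a database, mailbox, etc. (point 3)
    retention_days: int                              # justified retention period (point 5)
    downstream: list = field(default_factory=list)   # processors holding copies (point 8)
    records: dict = field(default_factory=dict)      # subject_id -> {field: value}


class PersonalDataInventory:
    def __init__(self):
        self.repos = {}

    def register(self, repo):
        self.repos[repo.name] = repo

    def store(self, repo_name, subject_id, data, stored_at):
        # every record carries its ISO storage date so retention can be enforced later
        self.repos[repo_name].records[subject_id] = {"stored_at": stored_at, **data}

    def export_subject(self, subject_id):
        # point 7: a structured, machine-readable export of everything held on one subject
        out = {r.name: {k: v for k, v in r.records[subject_id].items() if k != "stored_at"}
               for r in self.repos.values() if subject_id in r.records}
        return json.dumps(out, sort_keys=True)

    def erase_subject(self, subject_id):
        # point 8: drop every copy we hold and return the processors that must also erase it
        notify = set()
        for r in self.repos.values():
            if r.records.pop(subject_id, None) is not None:
                notify.update(r.downstream)
        return sorted(notify)

    def enforce_retention(self, now):
        # point 5: remove records older than their repository's retention period;
        # secure deletion on real storage (overwriting, crypto-shredding) is the
        # storage layer's job and is not modelled by this in-memory dict
        removed = []
        current = datetime.fromisoformat(now)
        for r in self.repos.values():
            expired = [s for s, rec in r.records.items()
                       if current - datetime.fromisoformat(rec["stored_at"])
                       > timedelta(days=r.retention_days)]
            for s in expired:
                del r.records[s]
                removed.append((r.name, s))
        return removed
```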

A number of the above points will be familiar to entities that have performed sensitive asset identification exercises or risk assessments, or have worked to adhere to information security frameworks. A privacy program needs to be supported by a strong information security program - these cannot exist in isolation.

The regulation in full is available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
