(This article was written by Barry Scott and first appeared on Centrify)
The theft of highly sensitive personal information on 57 million Uber drivers and customers in the Uber data breach — and its subsequent cover-up — is in many ways what the GDPR was invented for. Here is a multi-billion dollar US tech company that reportedly protected access to key data in the cloud by using just static log-ins. Not only did its data protection controls therefore fall short of the best practice “state-of-the-art” approach outlined in the GDPR, but the firm also failed to report the incident — something which would incur a fine of €10m (£8.9m) or 2% of global annual turnover from next May.
Cautionary tales like Uber are one thing, but with just six months to go, organisations need more concrete help with GDPR compliance. That’s why I’d recommend looking to already established frameworks and standards to help fill in the gaps. It’s an approach the ICO backs, and could be a useful mechanism to allay regulator concerns in the event you do end up suffering a breach.
Part of the challenge with GDPR compliance, which many IT leaders are now coming to understand, stems from the legislation’s lack of prescriptive advice on what security controls they should put in place to protect personal data. Article 32 of the law states:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
However, what do these measures include? Aside from pseudonymisation and encryption, organisations are given no firm examples of technologies to implement. Instead they are told to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,” to ensure such data can be restored “in a timely manner,” and that security systems be regularly tested.
Help At Hand
All is not lost, however, with Article 32 continuing:
“Adherence to an approved code of conduct … or an approved certification mechanism … may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.”
UK privacy watchdog the Information Commissioner’s Office (ICO) goes even further, with a whole page devoted to explaining the value of codes of conduct and certification mechanisms. It claims they can not only help organisations to comply with GDPR but also:
“improve transparency and accountability – enabling individuals to distinguish the organisations that meet the requirements of the law and they can trust with their personal data;
provide mitigation against enforcement action; and
improve standards by establishing best practice.”
The next question is which certification mechanisms to choose. Unfortunately, the ICO told me that none have been “formally approved” as yet. However, I would recommend Cyber Essentials as a great place for smaller businesses to start. It helps prove SMEs have in place processes covering five key areas: firewalls and internet gateways; access controls; secure configuration; malware protection; and patch management.
For larger firms, we’d recommend looking at ISO 27001: an internationally recognised information security management standard. In addition, BS 10012 has been written with GDPR in mind to help with personal information management, while ISO 27018 supports managing personally identifiable information (PII) on public clouds — something that could probably have helped Uber out.
The truth is that full compliance with additional standards and frameworks like these might not be realistic while you have your hands full with the GDPR. However, it’s worth taking a look because, even if you don’t implement them fully, some of these standards could provide more prescriptive info than the GDPR on what security controls you should use.
In this way, “state of the art” as described in the GDPR could be applied more easily through ISO 27001 and 27002, which recommend two-factor authentication for physical entry, network access and more. This is now regarded as an essential best-practice technology response to the security challenges of static password-based systems — remember, it is this outdated username-and-password authentication that appears to have led to the Uber breach, and many others besides. Two-factor (or multi-factor) authentication should be applied as part of access policies designed to minimise your risk exposure, by limiting the number of privileged accounts and restricting users via the principle of “least privilege.”
One final word of warning: while frameworks and standards can help in your GDPR compliance efforts, always be cautious about any provider claiming to offer a one-stop shop for compliance. Organisations need to be realistic that the GDPR is a highly complex piece of legislation with no easy workarounds.