Happy Birthday GDPR! – Defending Against Illegitimate Complaints

By John DiMaria; CSSBB, HISP, MHISP, AMBCI, CERP, Assurance Investigatory Fellow – Cloud Security Alliance

On May 25th we will celebrate the first birthday of GDPR. Yes, one year ago GDPR was sort of a four-letter word (or acronym, if you will). People were in a panic over how they were going to comply and, worse yet, many didn’t even know if they had to, and even worse yet, some just ignored it altogether.

The European Data Protection Board (EDPB) published an infographic on compliance and enforcement of the GDPR from May 2018 to January 2019. It shows that 95,180 complaints have been made to EU national data protection authorities by individuals who believe their rights under the GDPR have been violated. Two thirds of the most common complaints had to do with telemarketing and promotional emails, which practically every organization uses as its main tools for communication.

Now, we can discuss some of the biggest fines levied, like those against Google and Facebook, but that’s been done to death and, quite frankly, the largest percentage of companies globally don’t fall into the category of Google and Facebook, nor do their budgets even come close.

I would prefer to concentrate on a topic you don’t see covered in the news much: complaints, and the time, effort and cost to defend yourself even if you’re not guilty.

Think about it: anybody can log a complaint. Whether or not you are in violation is one issue; proving you are not is another. While this is a troubling issue for large enterprises, small and medium size organizations can have a particularly tough time, as time, money and resources are at a premium. As the EDPB report mentioned, 95,180 complaints have been made to EU national data protection authorities by individuals who “believe” their rights under the GDPR have been violated. As you can imagine, this can send a company scrambling to pull all the data and evidence together to not only prove compliance, but to prove the effectiveness of the system. Further, what if you are called out, are technically not guilty of the specific infraction logged, but in the course of the investigation major non-conformities are found in your process?

So what is the best way to protect yourself and ensure not only compliance, but readiness, both from a process and forensic perspective?

Ensure you have a good, solid data governance program in place that covers both the security and privacy aspects of your organization. While there are many ways to approach this, cloud service providers and users need to make sure the proper sector-specific controls are in place, not just generic ones, and that your scope is fit-for-purpose. It must cover all of people, process and technology to ensure holistic coverage.

CSA has been researching solutions to address these issues and since 2011 CSA STAR has evolved into a total GRC solution for cloud service providers and it continues to improve.

The Security, Trust, Assurance, and Risk (STAR) Program was developed by the Cloud Security Alliance in order to provide the industry with a standard by which enterprises procuring cloud services could make informed, data-driven decisions.

The STAR program encompasses four key principles: transparency, rigorous auditing, all-inclusiveness and harmonization of standards, providing a single program and a comprehensive suite that covers both security and privacy compliance.

So what level is best for you? You can read our quick reference guide, but gap assessments are always the best starting point. Measure where you are against where you want to go and act on the differences! This also allows you to give yourself credit for your strengths. Many organizations have a lot of good things going on, so don’t just assume you have a major hurdle. A combination of STAR Level 1 and the GDPR Code of Conduct self-assessment (or code of practice) is the one-two punch on the road to due diligence. If you are already certified to ISO/IEC 27001 or you get regular SOC2 assessments, then you may want to also consider STAR Level 2 certification or attestation, which increases not only your level of transparency but also assurance, because it is third-party tested and certified. The GDPR COC is still in the self-assessment stage, but a third-party certification will be available as soon as the European Data Protection Board finalizes all the annexes related to accreditation and certification (est. Q4). However, your submission is vetted thoroughly by our GDPR experts and, once approved, you can file a PLA Code of Conduct (CoC): Statement of Adherence Self-Assessment and your organization will be posted on the registry. After publication, your company will receive authorized use of a Compliance Mark, valid for 1 year. You are then expected to revise your assessment every time there is a change to the company policies or practices related to the service under assessment.

There is a small fee to cover administration, maintenance and the vetting process, but it shows due diligence, and when you consider the potential millions of Euros in fines you face (or a percentage of annual global turnover, whichever is higher) for non-compliance[1], the fee is a drop in the bucket for some peace of mind. If you already think you are compliant, then the GDPR COC self-assessment can serve as another set of eyes and also provide a public statement of transparency.

It makes sense, no matter where you fall in the supply chain, to take data privacy seriously. The CSA GDPR COC can help you establish a security-conscious culture. GDPR requires organizations to identify their security strategy and adopt adequate administrative and technical measures to protect personal data. Thanks to CSA’s research, the CSA GDPR COC provides the roadmap that will facilitate your organization’s efforts: your processes will become more consolidated, ensuring good governance and compliance and proving that all-important due diligence. Additionally, your data will be easier to use, and you will realize an underlying value and ROI.

For more information and to discuss with one of our experts, contact us at [email protected]

[1] Up to €10 million, or 2% of annual global turnover, whichever is higher; or, for more serious violations, up to €20 million, or 4% of annual global turnover, whichever is higher.

EU GDPR vs US: What Is Personal Data?


By Rich Campagna, Chief Marketing Officer, Bitglass

May 25, 2018, GDPR enforcement day, has come and gone with little fanfare (and about 6 quadrillion privacy policy updates), but that doesn’t mean we all know what to do to get into compliance. In fact, by some measures only one third of organizations were in compliance as of the deadline, and the linked article refers to UK organizations. What about US organizations that are only now catching on to the fact that they probably need to be GDPR compliant? We thought that contrasting GDPR with typical US regulations and definitions would be helpful.

It’s personal. Or, is it?

First topic, what constitutes personal data?

In the US, when we hear “personal data,” that usually equates to Personally Identifiable Information (PII). PII, according to the CIO of the US Navy, is “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual.” This has become an important enough topic that NIST has created a list of specific fields that constitute PII.

GDPR: It’s more than PII

How does this differ from how personal data is defined in GDPR?

Well, according to the GDPR, personal data means “any information relating to an identified or identifiable natural person.”

Side note: In GDPR, “natural persons” are typically referred to as, “data subjects,” which is the least personal and least natural possible way to describe natural persons that I can think of, but I digress…

GDPR clarifies that an “identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

In other words, personal information includes the US definition of PII, but goes much further. In addition to PII, personal information can include an IP address (yes, even a dynamic IP with the user behind a router doing NAT/PAT), sexual preference, medical prescriptions, occupation, eye color, shoe size and a puzzling fandom of the band Survivor.

That’s lesson #1: personal data, as defined by GDPR, goes far further than the typical US definition of PII.

More to come in future posts…



GDPR Is Coming: Will the Industry Be Ready?

By Jervis Hui, Senior Product Marketing Manager, Netskope

With the impending May 25, 2018, date for GDPR compliance coming up, Netskope worked with the Cloud Security Alliance (CSA) to survey IT and security professionals for a recently released report covering GDPR preparation and challenges. According to one of our recent Netskope Cloud Reports, only about 25 percent of all cloud services across SaaS and IaaS are GDPR-ready. And with the ubiquity of cloud and web services, organizations face steep challenges with just SaaS, IaaS, and web alone, not to mention the myriad other issues they need to address for the GDPR.

To help better understand the challenges, CSA and Netskope asked over 1,000 respondents questions that covered topics like their ability and confidence to achieve compliance, specific plans and tools being used to meet GDPR requirements, what they consider to be the most challenging elements of GDPR in terms of compliance, and its impact on company plans for the adoption of new technologies, provider relationships, and budgets. Key findings of the report include:

  • Eighty-three percent of companies do not feel very prepared for GDPR, with companies in the APAC region feeling less prepared than other regions.
  • Fifty-nine percent of companies are making it a high priority. Even so, more than 10 percent of companies still have no defined plan to prepare for GDPR.
  • Seventy-one percent of the respondents feel confident that their organizations will meet GDPR compliance in time.
  • Thirty-one percent of companies have well-defined plans for meeting compliance, 85 percent have something in place, and 73 percent have begun executing that plan.
  • The GDPR’s “right to erasure,” (53%) “data protection by design and by default,” (42%) and “records of processing activities” (39%) were cited as being among the biggest challenges organizations face in achieving compliance.
  • Documentation of data-collection policies (68%), codes of conduct (56%), and third-party audits and assessments (55%) are among the most common tools being used to demonstrate GDPR compliance.

The results seem to indicate that while organizations are in the midst of implementing programs, solutions, and processes to comply with the GDPR, many were still feeling under-prepared as of the survey dates of January 25-February 21, 2018. The interpretation of the articles and how DPAs will enforce the GDPR probably only exacerbated organizations’ feelings of under-preparedness. The good thing is that 70 percent of respondents indicated that they either felt ‘somewhat confident’ or ‘very confident’ that their respective organizations would be ready to meet GDPR compliance by the May deadline.

Across Netskope customers and prospects, we’ve seen many security teams work across their organizations, collaborating with legal, compliance, and technology teams to implement policies and solutions to meet GDPR guidelines. While cloud and web services present more risk vectors for data loss and threats, securing the use of these services allows for continued productivity gains and flexibility by employees. The full GDPR Preparation and Challenges Survey Report contains more information on how organizations are preparing for the GDPR.

Download the full report to get more specifics and see how others compare to your current GDPR compliance plans.

Cloud Security and Compliance Is a Shared Responsibility

By Gail Coury, Chief Information Security Officer, Oracle Cloud

Organizations around the world are ramping up to comply with the European Union’s General Data Protection Regulation (GDPR), which will be enforced beginning on May 25, 2018, and each must have the right people, processes and technology in place to comply or else potentially face litigation and heavy fines. The drive for more regulations is in large part the direct consequence of the rise in data breaches and cyber security incidents. In an effort to protect data privacy, governments are stepping in and demanding greater transparency in how organizations handle sensitive personal data. GDPR is just one such privacy mandate that will affect organizations globally and impact the lifeblood of their operations. Many have already spent countless hours preparing for the deadline, while others are just getting started.

Organizations are rapidly embracing cloud services to gain agility and thrive in today’s digital economy. This has created a strategic imperative to better manage cybersecurity risk and ensure compliance while keeping pace at scale as firms move critical apps to the cloud. According to the Oracle and KPMG Cloud Threat Report, 2018, 87 percent of organizations have a cloud-first orientation.

The conventional mindset—that security is an obstacle to cloud adoption—is rapidly losing relevance. Enterprises in highly regulated industries are becoming more confident putting sensitive data in the cloud. Ninety percent of organizations say that more than half of their cloud data is sensitive information, according to the same report. Although customers are confident in their cloud service provider’s (CSP) security, they should vet their cybersecurity programs vigorously, and conduct a comprehensive review assessment of their security and compliance posture. Trust has always been important in business and paramount when choosing a cloud partner.

GDPR is top of mind for a lot of organizations because it’s a people, process and technology challenge and requires a coordinated strategy that incorporates different organizational entities versus a single technology solution. It is a complicated law and introduces intricate new regulations and requirements for handling personal data. In fact, 95 percent of firms affected by GDPR say that the regulation will impact their cloud strategies and CSP choices, based on findings published by Oracle and KPMG. One of the central considerations would be movement of sensitive data between CSP data centers. Organizations need to understand and clarify how their CSPs employ essential data protection controls and standards to meet GDPR requirements because every cloud platform and vendor has unique cybersecurity standards.

As you may know by now, cloud security and compliance is a shared responsibility, where the cloud provider and the tenant each have a role to play. Although it sounds relatively simple, customers are often not clear where their provider’s role ends and their own obligations start, creating gaps. Knowing what security controls the vendor provides allows the business to take steps to secure its own cloud environment and ensure compliance. Almost every organization today has more than one regulation with which it needs to comply, and the complexity increases with each cloud service it adds. As organizations continue to lift and shift their apps to the cloud, they need to keep pace with scale and ensure security and compliance are maintained.

I am excited to explore these topics with other industry experts at the Cloud Compliance Zeitgeist panel on April 16 (12:50 p.m. – 1:35 p.m.), at the Cloud Security Alliance Summit at the RSA Conference 2018. Also, my colleague, Mary Ann Davidson, Oracle’s Chief Security Officer, will lead the panel Getting to Mission Critical with Cloud. You will hear directly from some large complex global enterprises about their journey to the cloud, cybersecurity challenges and their complex compliance mandates.

We look forward to seeing you there!