7MS #294: GDPR Me ASAP
Below are show notes for an episode of the 7 Minute Security podcast, a weekly podcast I publish that focuses on topics such as penetration testing, network configuration, blue-teaming and career advice. I welcome you to subscribe in your favorite podcast app so you don't miss an episode!
We're talkin' about GDPR today!
GDPR in a nutshell
GDPR, in a nutshell, is a set of legal regulations focused on the privacy of personal information for EU citizens - no matter where they are. Entities that store and/or process personal information about EU citizens must clearly explain to the citizens what data is being stored and processed, and any parties the data is being shared with. The citizens must opt-in and agree to each instance or reason that their data is being stored and processed. The citizens also must be able to, at any time, request a copy of the data or request that it be deleted.
How does GDPR define "personal data"?
As "any information relating to an identified or identifiable natural person."
When do GDPR regulations start being enforced?
May 25, 2018.
What are the key roles organizations need to be aware of as it relates to handling data under GDPR regulations?
Two primary roles:
Controller: an entity that determines the purposes, conditions and means of the processing of personal data
Processor: an entity that processes personal data on behalf of the controller
What are the GDPR lawful bases for processing data?
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Are there any good step-by-step guides to GDPR compliance?
This site lays things out at a high level with a 12-step program, if you will:
Review and enhance your organization's risk management process to identify problem areas.
Make an inventory of all personal data you hold and ask yourself: why do you still hold it? Do you still need it?
Review data privacy notices and make sure you keep service users fully informed about how you use their data.
Ensure your procedures cover all the rights individuals are entitled to, including deletion of data and data portability.
Plan how you will deal with requests from individuals to change how their data is stored or processed. You must comply with such requests within a month.
Understand what your lawful basis for processing data is.
Review how you seek/obtain/record consent, and whether you need to make any changes to be GDPR compliant.
Know that children's data must be processed differently (you need to verify individual ages and gather consent from guardians if necessary).
Perform DPIAs (Data Protection Impact Assessments), which is another term for risk assessments.
Make sure you have procedures in place to detect/report/investigate data breaches.
Know if you need to designate a DPO (Data Protection Officer), a point person with the knowledge and authority to help GDPR compliance efforts.
If you do cross-border processing, there is a one stop shop (OSS) mechanism to allow your org to deal with a single lead supervisory authority (LSA) for your processing activities. The LSA is the supervisory authority of the country in which you have your main establishment.