This episode is sponsored by NuHarbor Security.
What is GDPR?
The General Data Protection Regulation was passed in 2016 and went into affect as of May 2018. I saw many organizations scrambling to achieve compliance the months preceding and following this past May. This new regulation Brought some additional changes Beyond the 1995 EU data protection directive. This regulation flipped a lot of organizations on their head, and for some security professionals inherited GDPR compliance obligations.
GDPR specifically focuses on reinforcing individual's rights, strengthening the EU internal market, ensuring stronger enforcement rules, and streamlining international transfers of personal data and setting global data protection standards.
The changes will give people more control over their personal data making it easier to access their information. GDPR is also designed to make sure that people's personal information is protected no matter where it is sent process for stored even outside of the EU As may be the case On the Internet.
This regulation flipped a lot of organization on their head and for some security professionals they inherited GDPR compliance obligations.
I've seen more security leaders pulling the short straw for GDPR responsibilities and are struggling to wade through the legal obligations. So what exactly is the security obligation with GDPR?
How is GDPR different than the 95 EU Data Protection Directive?
First off – what's the changes? It builds on the 95 EU directive. Some background on the directive.
In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data”. The seven principles governing the OECD’s recommendations for protection of personal data were:
Notice—data subjects should be given notice when their data is being collected;
Purpose—data should only be used for the purpose stated and not for any other purposes;
Consent—data should not be disclosed without the data subject’s consent;
Security—collected data should be kept secure from any potential abuses;
Disclosure—data subjects should be informed as to who is collecting their data;
Access—data subjects should be allowed to access their data and make corrections to any inaccurate data
Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
However – there was no enforcement to the directive.
What's the Difference between Privacy and Security
Data privacy in data security Are 2 very different disciplines What data privacy Primarily focuses on the governance of the data It ensures that an organization is doing what they say there doing with that information. A core privacy Tenant Is that you will only Use the data in a way that you say you're going to use the data The intersection with security Comes when You have lost the data Or data was manipulated Through A security weakness or security breach. At that point you have Use the data in a way that You have not informed the consumer as part of your purpose obligations. In otherwords, because of a security weakness or breach you've done something with the data you didn't disclose such as sharing it with people you didn't intend to and allowed use of the data you didn't receive permission for.
GDPR brings a lot of benefits for consumers including a right to be forgotten. It allows for easier access to one's data And gives a right to data portability. It gives a right to know when one's data has been hacked. In that data protection has been implemented by design and by default.
Security Hasn't Changed
The core Security Tenant HAS NOT changed from the EU directive to GDPR. It only provides more guidance, structure,