What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is the European Union’s (EU) personal data protection law that aims to protect the privacy of EU citizens. Enacted in May 2018, it imposes a unified set of rules on all organizations that process personal data originating from the EU, regardless of location.
Because the GDPR applies to any organization that processes personal data originating in the EU – including organizations based elsewhere in the world – it is important for all organizations to assess compliance and meet the obligations set forth in the regulation.
Ramifications for non-compliance are significant, with fines reaching €20 million or four percent of the parent company’s annual worldwide revenue, whichever is greater.
What data needs to be protected under the GDPR?
Personal data is considered to be any information that can be used to identify a person. Some examples include:
- Identification numbers
- Location data
- Identifiable characteristics, whether physical, physiological, genetic, commercial, cultural or social
- Contact information such as telephone numbers and addresses
- Credit card numbers or banking details
- Personnel or customer numbers
- Account data
- Vehicle registrations and license plate numbers
In addition to protection of general personal data noted above, the GDPR also requires a higher level of protection for sensitive personal data. This type of data includes:
- Genetic, biometric and health data
- Racial and ethnic data
- Political affiliations
- Religious affiliations or ideological convictions
- Trade union memberships
While the GDPR specifically applies to personal data originating in the EU, many companies choose to apply the requirements to all customers, regardless of location, since it can be impractical, complex and costly to maintain two or more data policies and supporting infrastructure. For this reason, many consumers who live outside of the EU also benefit from the safety and security provided by the GDPR.
What does the GDPR say about cybersecurity?
The GDPR outlines six specific principles required of companies when processing personal data:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality
- Overarching accountability
While the GDPR offers specific guidance to organizations with respect to processing European Union personal data, the guidelines require companies to use their own judgment – or consult experts – to ensure they maintain compliance.
For example, Article 5(1)(f) states that organizations must maintain “appropriate security of the personal data, taking into account the state of the art, and implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
This raises several important, and hugely consequential, points of concern for organizations:
- What constitutes “appropriate security of personal data”?
- What constitutes “appropriate technical and organizational measures”?
- What constitutes “a level of security appropriate to the risk”?
- Since cyber risk is an evolving concept, how can the business ensure that the tools, policies and processes put in place provide sufficient coverage to ensure overall compliance on an ongoing basis?
The GDPR also specifies several other important points that affect an organization’s compliance. For example, any data breach that poses a risk to individuals must be reported within 72 hours of an organization becoming aware of the event. This underscores the need for organizations to have a detailed incident response plan in place, as well as systems that will allow the organization to quickly assess the event and gather the necessary information that must be reported to the relevant officials.
What Security Controls Should You Consider?
Because the GDPR is based in large part on both assessing the organization’s specific level of risk and putting in place “appropriate” measures based on that risk, there is no standard security solution outlined in the GDPR.
With that said, there are several best practices organizations should follow to understand their risk and protect their organization from both data breaches and potential legal ramifications associated with the GDPR.
Implement robust Identity and Access Management (IAM) tools and policies
One of the main principles of the GDPR is that personal data gathered by the organization should only be accessible to employees who have a specific and critical need for that data as part of their day-to-day professional responsibilities. This helps ensure that access to personally identifiable information (PII) and sensitive personal data is limited to as few people as possible.
Identity and access management (IAM) is a framework that allows the IT team to verify a user’s identity and confirm their access rights. Though IAM is broadly applicable to any system, network or asset, in the context of the GDPR, IAM focuses on data access.
Within IAM, there are several secure access strategies organizations can consider, including:
- Zero Trust: A security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized and continuously validated for security configuration and posture before being granted or keeping access to applications and data.
- Principle of Least Privilege (POLP): A computer security concept and practice that gives users limited access rights based on the tasks necessary to their job. POLP ensures only authorized users whose identity has been verified have the necessary permissions to execute jobs within certain systems, applications, data and other assets.
- Multifactor Authentication (MFA): A security feature that grants access to the user only after confirming their identity with one or more credentials in addition to their username and password. This may include a security code delivered via text or email, a security token from an authenticator app, or even a biometric identifier.
Develop and implement a cybersecurity training program, including Data Privacy Training
The GDPR focuses on protecting data from any type of risk. This can include the cybersecurity methods and tools that secure data and protect it from external breaches – as well as the steps taken and policies enforced to ensure the data is handled appropriately internally by employees.
While cybercriminals rely on a variety of methods to breach an organization, one of the most common – and often easiest – is by targeting employees through coordinated phishing attacks or other social engineering techniques. To minimize this risk, organizations need to develop a comprehensive employee cybersecurity training program that will educate people about common security risks, promote responsible online behavior and outline steps to take when they believe an attack may be in progress.
In addition, employees who have access to sensitive personal data should undergo special data privacy training to ensure they take the necessary steps to protect and secure that data.
Implement a comprehensive Data Loss Prevention (DLP) solution
Data loss prevention (DLP) is a part of a company’s overall security strategy that focuses on detecting and preventing the loss, leakage or misuse of data through breaches, exfiltration transmissions and unauthorized use.
DLP is also a way for companies to identify and classify sensitive personal information and ensure the company’s data policies comply with relevant regulations, including the GDPR. A properly designed and configured DLP solution streamlines reporting to meet these compliance and auditing requirements.
In addition to the identification and classification of sensitive personal data, some DLP solutions can track when that data is accessed, shared or downloaded and provide alerts to relevant team members.
Enabling data obfuscation techniques, including pseudonymization and anonymization with DLP
Another component of DLP has to do with protecting data through obfuscation techniques.
Data obfuscation is the process of disguising confidential or sensitive data to protect it from unauthorized access. Data obfuscation tactics can include:
- Data Masking: Data masking, or data anonymization, is a data obfuscation technique whereby sensitive data like encryption keys, personal information or authentication tokens and credentials are redacted from logged messages. Data masking changes the value of data while using the same format for the masked data.
- Pseudonymization: Data pseudonymization is a data obfuscation technique where organizations can de-identify a data record by replacing personally identifiable information fields with a fictitious entry, or pseudonym.
- Encryption: Data encryption protects data by converting plaintext to encoded information, called ciphertext, which can only be accessed through decryption with the correct encryption key.
- Tokenization: Data tokenization is the process of substituting a piece of sensitive data with another value, known as a token, that has no intrinsic meaning or value. It renders data useless to an unauthorized user.
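The following is an added example, not code from the original article or from CrowdStrike, showing three of the techniques above applied field by field to one customer record: masking keeps the value's length and shape, pseudonymization replaces identifiers with a keyed HMAC-SHA256 pseudonym (stable per key, so records still join, but not reversible without the separately held key), and tokenization swaps a value for a random token whose mapping lives only in a vault. The record, field names and in-memory vault are constructed for the demonstration; encryption is omitted because Python's standard library has no authenticated cipher.

```python
import hashlib
import hmac
import secrets

# Constructed sample customer record for the demonstration; not real data.
RECORD = {
    "name": "Alice Example",
    "email": "alice@example.com",
    "card": "4111111111111111",
    "phone": "+49 30 1234567",
    "city": "Berlin",
}


def mask(value: str, keep_last: int = 4, fill: str = "*") -> str:
    """Data masking: replace characters but keep the value's length and shape."""
    tail = value[-keep_last:] if keep_last else ""
    return fill * (len(value) - len(tail)) + tail


def pseudonymize(value: str, key: bytes) -> str:
    """Pseudonymization: keyed HMAC pseudonym. Same key + same input gives the
    same pseudonym; without the key the original cannot be recovered."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Tokenization: a random token with no intrinsic meaning replaces the value;
    only this vault (stored apart from the data set) can map it back."""

    def __init__(self) -> None:
        self._store = {}

    def tokenize(self, value: str) -> str:
        token = secrets.token_hex(8)
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def protect(record: dict, key: bytes, vault: TokenVault) -> dict:
    """Pseudonymize direct identifiers, tokenize payment data, mask contact
    details, and leave non-identifying fields untouched."""
    out = dict(record)
    for field in ("name", "email"):
        out[field] = pseudonymize(record[field], key)
    out["card"] = vault.tokenize(record["card"])
    out["phone"] = mask(record["phone"])
    return out
```

Run `protect(RECORD, secrets.token_bytes(32), TokenVault())` to see the protected record; the key and the vault are what must be kept apart from the data for the techniques to hold.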
Consider implementing an Insider Risk Management (IRM) solution for high-risk organizations or industries
An insider threat is a cybersecurity risk that comes from within the organization — usually by a current or former employee or other person who has direct access to the company network, sensitive data and intellectual property (IP), as well as knowledge of business processes, company policies or other information that would help carry out such an attack.
When it comes to GDPR compliance, Insider Risk Management (IRM) – a solution that provides visibility into high-risk user activity, helping SOC and Insider Threat teams swiftly detect, investigate, and respond to sensitive data compromised by insiders – can be an important consideration because insiders can often do more damage than external threat actors when it comes to personal data. For example, insiders typically know where the data is located, how to access it, and, in some cases, what the gaps are in detection systems. The implicit trust and access employees are granted, together with their institutional knowledge, can make risky activity hard to distinguish from authorized usage.
IRM is becoming increasingly important as remote or hybrid work models continue to grow and employees are granted access to systems and data through more applications and messaging systems than ever to enhance productivity.
At present, DLP and IRM are often two separate and distinct security solutions. However, as data protection becomes a central element of most cybersecurity programs, these two solutions are beginning to converge.
Develop an Incident Response (IR) Plan
Because the GDPR specifies that organizations must report a data breach to the Data Protection Authority within 72 hours, organizations that manage European personal data must have a clear plan in place for dealing with such events.
Incident response (IR) is the overarching term used to describe the steps companies take to prepare for, detect, contain, and recover from a data breach.
One of the most important parts of the IR plan with respect to the GDPR is incident notification. This includes all notifications, both internal and external, that must be made after an incident has been analyzed and prioritized. This aspect of the plan should also include reporting requirements specific to the GDPR or any other relevant regulations.
Endpoint protection and vulnerability management
Endpoints are the nexus for the loss of valuable data. Not only does enterprise data flow through and remain stored on devices, but they are also used to authenticate users and identities and access code repositories, cloud workloads, SaaS apps, and files. This makes endpoint protection – the cybersecurity approach to defending endpoints from malicious activity – an important element of maintaining compliance with the GDPR.
Likewise, vulnerability management – the ongoing, regular process of identifying, assessing, reporting on, managing and remediating cyber vulnerabilities across endpoints, workloads, and systems – is another critical security measure. Vulnerability management is a broad category, which can include software updates and patching to protect against the latest threats and exploits.
Leverage SIEM and SOAR to automate workflows and streamline GDPR compliance activity
The GDPR subjects organizations to a number of reporting requirements. Centralized security solutions such as SIEMs and SOARs often include built-in compliance capabilities that automatically gather data from different tools and software and aggregate that data into a single report. These reports can be customized to maintain compliance with mandated requirements for the GDPR, as well as other regulations.
SIEM and SOAR systems can also be configured to raise alerts when violations occur. This gives IT teams valuable insight into potential risks and helps teams resolve them more quickly, which not only limits the potential impact of the breach but also cuts down on instances of non-compliance.
How CrowdStrike can help with GDPR Compliance
Cybersecurity plays a key role in data protection and GDPR compliance. CrowdStrike’s next-generation product offerings, professional services and global expertise can help organizations meet their GDPR obligations.
The CrowdStrike Falcon® platform is designed with data protection in mind. CrowdStrike’s cloud-based, crowdsourced model focuses on identifying indicators of attack (IOAs) in real time to stop the unknown threats of tomorrow, rather than merely the known compromises of the past.
The Falcon platform also empowers customers to stop breaches by implementing state-of-the-art safeguards with transparency, portability, data minimization and proportionality to safeguard enterprises and further legitimate interests, such as those in GDPR Recitals 47, 48 and 49.