CONTENTS
OVERVIEW
A QUICK LOOK AT THE EU'S DATA PROTECTION DIRECTIVE
THE EVOLVING TECH LANDSCAPE: THE DPD TRIES TO ADAPT
THE NEW EU GENERAL DATA PROTECTION REGULATION
CONCLUSIONS: GDPR COMPLIANCE CONSIDERATIONS
APPENDIX
ABOUT VARONIS
EU GENERAL DATA PROTECTION REGULATION: THE NEW RULES FOR EU DATA SECURITY
OVERVIEW
In 1995 with the enactment of the Data Protection Directive (DPD),
the EU adopted an ambitious set of data security and privacy rules.
Encoded in the Directive were requirements to obtain consumer
opt-in, limit the amount of data that was collected, allow correction
and erasure of personal data on request, and force organizations
to erase data that was no longer relevant.
The EU was one of the first to take many privacy principles, more familiar to us today as Privacy by Design (PbD), and turn them into real-world data security laws and policies. The EU's DPD had an advanced definition of personally identifiable information, referred to as personal data, which is the data that is ultimately protected by the law. In the DPD, personal data could cover both standard identifiers (name, address, phone number) and Internet-era handles.
Over the years, with further interpretations by the regulators and court rulings from the EU Court of Justice (ECJ), the original DPD was extended to cover cloud providers, erasure of data on the Internet, and, at least for the US, an additional framework, the EU-US Safe Harbor, to cover the exporting of data outside the EU zone.[1]
However, the DPD soon began to show some wear. One reason was that the Directive gave EU countries the power to create their own laws based on the DPD and then to interpret them, so differences began to emerge. While the DPD provided a solid foundation, it was not equipped to handle the explosion in data collection and storage, and it did not specifically address the world of cloud processing, which fell into a regulatory gray area.
The new General Data Protection Regulation (GDPR), which will replace the
DPD, was approved in April 2016. It will provide a uniform law across the EU and
address many of the shortcomings in the DPD. Companies have up to two years
to become compliant: the GDPR will go into effect in May 2018.
The GDPR will add requirements for documenting IT procedures, performing risk assessments under certain conditions, and notifying consumers and authorities when there is a breach, as well as strengthening rules for data minimization. For companies that only collect data of EU citizens over the Internet without having a formal presence in a country, the GDPR's concept of extra-territoriality will mean the GDPR applies to them as well.
Finally, the GDPR will contain a significant financial sting for noncompliance: maximum fines are tiered, with some violations set at 2% and more serious lapses at 4% of a company's global revenue.
Overall, the message for companies that fall under the GDPR is that awareness of your data (where sensitive data is stored, who is accessing it, and who should be accessing it) will now become even more critical.
To help your company maintain compliance with the GDPR, we've included a table in the appendix mapping specific requirements to Varonis products.
A QUICK LOOK AT THE EU'S DATA PROTECTION DIRECTIVE
The origins of the EU's Data Protection Directive can be traced to the 1980s. At that time the European Commission decided to formalize ideas on privacy as a fundamental right through a single set of data security rules to replace what was then a patchwork of country-by-country rules.[2]
The result was the DPD, which was adopted in 1995. While it did not achieve its goal of unifying data rules (more on that below), it did point the way towards the EU's approach to data security. Since the new GDPR borrows heavily from the DPD, both terminology and principles, let's take a brief look at some of the more significant aspects of the Directive.
The DPD introduces three important concepts that relate to consumers and their
data, and the collection and processing of that data.
In the DPD, personal data means "information relating to an identified or identifiable natural person", known as the data subject. By an identifiable person, they mean anyone who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors.
3. Restricted
4. Accurate
6. Security
7. Automated processing
These should look somewhat familiar, as they are related to Privacy by Design (PbD), and both are based on older ideas from the Organization for Economic Cooperation and Development (OECD) privacy guidelines.[3] In any case, the GDPR still includes these principles (see article 5), but it further extends and expands on them.
These principles are the basis behind specific DPD articles. Let's look at three very significant ones.
In article 12 (the right to access), data subjects are given the right to obtain from the controller "as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data."
So under the DPD consumers really have a right to erase (and correct) data
though the rule only applies to controllers. Over the years, there were additional
court rulings that extended the erasure rules to processors and more specifically
cloud search engines. Of course, it would have been cleaner if the original DPD
had referenced both controllers and processors in article 12.
The DPD puts additional obligations on the controller by requiring in article 6 that personal data is "adequate, relevant and not excessive in relation to the purposes for which they are collected" and then erased when the data is no longer necessary.
These two articles are essentially the rules to enforce the data minimization ideas
that are reflected in the DPD principles 2 and 5.
Article 17 (security of processing) says that controllers must implement "appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction ... unauthorized disclosure or access." While securing data should be an essential part of a law that starts with the words "data protection", the DPD was still vague on this subject.
The DPD acts as a kind of template, and EU countries are supposed to transpose the rules into specific legislation. A country's local data protection authority (DPA) then enforces the law. This opened the problem of diverging interpretations and enforcement patterns, depending on where the data controller was located.
With the rise of the cloud and massive amounts of processing and storage
available on-demand, questions also came up about its legal status. Recall that
the DPD is focused on data controllers.
Is the cloud a data controller or processor?
In 2012, the EU's Article 29 Working Group, responsible for advising on DPD issues, provided guidance: companies that use the cloud are controllers, since they direct how the cloud provider should handle the data.[6] Therefore the cloud is a processor.
Now everything else falls into place. As a processor, the cloud service has to
have a contract in place with the controller according to the DPD.
The Working Group added that cloud customers should not accept boilerplate contracts from the cloud provider. Instead, contracts between the parties should have certain minimal DPD data security and right-to-access clauses; for example, a request by the controller to delete consumer data had to be honored by the cloud provider.
But again, individual DPAs were free to interpret and come up with their own contract terms.[7]
Further issues involved search engine providers, who, as cloud-based data processors, would also be required to delete data on demand (in their case, search results). Only very recently was this resolved, after a lengthy court process.[8]
According to the EU Court of Justice, there is effectively a "right to be forgotten" in the current DPD. Interestingly, this right has an extraterritorial nature: personal data of EU citizens can be deleted even when the data processor is not located in an EU country.[9]
Of course, it would have been far more straightforward if the DPD had more
explicit language on data processors and erasure rights, and the member
countries had less leeway to interpret the rules. This would all soon change.
SOMETHING NEW
Article 30 (records of processing activities) adds new requirements for controllers and processors to document their operations. Most importantly, there are now rules for categorizing the types of data collected by controllers, recording the recipients to which the data is disclosed, and specifying an indication of the time limits before the personal data is erased.
Article 35 calls for data protection impact assessments (DPIAs) before the controller initiates new services or products involving the data subject's health, economic situation, location, and personal preferences, and more specifically data related to race, sex life, and infectious diseases. The DPIAs are meant to protect the data subject's privacy by, among other restrictions, forcing the controller to describe what security measures will be put in place.
The new breach notification rule has probably received the most attention in the media. Prior to the GDPR, only telecom and ISP service providers had to report breaches within 24 hours, under the e-Privacy Directive.[11]
Modeled on this earlier Directive, the GDPR's article 33 says that controllers must tell the supervisory authority the nature of the breach, the categories of data and number of data subjects affected, and the measures taken to mitigate the breach.
Controllers are required to notify the appropriate supervisory authority of a
personal data breach within 72 hours (at the latest) on learning about the
exposure if it results in risk to the consumer. But even if the exposure is not
serious, the company still has to keep the records internally.
CONCLUSIONS: GDPR COMPLIANCE CONSIDERATIONS
Going into the final negotiations that began in 2015, the parties (the EU Council, Parliament, and Commission) still had differences on some key issues. These included the GDPR fine structure, data privacy officers (DPO), and breach notification reporting. We've already mentioned the breach rules, so let's cover the other two.
The GDPR has a tiered fine structure. Article 83 (general conditions for imposing
administrative fines) says that a company can be fined up to 2% of global
revenue for not having their records in order (article 30), not notifying the
supervising authority and data subject about a breach (articles 33, 34), or not
conducting impact assessments (article 35).
More serious infringements merit a fine of up to 4% of global revenue. This includes violation of basic principles related to data security (article 5) and conditions for consumer consent (article 7); these are essentially violations of the core Privacy by Design concepts of the law.
Since the EU GDPR rules apply to both data controllers and processors (that is, the cloud), the huge cloud providers are not off the hook when it comes to GDPR fines.
Coming into the negotiations, there were also differences over whether
companies had to appoint a data protection officer who would be responsible
for advising on and monitoring GDPR compliance, as well as representing the
company when contacting the supervising authority.
With the final GDPR, many companies will likely need a data protection officer or DPO (article 37). If the core activities of a company involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric data, health or sex life, or sexual orientation), then they're required to have a DPO.
In general, there is some room carved out for micro, small, and medium-sized
businesses in the GDPR. Most under-250 employee companies will likely not
need to have a DPO, keep records, notify a supervising authority about
a breach, or carry out a DPIA.
For EU companies and their US and other foreign subsidiaries that are currently under the existing DPD, the new GDPR will be viewed as an evolution of the existing regulations, although the breach notification, the new documentation requirements, and the steep fines will mean that they will have to up their compliance game.
For companies, particularly US, caught in the extraterritoriality net, the GDPR will
come as something of a shock. This is especially true for web-based services that
are not regulated under existing US financial or medical data security laws.
For companies with existing IT data security standards in place (SANS 20, PCI DSS, ISO 27001 or NIST 800-53), compliance with the EU's GDPR should be readily achievable.
Our overall recommendation is that any company affected by the new law should focus on the following points:
Data classification: Know where personal data is stored on your systems, especially in unstructured formats (documents, presentations, and spreadsheets). This is critical both for protecting the data and for following through on requests to correct and erase personal data.
Metadata: With the GDPR's requirements for limiting data retention, you'll need basic information on when the data was collected, why it was collected, and its purpose. Personal data residing in IT systems should be periodically reviewed to see whether it still needs to be kept.
Governance: With data security by design and by default now the law, companies should focus on data governance basics. For unstructured data, this should include understanding who is accessing personal data in the corporate file system, who should be authorized to access it, and limiting file permissions based on employees' actual roles (i.e., role-based access controls).
Monitoring: The breach notification requirement places a new burden on data controllers. Under the GDPR, the IT security mantra should always be monitoring. You'll need to spot unusual access patterns against files containing personal data, and promptly report an exposure to the local data protection authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues.
APPENDIX
Mapping of Relevant EU GDPR Articles to Varonis Products and Solutions
EU GDPR Requirement
"The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed ... applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility."
Varonis Solutions
64% of organizations say they don't know where their sensitive content is located or who can access it. Finding sensitive content is only the beginning. Once you know where your sensitive content lives, the really difficult challenges arise:
Who has access to it?
Who is using it?
Who owns it?
Has it been breached?
Can I delete or archive it?
Where am I most at risk?
Who will be impacted when I make a change?
With Varonis DatAdvantage, organizations can conduct data security reviews
(attestations) at will and generate access reports with a mouse click. This
information can focus narrowly on data of a particular type or access by
a particular group or it can focus broadly on access activity trends for the
organization (i.e. active users, inactive users, active data, stale data, data
business ownership reports etc.). It gives auditors the power to determine
whether the appropriate security policies are in place and being enforced.
EU GDPR Requirement
Section 2: Data Security. Article 33: Notification of a personal data breach to the supervisory authority
"In the case of a personal data breach the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority ..."
"... likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data ..."
REFERENCES
[1] http://www.export.gov/safeharbor/eu/eg_main_018476.asp
[2] https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/Publications/Speeches/2014/14-09-15_Article_EUI_EN.pdf
[3] http://www.oecd.org/sti/ieconomy/oecd_privacy_framework.pdf
[4] https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/IP%20addresses%20subject%20to%20Personal%20Data%20Regulation.pdf
[5] http://techcrunch.com/2013/07/25/ireland-prism/
[6] http://idpc.gov.mt/dbfile.aspx/WP196.pdf
[7] http://www.twobirds.com/en/news/articles/2014/global/cloud-computing-and-privacy-series-thedata-protection-legal-framework
[8] http://searchengineland.com/library/legal/legal-right-to-be-forgotten
[9] http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_data_protection_en.pdf
[10] http://blogs.lexisnexis.co.uk/wipit/open-season-on-service-providers-the-general-data-protectionregulation-cometh/
[11] http://www.insideprivacy.com/data-security/data-breaches/data-breach-notification-within-24-hoursin-the-electronic-communication-sector-an-example-to-foll/
EU DATA LAWS
Data Protection Directive:
http://eur-lex.europa.eu/LexUriServ/LexUriServdo?uri=CELEX:31995L004:en:HTML
General Data Protection Regulation:
http://eur-lex.europa.eu/LexUriServ/
http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
ABOUT VARONIS
Varonis is a leading provider of software solutions that protect data from insider
threats and cyberattacks. Through an innovative software platform, Varonis
allows organizations to analyze, secure, manage, and migrate their volumes
of unstructured data. Varonis specializes in file and email systems that store
valuable spreadsheets, word processing documents, presentations, audio
and video files, emails, and text. This rapidly growing data often contains an enterprise's financial information, product plans, strategic initiatives, intellectual property, and confidential employee, customer or patient records. IT and
business personnel deploy Varonis software for a variety of use cases, including
data security, governance and compliance, user behavior analytics, archiving,
search, and file synchronization and sharing.
Non-intrusive
We won't slow you or your system down. We can monitor millions of events per day without impacting performance.
www.varonis.com