How Does GDPR Affect Your Product’s Security Requirements?
The General Data Protection Regulation (GDPR) cybersecurity requirements may have been implemented to protect data of citizens from the European Economic Area (EEA) countries, but it extends to every business that processes the data of these citizens.
If your product processes personal data and is being used by anyone from that region, or is available for public download in global application stores, you must ensure full GDPR compliance or risk hefty fines. Read this article to find out what are the GDPR cybersecurity requirements and what measures to implement to ensure full compliance.
What is GDPR?
GDPR entered into force on 25 May 2018 to protect the data and privacy of citizens of the European Union. It guarantees personal data processing only when legally sought-after and in accordance with a proper, risk-based protection mechanism.
More importantly, GDPR guarantees the protection of individuals' rights, including the right to refuse personal data disclosure or processing. The regulation is directly binding and applicable to all European Economic Area (EEA) countries, and extends to all countries that provide digital products or services in the region.
What types of personal data does the GDPR protect?
GDPR guarantees the protections of all personal data, which is deemed any information related to an identified natural person, or a person that can be identified.
For instance, full name, date of birth, address, phone number, and social security number are personal data. Web application owners and operators shall keep in mind that digital data which relate to an individual, such as IP addresses and browser cookies, are also personal data.
Which companies does GDPR affect?
GDPR protects the personal data of all EEA member states’ citizens, so it concerns any entity that processes this data, regardless of location. This means that almost every owner or operator of a web application is affected by GDPR.
Only companies that do not have any relations with any of the EEA member countries may be exempt from this regulation, but as long as you offer products available for download on a global scale, you’re likely to have users from the EU.
In any case, noncompliance with GDPR would be damaging to your business’ reputation, so every digital service provider should respect this regulation.
What happens if an organization is not in compliance with the GDPR?
A company breaching the GDPR risks a fine of up to 20 million EUR, or up to 4% of its entire global turnover of the preceding fiscal year, whichever is higher.
Employees of companies breaching GDPR regulations may notify relevant authorities about the breach and may schedule a GDPR compliance audit. The scale of the fine will depend on the number of individuals affected by the breach, the number of violated stipulations, and what the cooperation with the regulatory looked like (among other criteria).
See the Enforcement Tracker for the list of recent cases and their justifications.
Which GDPR cybersecurity requirements affect your product?
Every company that processes personal data must take GDPR seriously. There are several requirements relating to cybersecurity of a product used for data processing, outlined in the regulation. To comply, products must assure:
- Sufficient protection level against external threats (coming from online environments)
- Sufficient protection level against internal threats (bad actors, accidental misuse)
- Functions that ensure respect of the individual’s rights: Right to be informed about data processing, right to access personal data, right to rectification, right to be forgotten, right to restrict processing, right to data portability, right to object to data provision
- Removal or anonymization of data when the legal basis for data processing ends or expires
In addition, application owners must:
- Maintain a data access log
- Offer the option to modify personal data records,
- Obtain consent before performing processing or automated decision-making
Owners are also obliged to constantly measure, monitor, and adjust their GDPR security measures in accordance with an up-to-date risk analysis.
Is your product GDPR compliant?
GDPR doesn’t provide a list of specific security requirements, which complicates the assessment of a product’s compliance. Instead, there are several points in the regulation that are often presented as detailed checklists, based on the best industry standards and practices.
GDPR-related court rulings often mention these standards, which were captured by the Center for Internet Security in their CIS controls. Applying the key controls to all processes and operational procedures applicable to personal data processing will help ensure GDPR compliance. Let’s take a closer look at them.
How to ensure a product’s GDPR cybersecurity compliance?
In my opinion, the most important CIS controls that apply to GDPR cybersecurity are the following:
1. Architecture, development and configuration security
Products that process personal data must be developed in a secure way and guarantee the protection of data via architecture and configuration.
The most commonly mentioned security standards are provided by the Open Web Application Security Project (OWASP) - a non-profit organization working to increase security of web and mobile applications. When choosing an external provider, conduct a security audit and make sure their product was developed in accordance with the OWASP Application Security Verification Standard.
When you’re developing a product internally, invest in extensive security competences of the development team.
2. Data encryption and anonymization
GDPR requires businesses to minimize data processing to genuine needs. It means you must protect personal data against disclosure, e.g. through encryption, and process decrypted information only when necessary.
Remember to remove personal data when it’s no longer needed, following other applicable laws (fiscal, civic, Penal Code, etc). You may remove the personal data records completely or anonymize them.
3. Identity and Access Management
Companies processing personal data must always know who is accessing them. Visitors must be permitted to perform only the actions that are determined by a business need: Role in the organization, work duties or formal data processing authorization.
This is controlled via Identity and Access Management (IAM) operational procedures that control who can access specific data and what they can do with them. Products processing data must have IAM implemented or at least be connected to a similar system (e.g. Microsoft Active Directory).
IAM should identify the individual who requested access to personal data through login+password details, hardware tokens, mobile devices, phone numbers or even fingerprints, blood vessel patterns, retina patterns or face images.
4. Availability, backup, and disaster recovery
GDPR enforces the individual’s right to access their data, so companies processing personal data must make all efforts against loss or theft of that data.
Technical failures, software errors, and human factors such as errors or malicious activities are all risks from the GDPR security perspective. The only way to fulfil those requirements is to store data securely and back up the system regularly.
Also, implement additional procedures to preserve access to personal data in case of catastrophes like war, riots, political system collapse or natural disasters. Periodically review and test those procedures as well.
5. Vulnerability management and testing
A product’s security flaws may not be discovered during the development phase. Such errors can be particularly grave for data security, especially if bad actors come across them before the owners do.
That’s why businesses must constantly monitor and search for such security errors. When you discover a vulnerability, assess the risk and implement relevant mitigating measures.
I’ve seen many companies neglect software maintenance, while vulnerability monitoring is crucial for cybersecurity and GDPR compliance. You can’t buy or develop a new product and assume that it will remain fully secure forever.
6. Monitoring and alerting
The cybercrime world is very dynamic and new cyberthreats emerge as you read this. To protect your product against them you must monitor for anomalies and alert about them should they be discovered.
This can’t be done without ongoing monitoring of the application behavior for regular usage patterns, as well as technical and business metrics. Monitoring and alerting are also crucial during the product’s maintenance period.
Security information and Event Management solutions may be helpful in obtaining useful insights in application usage and detecting anomalies, but remember to also ensure the highest security competences of your security team. Insufficient logging and monitoring remains one of the top ten security issues observed in all kinds of applications.
7. Incident response plan
Anomalies in the application may constitute security incidents. Should data confidentiality be breached or availability and integrity of data compromised, the company is obliged to investigate the incident and notify the relevant supervisory authority within 72 hours.
Establishing an incident response plan for such occasions is crucial for minimizing the damage. Ensure you keep track and document such incidents, have a notification process, and know how to escalate and mitigate. More importantly, learn from incidents and improve your product.
8. Policies and awareness
Instilling policies for secure data processing is essential for GDPR cybersecurity compliance. They should include measures that relate to the above rules and a security awareness training plan. Employees engaged in personal data processing must be thoroughly trained to use the product securely and to know what kind of threats exist and what to do should they discover them.
The impacts of the GDPR on a product's security requirements
To wrap up, if your company uses personal data you must ensure measures are implemented to secure full compliance. It is crucial to fulfilling the requirements relating to the cybersecurity of a product used for data processing. Otherwise, breaching the GDPR might result in heavy financial fines. Architecture, development and configuration security, data encryption and anonymization, identity and Access Management, among others, are important CIS controls that apply to GDPR.