The GDPR is an important part of the CISSP exam.
Individual privacy is becoming more and more important and not being compliant can come with significant fines.

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.
The GDPR’s primary aim is to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

Remember, the CISSP exam is a management-level exam; you need the right point of view to pass the exam.

You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/

Transcript:

Now that we have covered some of the laws for the US, let’s look at ones from the EU.
And the big one here is GDPR – General Data Protection Regulation.
It’s a data protection law in the EU that governs data protection and privacy for all individuals in the EU and the EEA.
It was enacted in 2018, but some years before that we knew it was on the way.
And this is another one of those places where the EU is much more proactive in its approach to IT security and privacy versus the US.
In the US, it is that patchwork of laws I talked about earlier.
If something breaks bad enough, well, then we fix it.
But there is no overarching plan.
There is no vision.
As you can probably tell by now, I think the EU laws, at least for now, are much better.
They protect the customers and the citizens of their countries much, much better.
With the GDPR, it does not matter where we are based, it matters where our customers are.
If we have customers that live in the European Union, we have to adhere to the GDPR.
And it covers all the people that live in the EU, not just the citizens, everybody who is there.
But then if you are an EU citizen and you live outside the EU, it does not cover you.
You have to be physically present in the EU.
And the GDPR is pretty aggressive as far as who it goes after and how big the fines are.
If a company violates the GDPR, we can be fined up to €20 million or 4% of our annual revenue, whichever is greater.
And that “whichever is greater” is a pretty big thing.
To many large multinational companies, 20 million is probably nothing.
They might do their risk analysis and see, “We can make 50 million by doing this, but only 20 million if we get fined.”
But the 4% is a big thing.
If we look at 2019, Google’s parent company Alphabet made $162 billion.
If they got 4%, that is $6.5 billion.
And we can probably argue the case that it wouldn’t be the parent company and it would be Google and all that stuff.
But as an example, it is a good visual reminder of how much money that actually is, so $6.5 billion.
That is something that you, as an IT security professional, can take to your board of directors or your CEO.
They understand that, 4%.
It is pretty easy math.
And now that we have a clear idea of how bad it is if we violate the GDPR, let’s look at what it actually contains.
What is it that we need to be compliant with?
So this is all data collection.
It is all privacy of the individual.
The law sounds something like this.
Unless a data subject, that would be one of the individuals in the EU, has given express consent to use the data for one or more purposes, it is not legal to process it unless there is a legal reason to do so.
And any personal data is really anything that can be identified as yours.
This goes back to the PII we talked about before.
Your name, your email address, your actual address, your IP address.
It is even more stringent than the US version.
Here, they don’t care if your name is common.
And then on top of that, the GDPR also demands that companies use sort of randomization.
So if we have, let’s say, 1,000 people that agree that we can use their data and do analytics on it, it should still be impossible to identify any one person using that data.
The only real exception or restriction to the GDPR is if, for whatever reason, the data is required by national security, military, police or the justice system.
Then and only then might your identity be unmasked.
But in any other circumstance outside of that, you have a ton of rights compared to what you had before.
You also have the right to get a free copy of all your data from anyone who holds it.
If they have data on you, you have the right to see it.
You have the right to be forgotten.
Meaning, if you request it, they have to delete all your data with a few exceptions.
You, for instance, can’t just call in and have all your credit card information erased because they are required by law to keep it.
But in the cases where there are no laws or regulations requiring them to keep your data, you can request to have it deleted.
On top of having the right to see your data, you can also request it in an electronic format.
Let’s say you’re switching from one health care provider to another.
You can then request all your records and all your data or insurance, or whatever you have when you’re moving from one provider to another.
You have the right to get everything that they have on you in an electronic format.
The GDPR also comes with a breach notification rule.
If your data is compromised, both users and data controllers must be notified within 72 hours of a breach.
That is much sooner than what the EU had in place before.
And I think it is much sooner than pretty much anywhere else in the world.
If you remember back to the US laws, yes, they have to notify, but it doesn’t always have to be right away.
And if the data was encrypted, then maybe they don’t.
I’ve talked about the Equifax breach before.
It took weeks, maybe months before they told anyone that they had been breached.
And some of the excuses they used were, “Well, we were working with law enforcement and we didn’t want to start a panic.”
But also remember, this is the time period before they told anyone about the breach, where most of the senior executives sold off their stocks because they knew they would plummet and they went out and bought domain names to direct those people who were affected by the breach, so they can get help.
But my guess is, there were probably hundreds or thousands of people who could have put a lock on their credit scores, their Social Security numbers, but because they didn’t know they were compromised, they didn’t.
So, again, here, sooner is better.
And now that I got that off my chest, again, let’s look at what we do as a company.
Obviously, we need to ensure that our customer data is secure, but we also need to make sure that we only collect what is absolutely necessary for the completion of our duties.
We are not legally allowed to collect anything else that we don’t need for those duties; whatever it is we’re doing.
And then on top of that, any company whose activities involve data processing or monitoring must approve a data protection officer.
That means we have someone who is directly responsible to make sure that we follow the GDPR.
And while senior management is still ultimately liable, that does not mean that anyone else isn’t.
This again, goes back to due care and due diligence.
And then as the last part of this lecture, let’s look at some laws in the EU and between the EU and the US that are now legacy.
Meaning, they’re no longer used.
The EU Data Protection Directive was also a very aggressive pro privacy law and it is the predecessor to GDPR.
Here, organizations also have to notify individuals how they gather the data and how it is used.
They have to allow you to opt out of sharing your data with third parties.
For the use of your most sensitive data, you have to opt in.
And then finally, it is not legal to transport the data outside of the EU unless the country you transport it to has adequate, and that means the same type or same level, privacy protection.
And the US, for instance, does not.
And then finally, we have the EU-US Privacy Shield and Safe Harbor.
And they were both frameworks on how we exchanged data over the Atlantic, between the European Union and the US.
And in most cases, what that really means is US companies can get easier access to personal data from EU entities under the EU privacy laws.
But just like the Data Protection Directive, these no longer exist.
Safe Harbor was declared invalid by the European Court of Justice in October of 2015, and the same court declared Privacy Shield invalid on July 16th, 2020.
Now, US companies have to adhere to the GDPR.
And while I think it is unlikely you will see these three on the exam, I also would feel bad if you actually did, so I have included them.
You just never know when an exam question with something that is old curriculum gets left in there.