By Paul Brennecker, Principal QSA, PCI PFI, PCIP
The countdown to European-wide data protection is on. But while some businesses will be anxious about how to ensure compliance with the new GDPR regulation by 2018, those that are already PCI-DSS compliant, or heading that way, are more than half way there and can use this existing framework to build GDPR compliance into their operating systems.
When John Lennon said, “Imagine there’s no countries…” he was unlikely to have been thinking of data protection or the borderless reach of cloud computing and the global economy. But he could have been. Because national borders and individual legal systems do not apply in this era of global data storage. So it is inevitable that borderless regulations are being enacted to counter security issues regarding personal data. PCI-DSS already recognises that national borders or laws are not relevant and the General Data Protection Regulation (GDPR), which is due to come into force in 2018, goes one step further.
Although there are still some additional bodies that have to approve it, the EU Parliamentary committee for civil liberties, justice and home affairs voted positively in December 2015 to accept and implement GDPR and because it will be a regulation it becomes law across all member states as soon as it is fully approved. There will be a single Data Protection Authority rather than the 28 existing authorities in Europe. There is no need for member states to create a local law to enact it.
The important thing to bear in mind at this stage is that the GDPR, although far-reaching and enforceable, is less prescriptive than the PCI DSS standard that already exists. GDPR provides detail about what needs protecting but little in the way of an actual action plan. PCI DSS on the other hand offers a detailed framework upon which to build. The two complement each other and GDPR compliance will be best enacted alongside the existing PCI DSS.
The first challenge is for entities to understand what personal data is processed and how to protect it. The GDPR goes into considerable detail on this. Personal data is “any data relating to an individual, whether it relates to their private, professional or public life.” This can be anything from a name, photo, email address, bank details, payment card number, mobile phone identifier (IMEI code), computer IP address and even posts on social networking sites.
Data Discovery forms an essential part of this. As part of our work as QSAs we regularly see examples of stored personal data that has dropped off the map. This may be as simple as card numbers found in the browsing history of a desktop computer or as serious as a live webserver containing historic personal information that was serving no purpose to the parent company. Using a tool to assist in the search for this data has proved an invaluable part of the PCI DSS assessment process. Appropriate security goals must therefore be based on a risk analysis and privacy impact assessments will have to be performed regularly (annually).
Also in scope is biometric data (face, finger prints, heart beat and voice recognition all being considered by UK Banks) and DNA. UK banks, according to some reports, are looking at this technology for authentication. Also included are IP address (online identifiers) and mobile device identifier (location identifiers). Even general descriptions of individuals (often in the form of additional notes on a system) are considered to be personal data.
In addition to protection of data, there will be increased rights for an individual to know and have access to personal any information you hold on them. You cannot charge for access to this. A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. In addition, the data must be provided by the controller in a structured and commonly used electronic format.
Where you have 250 or more employees or process 5000 data objects in a 12 month period you must appoint an independent Data Protection officer (DPO). Under the GDPR, the DPO will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any standard and it is likely that the GDPR will provide that such breaches must be reported to the Supervisory Authority as soon as they become aware of the data breach. This is much in the same way as PCI card payment breaches are handled.
Similarly, any third parties who process data on your behalf will be just as accountable as the data processor under the new regulation for any breaches of the regulation.
Most of us in the Information Security industry recognised PCI compliance as a giant step forward for those entities processing card payment data. Now it seems that the rest of Europe is catching up with this, which can only be a good thing for us in our personal lives. Like PCI however, GDPR does carry a burden, so a carefully thought out implementation plan is going to save time and resources in the long run.
Non-compliance of GDPR will have severe consequences. Financial penalties will be tier based and are likely to be up to €20,000,000 or 4% of turnover whichever is the greater. Written warnings can also be issued for initial and non-intentional breaches and it is unlikely that many would want to be the first to test this. Sanctions will now also include regular data protection audits.
For those that are already compliant with the PCI DSS, an annual review of the data being processed should form an integral part of the project. This ensures that any new technologies or processes are not excluded and ongoing compliance is maintained. Applying the PCI approach to the implementation of the GDPR will assist greatly as the framework is already there. This is a tremendous bonus to those that have already implemented PCI or those that are currently scoping a project. By integrating the PCI DSS framework to the GDPR principles, you already have a head start.
The presentation upon which this article is based was delivered at the PCI London event on 28th January 2016.