What is SANS Security Awareness Doing?

On May 25, 2018, a new privacy law called the General Data Protection Regulation (GDPR) takes effect in the European Union (EU). The GDPR clearly describes and expands the privacy rights of EU individuals and places new responsibility on all organizations that manage, market to, or process EU citizens’ personal data.

SANS Security Awareness is committed to information security and privacy. SANS Security Awareness embraces GDPR. We are ready.

In preparation for the May 25th deadline, a compliance road-map was created. Data protection policies and procedures have been updated and technical safeguards implemented. SANS today, is fully compliant with privacy laws, and will remain so going forward. The SANS Institute, and subsidiary, SANS Security Awareness, is ready for GDPR.

SANS's Commitment to Data Protection

SANS Security Awareness welcomes the GDPR and recognizes it as a significant step forward for data privacy and rights of individuals. It provides a great opportunity to tighten security controls and process, as well as provide transparency into what personal data SANS collects and how it is securely processed and stored. This helps empower our customers to manage the use of their data. SANS has carefully reviewed the requirements and recitals of GDPR and are carefully making enhancements to our products, systems, contracts, and services to ensure compliance and the safeguarding of our customers data.


Due to the nature of our business, SANS has always been deeply committed to our client's data protection. We have long been compliant with PCI and Privacy Shield, and currently embrace the EU GDPR as another way to continue our model of excellence in governance and compliance."

Howard Cribbs , Global CIO at SANS

What is GDPR?

As defined by the EU General Data Protection Regulation:

 The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy...

Major Provisions:

Data subject rights

Data breach notification

Safe handling and transfer of data

Data Protection Officers (DPOs)

Applicability and Penalty

Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens' data to better safeguard the processing and movement of citizens' personal data.


What Information is Covered in GDPR?

GDPR covers personal data. 

The General Data Protection Regulation further defines this as follows:

Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

"Any information" - cookies, images, names, email addresses, employee numbers, location, occupation, gender, account records, etc. This is generally considered to be literal... any information relating to a data subject.


What are Data Subject Rights?

Proper collection for purpose, processing of personal data. GDPR states that data collected must be relevant for our intended purpose and that it needs to be collected for specified, explicit, and legitimate purposes.

Conditions for consent require notification to data subjects using concise, transparent, intelligible and easily accessible language. GDPR also gives EU citizens the right to withdraw their consent at any time.

GDPR also gives data subjects more control over personal data that is processed automatically. The result is that data subjects may transfer their personal data between service providers more easily (also called the "right to portability"), and they may direct a controller to erase their personal data under certain circumstances (also called the "right to erasure").

Notification to EU citizens upon data collection or acquisition. Notification must be provided with a reasonable period after obtaining the data not exceeding one month. The notification must include:

What information is being collected.

Who is collecting it.

How is it collected.

Why is it being collected.

How will it be used.

With whom will it be shared.

What will be the effect of this on the individuals concerned.

Whether the intended use likely to cause individuals to object or complain.

How to withdraw consent, correct data, or request restriction of use.

The identity and contact details of SANS Data Protector Officer (SANS DPO).

What About Data Breach Notification?

GDPR describes the requirements for the communication of a data breach involving EU citizen personal data.

Controllers shall notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours, unless the breach is likely to result in a risk to the rights and freedoms of individuals.

When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller shall communicate the breach to the subject without undue delay.


What is Safe Handling and Transfer of Data?

GDPR addresses the need for the controller to , while taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

It also addresses secure storage of data, ongoing security, integrity and availability of data and the ability to restore availability within a timely manner. It also calls for regular testing and evaluation of effectiveness of technical and organizational measures ensuring the security of the data.

And, it requires that companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.

What is a Data Protection Officer?

The GDPR requires that certain companies appoint data protection officers; these officers serve to advise companies about compliance with the regulation and act as a point of contact with Supervising Authorities (SAs).

It outlines the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.

The DPO shall:

-Carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.

-Have an expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39.

-Inform and advise the processor and the employees who carry out processing of their obligations, monitor compliance with EU GDPR, provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;

-Act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

What is International Applicability and Penalty?

GDPR extends requirements to international companies that collect or process EU citizens' personal data, subjecting them to the same requirements and penalties as EU-based companies.

It also outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company's global annual revenue depending on the nature of the violation.


When Does It Matter?

GDPR comes into full effect May 25, 2018. Companies that fail to achieve GDPR compliance before the deadline will be subject to stiff penalties and fines.


How Does It Apply to SANS Security Awareness?

EU GDPR categorizes data holders into two groups: processors and controllers.

  • Controllers collect, process, store, and basically "own" the data and the relationship with EU citizens.
  • Processors are essentially sub-contractors of controllers who may process, store, and utilize EU citizen data on behalf of a controller.

There are additional required measures, processes, and documentation requirements for controllers.

SANS, including SANS Security Awareness, are considered controllers.


What is Privacy Shield?

Privacy Shield is an agreement between the EU and US allowing for the transfer of personal data from the European Union to United States.

The GDPR has specific requirements regarding the transfer of data out of the EU. One of these requirements is that the transfer must only happen to countries deemed as having adequate data protection laws. In general the EU does not list the US as one of the countries that meets this requirement.

Privacy Shield is designed to create an program whereby participating companies are deemed as having adequate protection, and therefore facilitate the transfer of information.

In short, Privacy Shield allows US companies, or EU companies working with US companies, to meet the international data transfer requirements of the GDPR.