General Data Protection Regulation (GDPR)

What is SANS Security Awareness Doing? 

On May 25, 2018, a new privacy law called the General Data Protection Regulation (GDPR) took effect in the European Union (EU). The GDPR clearly describes and expands the privacy rights of EU individuals and places new responsibility on all organizations that manage, market to, or process EU citizens’ personal data.

What is GDPR? 

As defined by the EU General Data Protection Regulation: 

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy... 

Major Provisions: 

  • Data subject rights 
  • Data breach notification 
  • Safe handling and transfer of data 
  • Data Protection Officers (DPOs) 
  • Applicability and Penalty 

Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens' data to better safeguard the processing and movement of citizens' personal data.


What Information is Covered in GDPR?

GDPR covers personal data.

The General Data Protection Regulation further defines this as follows: 

Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 

"Any information" includes cookies, images, names, email addresses, employee numbers, location, occupation, gender, account records, etc. This is generally considered to be literal: any information relating to a data subject.


What About Data Breach Notification?

GDPR describes the requirements for the communication of a data breach involving EU citizen personal data.

Controllers shall notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours, unless the breach is likely to result in a risk to the rights and freedoms of individuals.

When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller shall communicate the breach to the data subject without undue delay.

What is Safe Handling and Transfer of Data?

GDPR addresses the need for the controller, taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, to implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

It also addresses secure storage of data; the ongoing security, integrity and availability of data; and the ability to restore availability in a timely manner. It also calls for regular testing and evaluation of the effectiveness of the technical and organizational measures ensuring the security of the data.

It also requires companies to perform Data Protection Impact Assessments to identify risks to consumer data and Data Protection Compliance Reviews to ensure those risks are addressed.

What is a Data Protection Officer?

The GDPR requires that certain companies appoint data protection officers; these officers advise companies about compliance with the regulation and act as a point of contact with Supervisory Authorities (SAs).

It outlines the data protection officer position and its responsibilities in ensuring GDPR compliance as well as reporting to Supervisory Authorities and data subjects.

The DPO shall:

  • Carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.
  • Have an expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39.
  • Inform and advise the processor and the employees who carry out processing of their obligations, monitor compliance with EU GDPR, provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35.
  • Act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and consult, where appropriate, with regard to any other matter.


What is International Applicability and Penalty?

GDPR extends requirements to international companies that collect or process EU citizens' personal data, subjecting them to the same requirements and penalties as EU-based companies. It also outlines the penalties for GDPR non-compliance, which can be up to 4% of the violating company's global annual revenue depending on the nature of the violation.

How Does It Apply to SANS Security Awareness?

EU GDPR categorizes data holders into two groups: processors and controllers.

  • Controllers collect, process, store, and basically "own" the data and the relationship with EU citizens.
  • Processors are essentially sub-contractors of controllers who may process, store, and utilize EU citizen data on behalf of a controller.

There are additional measures, processes, and documentation requirements for controllers.

SANS, including SANS Security Awareness, is considered a controller.

What is Privacy Shield?

Privacy Shield is an agreement between the EU and the US allowing for the transfer of personal data from the European Union to the United States.

The GDPR has specific requirements regarding the transfer of data out of the EU. One of these requirements is that the transfer must only happen to countries deemed as having adequate data protection laws. In general, the EU does not list the US as one of the countries that meets this requirement.

Privacy Shield is designed to create a program whereby participating companies are deemed as having adequate protection, and therefore to facilitate the transfer of information.

In short, Privacy Shield allows US companies, or EU companies working with US companies, to meet the international data transfer requirements of the GDPR.