The General Data Protection Regulation (GDPR) officially 'went live' in 2018, and in that time both the European Data Protection Board (EDPB) as well as organisations subject to GDPR have had plenty of opportunities to see how these rules play out in the real world, and how organisations have responded to it. Earlier this year, the EDPB published guidelines to assist data controllers with regards to data breach notifications from a practical, case-based perspective. With the sheer number of cyberattacks and breaches occurring these days, this guidance is going to be from a place of valuable experience.
The subject of data security, personal information, breaches, mitigations and so on is fairly daunting to the uninitiated, in fact, it can even be daunting to those who educated in the sector also. Many organisations have struggled to establish a robust response to GDPR, therefore, practical, and real-world guidance like this will be most welcome in many IT communities. The examples given lend credence to the belief that how we protect against a breach, and the maturity of organisation’s contingency planning are of equal importance. It is no use being 100 percent in one and 0 percent in the other.
Language matters
For the most part the EDPB guide makes recommendations using simple, plain English. With good definition of what a 'personal data breach' actually is and makes distinctions between the types of impact breach can have. The guidance places clear focus on the risk to individuals and the expectation that appropriate measures, technical or otherwise, are applied to mitigate those risks.
It is correct in calling out data breaches as symptomatic of outdated or vulnerable security schemes and makes several well-grounded statements, for example:
"As a general truth, it is always better to prevent data breaches by preparing in advance, since several consequences of them are by nature irreversible."
Whose job is this anyway?
GDPR uses the label 'data controller', to mean the party in control of personally identifiable information (PII). This can unintentionally reinforce the message that "This is a problem for the security team". The eternal problem for data security is that, through this type of language, people who are generally, and understandably, ignorant of the issues feel permitted to pass the subject off as "not my problem" – leading organisations open to data breach opportunities.
If you ever sent or received a spreadsheet with a list of names and addresses, or other personally identifiable information, you were in a very real sense a controller of that data. The gap between formal documentation and its definitions, and the guidance which needs to reach 'normal humans' is where some consultancies make their money. This EDPB guidance does feel like it could use more human-digestible language, and potentially link to smaller, easily digestible guidance such as community content, therefore making it more accessible to not just members of IT teams, but whole organisations.
More real-world guidance
The subjects of accountability, data protection and security by design are mentioned in the EDPB in passing – however, these are all critically important subjects and require focus. Individuals may be focussed on some objective or outcome without having placed adequate consideration on the processing or storage of individuals data. People can behave simply as consumers of data, rather than responsible data controllers. It may help if people each considered themselves accountable for their own actions as these may have a material impact on the organisation they work for.
The EDPB document provides several mentions of subjects like backups, encryption, and training, however areas such as multi-factor authentication and the principle of least privilege in particular get relatively little coverage. When it comes to limiting or mitigating a breach, these will be critical matters. On a similar vein, zero trust authentication and access methodology are not mentioned in the document at all.
Expectation vs reality
It is convenient for documents with a security focus to make sensible sounding but perhaps unlikely statements like this one:
"Ensuring that all reasonable IT security measures are in place, making sure they are effective and keeping them regularly updated when processing or circumstances change or evolve."
Passages like this leave plenty much open to interpretation. Applying the principle of least privilege is a process which iterates with each operating system or feature release in the cloud. However, it is not uncommon to see proportionally few organisations in the world with the resources to adequately review technology and ensure this is rolled out across the environment as updates appear. More often than not, difficult choices have to be made and priorities given.
The contours of these discussions will be heavily influenced by budgets, the organisational configuration of the CIO and CISO in relation to the rest of the C suite and the board, and the relationship between IT operations, engineering, security functions and other IT functions.
Effective management of identity subsystems like Active Directory and Azure Active Directory in particular are crucial in limiting or frustrating bad actors’ efforts in impacting data privacy. The EDPB document briefly discusses the need to segment or isolate systems, which most will read from a network segmentation perspective. In an identity-driven world, the principle of least privilege and the Bell-LaPadula (or ‘tiered access’) models are equally as important as network segmentation, as is zero trust in a cloud-enabled organisation.
We're all in this together
It is fair to say that this EDPB document is focussed more upon data breach notifications rather than the controls used to minimise likelihood of a data breach or specific features of contingency planning – but an opportunity to nudge forward good practices in these areas is always worth using.
The supplied document does provide valuable real-world case studies with some practical guidance given to the types of consideration, decisions and actions which may have to be taken. Recent trends have shown an increase in the frequency of cyberattacks over the past few years, so it remains as vital as ever that organisations are well-prepared, and the EDPB are doing their part to help organisations do just that with this vital document.
Gavin Ashton, Security Strategist, Stealthbits, now part of Netwrix