ICEBRG GDPR Compliance and Data Protection

November 2, 2018

By: Emily Anderson
  • Tags:
  • Data Protection
  • GDPR
  • Privacy

In security, we rely on data (and a lot of it!) to do our work—identify threats and stop bad actors. That mission can still be accomplished while remaining compliant with privacy laws such as the European Union’s General Data Protection Regulation (GDPR).

What is GDPR?

The GDPR is an EU privacy law replacing Directive 95/46/EC and comes into effect May 25, 2018. The GDPR aims to empower individual EU citizens with greater control over their personal data. In practice, the GDPR expands the definition of personal information and puts into law many privacy and data protection best practices that span across the privacy lifecycle including: notice, consent, collection, access, use, retention, and destruction.

Under the GDPR, data controllers (who receive data directly from the data subject) and data processors (who process data on behalf of and under the direction of the data controller) must implement technical and organizational measures (“TOMs”) to ensure that the data subjects’ rights are honored. TOMs include the following:

Privacy Reviews

Regular privacy reviews should be implemented for any privacy-impacting activity. This includes any activity that will collect data for the first time or use already-collected data for a new purpose. As part of the privacy review, you will assess what data is collected, what notice is provided, what consent is gained, the intended use and any third-party transfers, along with retention and destruction.

Anonymization and Encryption in Transit and at Rest

Anonymization and de-identification of data at the point of collection, prior to encrypted transfer, is implemented to reduce risk. Sensitive elements of the data are stripped, and the data is safeguarded from unauthorized access in transit via encryption. At ICEBRG, we are proud to hold our first issued patent in furtherance of data protection; see US9912689B2, issued March 6, 2018.
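The de-identification step described above, as an added illustration that is not ICEBRG's code and makes no claim about the patented method: a collector strips fields that are never needed downstream, pseudonymizes direct identifiers with a keyed hash (stable within a deployment, so analysts can still correlate events, but not reversible without the key), optionally generalizes addresses to a prefix, and then verifies that no raw identifier survived before the record is handed to the encrypted transport. Field names, the sample record and the key are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed policy: direct identifiers are pseudonymised, free-text payload fields
# are dropped outright because nothing downstream has a justified need for them.
PSEUDONYMISE = ("src_ip", "user")
STRIP = ("http_body", "dns_query_raw")


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256, truncated to 16 hex chars. Same key => same token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalise_ip(addr: str) -> str:
    """Coarsen an address to a network prefix (/24 for IPv4, /48 for IPv6)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def deidentify(record: dict, key: bytes) -> dict:
    """Apply the policy above at the point of collection, before transfer."""
    out = {}
    for field, value in record.items():
        if field in STRIP:
            continue
        if field in PSEUDONYMISE:
            out[field] = pseudonymise(str(value), key)
        else:
            out[field] = value
    return out


def leaks_identifiers(deidentified: dict, original: dict) -> bool:
    """Check step: does any raw identifier still appear anywhere in the output?"""
    serialised = json.dumps(deidentified)
    return any(str(original[f]) in serialised for f in PSEUDONYMISE if f in original)


if __name__ == "__main__":
    key = b"constructed-per-deployment-key"  # in practice: from a secrets store
    event = {  # constructed sample network event
        "ts": "2018-11-02T10:15:00Z", "src_ip": "203.0.113.45", "user": "alice",
        "dst_port": 443, "http_body": "card=4111...", "bytes": 1432,
    }
    safe = deidentify(event, key)
    assert not leaks_identifiers(safe, event)
    print(json.dumps(safe), generalise_ip(event["src_ip"]))
```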

Access Control

When the data reaches its destination, TOMs include encryption at rest and access controls. Only those with a business justification and regular privacy training should have access to data. Access controls should be reviewed regularly; once per quarter is generally a good cadence if you have low turnover.

Privacy by Design

Engineering team TOMs include privacy by design engineering principles. Foundational Principles include:

  • Proactive not reactive; preventative not remedial

  • Privacy as the default setting

  • Privacy embedded into design

  • Full functionality—positive-sum, not zero-sum

  • End-to-end security—full lifecycle protection

  • Visibility and transparency—keep it open

  • Respect for user privacy—keep it user-centric

Privacy Incident Response Plan

Privacy incident response processes and procedures should be in place. For many organizations, it makes sense to include the privacy incident response plan within the organization’s security incident response plan. Note that you will need to assign or hire privacy-knowledgeable staff to lead privacy incident response. To make sure your organization is prepared should a privacy incident occur, consider running twice-yearly table-top exercises to practice the privacy incident response. “An ounce of prevention is worth a pound of cure” rings true in privacy incident response preparedness.

Data Retention and Destruction

Data retention schedules should be drafted based on the consent granted, contractual limitations, or a legitimate interest balancing test that weighs the interest of the data subject against the interest of the business in continued use. When a retention period expires, destruction practices should be in place and tested to ensure that data is not erroneously retained.

GDPR Data Processor Obligations

In addition to TOMs, data processors also have the following obligations under the GDPR:

  • Process personal information only as instructed by the Controller

  • Notice of collection, use, and retention with record of consent (contractual agreement with Controller)

  • Record of processing activity

  • Persons with access to personal information are contractually bound to confidentiality

  • Written consent to engage in sub-processing; impose data processing obligations on sub-processor

  • Delete or return all personal data to the EU when processing is complete

  • Breach notification within 72 hours

  • Assist the Controller with technical and organizational measures to ensure the Controller’s ability to respond to Data Subject Requests

  • Cooperate fully with audits by Controller

At ICEBRG, we support GDPR compliance through implementation and active practice of the above-mentioned TOMs and data processor obligations.

Additional Resources

ICEBRG is a network security analytics company offering a SaaS capability that enables customers to gain and utilize widespread network visibility for security operations. To learn more about ICEBRG, contact us at [email protected], or for privacy related questions [email protected].