The GDPR and Application Protection

The General Data Protection Regulation (GDPR) is a European regulation intended to strengthen and unify data protection for all individuals within the EU, but it also addresses the export of personal data outside the EU. The regulation comes into effect in May of 2018 and organizations worldwide are working to ensure their security policies and procedures comply with the new legislation.

Development and DevOps may be overlooked but they are not exempt.

Because data is created, accessed, and changed through applications, protecting your applications is a key component of protecting your data. Adding application protection to your secure software development lifecycle makes it more difficult for people and machines to exploit those applications.

PreEmptive Solutions prevents, detects, responds to, and reports on unauthorized attempts to tamper with, monitor, or reverse engineer software, which helps with:

  • Preventing hacker-borne breaches,
  • Avoiding or minimizing stinging GDPR penalties,
  • Shortening incident response time, minimizing breach scope and reducing notification cost, and
  • Simplifying GDPR audit processes and validation.

Why is the GDPR getting so much attention?

  • Increased penalties ratchet up per-incident costs. The higher the cost, the higher the per-incident risk.

  • New organizational obligations with a global reach mean more companies have more ways to fail.

  • The “state of the art” GDPR compliance standard differs substantially from the more common “reasonable” standard. Industry norms have been replaced by computing best practices as the reference standard.

Other than security-centered businesses, no organization can expect to be prepared to neutralize hackers looking to carve out their piece of the $1 trillion cybercrime market.

GDPR and Development: Processor Liability and Risk

For the first time, Data Processors (those who process, publish, transport and store private data) have regulatory and statutory obligations. Prior to the GDPR, security and notification obligations (and the fines and other penalties that can follow) only applied to Data Controllers (those who own the data and set processing policy).

Processor Obligations

The GDPR mandates that processing systems account for:

  • “State-of-the-art” hacking techniques and their corresponding countermeasures, not only at the time of system deployment but continuously. There is no reasonable way to meet this standard without an ongoing investment in tracking cyber threat and countermeasure developments,

  • The cost of safeguarding implementations (time, money, other risks), as well as

  • The relative likelihood and severity of any given class of data breach occurrence.

(CHAPTER IV Controller and processor, Section 1 General obligations, Article 25 Data protection by design and by default)

Balancing current risk against the cost and side effects of mitigating that risk is consistent with well-understood risk management practices. For a discussion of these basic risk concepts in the context of application development, see The Six Degrees of Application Risk.

Notification: Appropriate Safeguards Buttressed by Notification Obligations

With the GDPR, appropriate safeguards are buttressed by notification obligations if/when a breach occurs.

Key factors include:

  • Timing: A data breach must be reported to the Supervisory Authority within 72 hours of the data breach (Article 33).

  • Communication: Individuals must also be notified if adverse impact is determined (Article 34). The cost of notification obligations and the penalties of failing to meet timing and communication obligations could eclipse the cost of the breach itself.

  • Minimize the number of impacted citizens: Early detection of breaches (and of breach attempts) limits the number of impacted citizens, and precise measurement of a breach’s scope limits the potential for “false positives” in notification.

In short, PreEmptive Solutions’ detection, response and reporting capabilities reduce notification cost, breach duration, and overall risk.

Development and DevOps Are Not Exempt

On September 12, 2017, the following question was posted to the Europe Direct Contact Centre (EDCC).

Subject: Liability stemming from Data Processor Software Development Practices

“Would a Data Processor be liable under The GDPR if the Processor develops software that is shown to have included avoidable vulnerabilities that subsequently led to a data breach?”

On September 22, 2017, in an official response, the Europe Direct Contact Centre replied (in part) as follows:

“The GDPR requires that the controller uses only processors providing sufficient guarantees to implement appropriate technical and organisational measures” – including “the requirements stemming from data protection by design and by default and those on (application) security.”

Put more succinctly, the EDCC answered YES. Data Processor development and DevOps organizations are not exempt from GDPR obligations.

Implementer’s Journey and Resources

10 Essential App Best Practices for Developers: A Complete Guide, which includes:

  • GDPR Development Guidelines

  • Application Risk Management Assessments

  • Best Practices and more