The GDPR and Application Protection
The General Data Protection Regulation (GDPR) is a European regulation intended to strengthen and unify data protection for all individuals within the EU, but it also addresses the export of personal data outside the EU. The regulation comes into effect in May of 2018 and organizations worldwide are working to ensure their security policies and procedures comply with the new legislation.
Development and DevOps may be overlooked but they are not exempt.
Because data is created, accessed, and changed through applications, protecting your applications is a key component to protecting your data. Adding application protection to your secure software development lifecycle will make it more difficult for people and machines to exploit them.
PreEmptive Solutions prevents, detects, responds, and reports on unauthorized attempts to tamper, monitor, or reverse engineer software.
- Preventing hacker-born breaches,
- Avoiding or minimizing stinging GDPR penalties,
- Shortening incident response time, minimizing breach scope, reducing notification cost and
- Simplifying GDPR audit processes and validation.
Why is the GDPR getting so much attention?
- Increased penalties ratchets up per incident costs. The higher the cost, the higher the per incident risk.
- New organizational obligations with a global reach means more companies have more ways to fail.
- The “state of the art” GDPR compliance standard differs substantially from the more common “reasonable” standard. Industry norms have been replaced by computing best practices as the reference standard.
Other than security-centered businesses, no organization can expect to be prepared to neutralize hackers looking to carve out their piece of the $1Trillion cybercrime market.
GDPR and Development: Processor liability and risk
For the first time, Data Processors (those who process, publish, transport and store private data) have regulatory and statutory obligations. Prior to the GDPR, security and notification obligations (and the fines and other penalties that can follow) only applied to Data Controllers (those who own the data and set processing policy).
The GDPR mandates that processing systems account for:
- “State-of-the-art” hacking techniques and their corresponding countermeasures – not at the time of a system deployment – but continuously. There is no reasonable way to hit this standard without an ongoing investment to track cyber threat and countermeasure developments,
- The cost of safeguarding implementations (time, money, other risks), as well as
- The relative likelihood and severity of any given class of data breach occurrence.
Balancing current risk with the cost and side effects of that risk is consistent with well-understood risk management practices. For a discussion of these basic risk concepts in the context of application development, see The Six Degrees of Application Risk.
Notification: Appropriate safeguards buttressed by notification obligations
With the GDPR, appropriate safeguards are buttressed by notification obligations if/when a breach occurs.
Key factors include:
Timing: A data breach must be reported to the Supervisory Authority within 72 hours of the data breach (Article 33).
Communication: Individuals must also be notified if adverse impact is determined (Article 34).
The cost of notification obligations and the penalties of failing to meet timing and communication obligations could eclipse the cost of the breach itself.
Minimize the number of impacted citizens: Early breach detection (or attempts) limits the number of impacted citizens. The precision of breach measurement limits the potential for “false positives.”
In short, PreEmptive Solutions detection, response and reporting capabilities reduce notification cost, breach duration, and overall risk.
Development and DevOps Are Not Exempt
On September 12, 2017 the following question was posted to the Europe Direct Contact Centre.
Subject: Liability stemming from Data Processor Software Development Practices
“Would a Data Processor be liable under The GDPR if the Processor develops software that is shown to have included avoidable vulnerabilities that subsequently led to a data breach?”
On September 22, 2017, in an official response, The European Direct Contact Centre replied (in part) as follows:
“The GDPR requires that the controller uses only processors providing sufficient guarantees to implement appropriate technical and organisational measures” – including “the requirements stemming from data protection by design and by default and those on (application) security.”
Put more succinctly, the EDCC responded YES. Data Processor Development and DevOps organizations are not exempt from GDPR obligations.
Implementer’s journey and resources
Download The Application Risk Mitigation Workbook that includes:
- GDPR Development Guidelines
- Application Risk Management Assessment white paper
- Implementer Journey: supplier selection
- Best Practice Template: Project plan and guide