After years of preparation and public debate, the European Union enacted the General Data Protection Regulation (GDPR) on May 25, 2018. The main motivations of the GDPR are to harmonize the previously fragmented data privacy laws across Europe and to give data subjects meaningful rights over how their personal data is collected, used, and retained. GDPR has been hailed as “the most important change in data privacy regulation in 20 years,” and its implementation has been subject to intense scrutiny.
This blog post reviews the key GDPR requirements and discusses major GDPR actions and news. It also provides some practical guidelines for securing your Elasticsearch data.
A GDPR Primer
The main rights granted to data subjects under the GDPR are:
Consent: Companies that want to gather personal data must clearly explain what they intend to do with that data and get explicit agreement from the data subject to collect and use it. Companies must also comply immediately if consent is withdrawn.
Privacy by Design: Companies must be able to show that they collect and process only the minimal amount of personal data that they need to achieve their declared purpose.
Access: Data subjects have the right to get information from a company about whether or not their personal data is being processed, where, and for what purpose. If requested, the company must provide an electronic copy of the personal data at no charge.
Erasure: Also known as “the right to be forgotten,” data subjects can require a company to delete their personal data if continued processing is not justified or if the data is inaccurate or incomplete.
Protection: Companies must be able to demonstrate that they have instituted appropriate technological measures and operational processes to secure applications and data stores against the loss or exfiltration of personal data.
Notification: If personal data has been breached, companies must inform the regulatory authorities without delay. If the breached data can cause damage to the affected data subjects, they, too, must be notified within 72 hours.
These rights apply to EU residents, even if the data controller or processor is located outside of the EU. Thus, for example, non-EU organizations that regularly process at scale the personal data of EU citizens are required to appoint a Data Protection Officer (DPO). The DPO must be able to work independently to ensure and verify that the regulations are being applied and to document how personal data on EU data subjects is being processed.
From the point of view of the data controllers and processors, the GDPR takes a risk-based approach that differentiates among different levels of personal data. The most stringent implementation expectations are reserved for particularly sensitive data related, for example, to the data subject’s health, criminal history, or employment status. Furthermore, the GDPR sanctions companies for breaches according to the level of diligence that the company can demonstrate in upholding the rights described above.
The GDPR is administered through the supervisory authorities appointed by each country’s government. If investigation of a breach shows that a company was negligent in upholding its GDPR responsibilities, the fines and sanctions can be significant. In the case of proven negligence that resulted in a breach, the fine is up to 4% of annual global turnover or €20 million (whichever is more). If the regulations are violated, even if no breach occurred, the fine is up to 2% of annual global turnover or €10 million (whichever is more).
Recent GDPR Actions
To show that the GDPR is being actively enforced, here are some notable GDPR-related actions and fines incurred since May 25, 2018:
The largest fine to date (€50 million) was issued by the French supervisory authority against Google for not obtaining valid user consent for personalized advertising.
In January 2019, an Austrian non-profit organization (noyb, which stands for “none of your business”) filed a GDPR non-compliance complaint on behalf of 10 users against eight large technology companies, including Apple, Amazon, Netflix, Spotify, and YouTube.
European authorities had received 113 GDPR-related cases as of mid-November 2019, for a total of almost €100 million in fines.
British Airways faces a €204.6 million fine (not finalized) by the UK supervisory authority for a June 2018 data breach in which the personal information of 500,000 customers was harvested by a malicious site.
Again in the UK, Marriott faces a €110 million fine (not finalized) for a data breach that began in 2014 and has affected more than 500 million customers around the globe.
Perhaps more important than the larger fines that have been levied against well-known companies is the fact that GDPR actions are being taken against a wide range of organizations across the EU, from restaurants to hospitals, banks, and even a private car owner who unlawfully used a dashcam. The GDPR Enforcement Tracker (maintained by the law firm CMS) provides a list of such fines and penalties. One that we found particularly interesting was a €2.6 million fine levied in Bulgaria against the country’s National Revenue Agency for insufficient technological and organizational data protection measures.
GDPR and Data Loss Protection
The GDPR has a significant impact on how data controllers are expected to protect personal data against loss. Some of the prescribed measures are organizational, such as well-formed data governance policies, training employees on how to handle personal and sensitive data, and verifying that all relevant members of the data controller’s supply chain are—and remain—GDPR compliant. Companies should also consider employing a DPO, even if they don’t fall under the GDPR criteria that mandate it.
Other GDPR data loss protection (DLP) measures are technological in nature, such as automatic data classification and tracking, encryption of data at rest and data in motion, role-based access control, and advanced threat detection solutions.
Complying with the GDPR’s DLP measures requires proactive logging and monitoring. All activities across the company’s infrastructure (virtual and physical storage appliances, networks, endpoints, and so on) have to be monitored and logged. Analytics are needed to extract insight from these diverse, high-volume data streams so that breaches can be identified quickly and remediated in real time, or even predicted before they occur.
GDPR, Elastic, and ReadonlyREST
Our blog post, How to Make Your Elastic Stack GDPR Compliant, provides a comprehensive review of the Elastic Stack as related to GDPR. It describes how various features and functions of the Elastic Stack can be used to achieve GDPR readiness, as well as to provide GDPR-grade protection of data and privacy.
In addition to the Elastic Stack features that an organization can use to support its GDPR compliance, Elastic also provides a fully managed SIEM (security information and event management) solution. SIEM systems are key to meeting GDPR data protection requirements. The Elastic SIEM solution ingests traffic data from a wide variety of sources across the company’s environment, centrally analyzes the data to quickly detect known or unknown threats, and issues correlation-based alerts.
ReadonlyREST’s community Elasticsearch plugin can help ELK-based organizations work toward GDPR compliance by adding encryption of data in transit, multi-level user access control, authentication (including an LDAP connector), and easy-to-write ACL rules (including field-level and document-level filters). ReadonlyREST’s commercial PRO and Enterprise Kibana plugins provide enhanced login and secure logout capabilities, secure support for Kibana multi-tenancy, and integration with SAML and other identity protocols.
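As an added illustration (not configuration from the original post), here is a readonlyrest.yml fragment showing how the field-level and document-level filters mentioned above map onto GDPR data-minimisation and erasure duties. The rule names (`ssl`, `auth_key`, `indices`, `actions`, `fields`, `filter`) follow the ReadonlyREST documentation; the users, passwords, index names, and field names are constructed placeholders.

```yaml
readonlyrest:
  # Encrypt the Elasticsearch REST port (data in motion).
  # Keystore path and passwords are placeholders, not real values.
  ssl:
    enable: true
    keystore_file: "keystore.jks"
    keystore_pass: "CHANGE_ME"
    key_pass: "CHANGE_ME"

  access_control_rules:

  # Support analysts may search ticket data, but the PII fields are
  # removed from every hit (field-level filter; the "~" prefix
  # blacklists a field). This enforces "privacy by design" minimisation.
  - name: "analysts: tickets without PII"
    auth_key: analyst:CHANGE_ME
    indices: ["tickets-*"]
    actions: ["indices:data/read/*"]
    fields: ["~customer_email", "~customer_phone", "~ip_address"]

  # A customer may read only documents tagged with their own id
  # (document-level filter; @{user} expands to the authenticated name).
  # In production the credentials would come from an external
  # authenticator such as LDAP so that one rule serves every customer;
  # a single constructed customer is shown here for clarity.
  - name: "customers: own tickets only"
    auth_key: cust-1042:CHANGE_ME
    indices: ["tickets-*"]
    actions: ["indices:data/read/*"]
    filter: '{"bool": {"must": {"term": {"customer_id": "@{user}"}}}}'

  # A dedicated service account for honouring erasure requests: it can
  # search and delete in the PII-bearing indices and do nothing else,
  # so the "right to be forgotten" workflow runs with least privilege.
  - name: "erasure worker: search and delete only"
    auth_key: erasure-bot:CHANGE_ME
    indices: ["tickets-*", "customers"]
    actions: ["indices:data/read/search*", "indices:data/write/delete*"]
```

Rules are evaluated top to bottom and the first match wins, so keep the broad-access entries below the narrow ones and verify each account's effective view with a test query before relying on it for compliance evidence.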
GDPR has significantly raised the bar for data privacy rights, and, over the last year and a half, both consumers and regulatory bodies have been proactive in enforcing those rights. Large and well-known companies are facing unprecedented fines and sanctions that are clearly meant to convey the message that GDPR means business.
In our view, however, GDPR should not be seen as a battlefield between consumers and enterprises. Everyone wins in our data-driven economy when companies respect and protect the personal data of their customers. And, in fact, GDPR compliance is easily achieved through actions companies should already be taking: embracing diligent data governance and protection policies and controls supported by today’s cutting-edge data protection technologies.
If your business needs to protect, track and control access to sensitive data, try out our ReadonlyREST plugins and join our community.
Simone Scarduzio — “GDPR regulation is not an obstacle between your business and getting things done. It’s an excellent, free guideline that will prevent your business from being sued for handling privacy poorly.”