
GDPR and Cybersecurity Compliance: How it Impacts Security


GDPR was a trailblazer. Since its adoption in 2016, the EU’s data privacy and protection framework has become the model for many other privacy frameworks worldwide. By now, most businesses understand GDPR’s core idea of protecting privacy and personal data. But let’s talk specifics. What does a company need to change about its cybersecurity to be GDPR compliant? That’s what this article will cover.


Who is required to be GDPR compliant?

Any company that collects or processes personal data from people in the European Union, or offers goods or services to them, is required to be GDPR compliant. If you’re reading this, chances are high that your organization needs to be GDPR compliant too.

GDPR distinguishes between data controllers and data processors. A data controller is any person or entity who makes decisions about why and how data is processed, while a data processor is any person or entity who processes data on behalf of the controller. Both need to be GDPR compliant, but data controllers have stricter requirements.

What types of privacy data does the GDPR protect?

GDPR protects the personal data of people in the EU. Personal data in this context is defined as “any information which are related to an identified or identifiable natural person.” This is left deliberately vague so it can be interpreted as broadly as possible. Here are a few examples of what personal data can include:

  • A name
  • Location data
  • A number plate
  • Someone’s appearance
  • Ethnic data
  • Personal IP address
  • Sexual orientation
  • Political opinion
  • Trade union membership

Which companies does the GDPR affect?

GDPR applies to all companies that interact with people in or from the EU, regardless of how many employees a company has or where they’re located. For example, GDPR applies to a Philippine dental clinic with twelve employees if they have Europeans on their mailing list.

However, companies under 250 employees (SMEs) are freed from a few record-keeping obligations that larger companies have to abide by under GDPR. See GDPR Article 30, Section 5 for more information on those record-keeping requirements.


What does GDPR mean for cybersecurity?

GDPR can be seen as a burden or an enabler, and your life will be a lot less stressful if you see it as an enabler. The data protection and privacy framework should be seen as a big incentive for companies to take data privacy in cybersecurity seriously and to put the right processes, safeguards, and measures in place to keep the data you collect, store, or process as secure as can be.

Types of Cybersecurity that Need to Be GDPR Compliant

GDPR compliance and cybersecurity are intricately connected. GDPR compliance requires good cybersecurity on both a technical and an organizational level, because its entire purpose is to avoid the misuse of personal data. You need to protect yourself against all kinds of cybersecurity threats that will try to infiltrate the layers of your organization described below.

Such infiltration will often happen in the form of malicious bots. Modern hackers create highly specialized bots that can bypass simple cybersecurity solutions and result in account takeovers, card cracking, and worse. Staying compliant with GDPR requires adopting a solution that will fully protect you against such automated threats.

Critical Infrastructure Security

Critical infrastructure is the set of systems, networks, and assets that are crucial for the continued operation of your organization. This is probably where your cybersecurity is strongest right now, because any disruption there will immediately affect your organization. Suffice it to say that your critical infrastructure needs to be GDPR compliant.

Application Security

It’s easy to forget about applications if you’re not a mobile-first company. But apps, even internal ones, are an attack vector for hackers and fraudsters. Insecure software has led to some of the largest data leaks in history (e.g. the 2017 Equifax breach). Security needs to be part of every stage of the software development lifecycle. Best practices include:

  • Frequently patching software and systems
  • Using the least privilege principle
  • Practicing code reviews for security
  • Encrypting all data, both in transit and at rest

Network Security

Now that many companies have employees who work remotely, network security has become more complicated. It’s not uncommon for employees to access personal data from a network the company doesn’t know anything about. That’s why network security is crucially important for GDPR compliance. Security protections include:

  • Firewalls
  • A remote-access VPN
  • Strong access control
  • Network segmentation

Cloud Security

Enterprise cloud offerings often have terrifically strong cybersecurity to protect their clients’ data. After all, their entire business model would crumble with a single breach. However, it’s not unusual for company information to be synced, accidentally or for convenience, to personal, insecure clouds. This increases the attack surface available to a hacker. Protect yourself by:

  • Implementing identity and access management (IAM)
  • Educating employees on the importance of cloud security
  • Securing the devices employees use to access cloud data

Internet of Things (IoT) Security

The Internet of Things is all the objects that process information and connect to your network. Examples include a manufacturing machine, cameras, AR glasses, a motion detector, etc. These devices are often not as secure as laptops or desktop computers, which is why they are popular attack vectors. Best practices to protect this layer include:

  • Disabling unused devices
  • Monitoring unusual IoT activity on your network
  • Frequently auditing all your connected devices
  • Using strong passwords for all devices

GDPR Principles to Improve Your Cybersecurity

Now that we’ve covered which layers of your organization you need to be especially careful about when it comes to data protection, it’s time to go over the specific GDPR principles that will help improve your overall cybersecurity.

Data Breach Detection and Response

GDPR Articles 33 and 34 cover what you need to do in case of a personal data breach, both with regard to the relevant supervisory authority and to the data subject. What’s important is that, in most scenarios, you must notify the authority no later than 72 hours after becoming aware of the breach. When doing so, you must describe:

  • The nature of the breach, along with categories and number of records.
  • The name and contact details of a contact point.
  • The likely consequences of the breach.
  • The measures you’ve taken or proposed to address the data breach.


Third-party Risk Management

If you are a data controller who transfers personal data to third parties for processing purposes (they are then your data processors), you must have proper risk management in place. While data processors must be GDPR compliant too, the regulations for controllers are stricter. GDPR Articles 24 and 28 outline the responsibilities of the controller. Here are a few key elements:

  • You must implement technical and organizational measures to ensure that the processing is done appropriately (even if you’ve outsourced the processing).
  • You must have certification mechanisms in place to demonstrate compliance with your obligations as a controller.
  • You will only work together with processors who have provided sufficient guarantees that they have implemented appropriate technical and organizational measures.

Data Protection Impact Assessment

A data protection impact assessment is a process that identifies the risks tied to the processing of personal data and how you can minimize those risks for optimal data leak protection. It is not a requirement for GDPR compliance, but it can help, particularly when you’re working with third parties. Article 25 covers it in more depth, but the assessment must contain at least:

  • Why you’re controlling or processing personal data
  • How you’re processing data
  • How that processing risks breaching user privacy rights
  • How specifically you will address those risks

Data-centric Security

Overall, GDPR encourages data-centric security. Whether it’s people on a marketing mailing list, a customer database, health records, or a leads database, personal data is usually one of the most valuable assets in any company. Any security measures you implement, whether technical or organizational, should have data protection at the core of their design.

Key Takeaway

It takes some effort to become and to stay compliant with GDPR, but doing so will improve your overall cybersecurity, including the cybersecurity of areas that are often overlooked, such as application security or IoT security. It will also strengthen the security between you and third parties, and it tells you how to detect and respond to data breaches.

A cybersecurity breach can do irreparable damage to the reputation of your company, not least because it can lead to hefty GDPR fines. DataDome’s online fraud and bot protection software is fully compliant with GDPR (and other local data protection regulations) and will block all malicious bots from scouring your websites, apps, and APIs. Schedule a live demo today to see how it works.
