One of the biggest hurdles to improving information security and data privacy is how efforts to do so are almost always reactionary. Legislation and regulatory bodies struggle to make effective changes to data security at a pace that matches the rapidly evolving digital landscape.
That being said, proper regulations are critical to holding organizations liable when their negligent or predatory policies lead to a data breach that negatively impacts the broader public.
One such piece of legislation, the GDPR, sets the standard for protecting users’ personal information and data privacy throughout the European Union. It’s a wide-reaching set of regulations, and even organizations outside the EU can find themselves facing steep GDPR fines for non-compliance.
If you’re concerned that the GDPR may apply to you, and you want to achieve compliance with any GDPR regulation you may have missed, you’re in luck. There’s a convenient checklist that can help you do just that.
What Is the GDPR Compliance Checklist? The Answer in Brief
Below is a quick summary of the most important points of this article.
What Is the GDPR Compliance Checklist?
Several online resources have been created to help simplify the work of achieving compliance with the GDPR. Some of the most useful of these resources are GDPR compliance checklists. Much as you might use a move-out checklist for a rental property, these compliance checklists put the most critical details on a list so they can be checked off one by one.
However, GDPR compliance checklists are not necessarily a guarantee of compliance. The EU does not have an official, parliament-approved checklist of GDPR requirements, and any you find online will come with a disclaimer indicating that it’s not legal advice.
In other words, just because you can check every box, don’t assume you’re completely in the clear. No GDPR regulation checklist, no matter how detailed or robust, is a suitable replacement for competent, qualified legal advice to avoid GDPR fines.
Where Can I Find the GDPR Compliance Checklist?
That being said, if any GDPR compliance checklist carries anything approaching official authority, it’s the GDPR checklist for data controllers found at GDPR.eu. This site, operated by Proton Technologies AG, is a comprehensive resource for organizations seeking GDPR compliance. While not an official government resource, it was funded in part by the EU’s Horizon 2020 Framework Programme and serves as perhaps the foremost knowledge base on the topic.
How Do I Use the GDPR Compliance Checklist?
The checklist found at the link above is broken into four sections:
- Lawful basis and transparency
- Data security
- Accountability and governance
- Privacy rights
Every section contains a list, with each item featuring a check box for marking completion and an explainer paragraph (viewable by clicking on the list entry). Using the checklist is as simple as consulting the list items, reading the expanded explanation if needed, and assessing how closely your organization adheres to the standard each item describes.
If the list item’s statement is true for your organization, check the box. If not, make the needed adjustments to bring policy or systems up to the standard, and then repeat the assessment. Once every box is checked, you’re done.
What’s Next?
The next steps depend on whether or not your organization is required by law to adhere to GDPR guidelines. If you operate within the EU, serve EU residents, or otherwise intentionally monitor the data of individuals in the EU, you’re required to comply with GDPR requirements or face sanctions. If that’s not you, you’re not liable for non-compliance.
If the GDPR applies to you, the best next step is to consult a legal professional, optimally one with verified experience addressing GDPR compliance concerns. It may also be worthwhile to consult InfoSec professionals with similar GDPR expertise if you don’t already have such an expert involved in the project.
If, on the other hand, you’re not liable for compliance, and are using the checklist as more of a grading rubric for your team’s level of cybersecurity, no additional action is strictly required. We’d still recommend consulting with experienced security professionals, however, as other regulations may actually be applicable to protect your sensitive data and personal information.
More importantly, most organizations carry significant data processing vulnerabilities without realizing it and only begin to recognize the potential risk once they compare their current readiness to an external standard. If this exercise with the GDPR has left you suspicious of additional data breach concerns hiding just beyond your current visibility, a compliance risk assessment could be worth a look.
The GDPR, and EU Efforts to Improve Security and Data Privacy
Concerns Regarding Data Privacy
Major data breaches involving sensitive, personally identifying information (PII) tend to get most of the press when it comes to cybersecurity, but they’re not the only way digital data can be exploited or abused. In fact, legitimate businesses and organizations have been collecting customer data without valid consent for years, and it was ostensibly legal.
A good deal of this involves “cookies,” or small snippets of code that websites will use to tag users based on where they go online. These can be useful—such as when we check the “stay logged in” box so we don’t have to enter our password every time we visit the website. Not all of them are designed to benefit the user, however.
Cookies are often used as a way to identify demographics for more targeted advertising. If you’ve ever looked up a product on Google, only for ads for that product to start popping up on other sites, that’s what’s happening. Even ad targeting can have some benefits for the user, but it becomes a problem when those users have no way to decline consent or remove the data.
At best, user profiles collect a significant amount of data that sits untouched in a database the user has no way to reach. At worst, that collected data can constitute PII and can result in identity theft if stolen.
Broader Cybersecurity Concerns
Even for those of us who work in capacities where the use of cookies is important to our efforts, we’re not immune. That data can just as easily be ours, and it’s just as vulnerable to predatory usage or unauthorized access. In other words, because cybersecurity issues affect everyone, data privacy is everyone’s problem.
Recent years have seen major legislative bodies in places like the US and the EU attempting to bring some of the digital disorder to heel. Updates to frameworks like the NIST Cybersecurity Framework 2.0 and the NIS2 Directive point to the growing concern, and the growing consensus, that a concerted, collective effort has to be applied to the problem of information security.
New laws and standards have been passed that govern aspects of security like the handling, storage, transfer, and disposal of data (among a host of other things). And that’s just the tip of the iceberg. They have also sought to establish more consistent standards, similar in spirit to how workplace safety and environmental impact have been managed for decades.
Finally, having rules on the books is crucial as it allows governing bodies to hold organizations accountable when there are instances of non-compliance. If there’s no law to break, there can’t be any penalty for breaking it.
Where the GDPR Fits
While most legislation applies to specific industries, or to InfoSec more broadly, the General Data Protection Regulation (GDPR) was the EU’s attempt to attack the issue of user data rights more directly. It’s one thing for a website to leak plaintext login credentials for its users, who at least willingly chose to set up accounts and provide information.
But until recently, cookies were collected without valid consent or even disclosure. If you weren’t tech-savvy enough to know how websites knew you were you, then you likely had no idea it was even happening—the GDPR changed that.
One of the most publicly visible effects of the GDPR becoming law was the addition of pop-ups on websites disclosing cookies and asking for consent. It wasn’t the only major adjustment that websites and organizations had to make, though. In addition to giving users the chance to consent to customer data collection, it also established a host of other rights, like their “right to be forgotten.”
In other words, the GDPR gave power back to the users, so that their data could only be taken with their permission, and had to be disposed of at their instruction.
What Is the GDPR (and How Does It Work)?
The Abbreviation
As mentioned above, GDPR is an abbreviation for the General Data Protection Regulation. Passed by the European Parliament in 2016 and applicable from 2018 onward, the GDPR set the new standard for data privacy and user data rights across the EU.
The Organization
While much of the actual enforcement of the GDPR standards happens at the national level, the regulation as a whole is administered by the European Data Protection Board. This body replaced the Article 29 Working Party, in the same way the regulation itself replaced earlier standards for data privacy.
The Purpose and Core Tenets
As the full text of the GDPR is rather extensive (with nine chapters and nearly 100 articles), distilling the whole of it into a few axioms isn’t easy. Depending on which online resources you consult, the main “aspects,” “goals,” or “principles” will vary slightly both in subject and in number.
On the official europa.eu site for the GDPR, however, they specify at least three key principles:
- Fair and lawful processing
- Purpose limitation
- Data minimization and data retention
Put in less formalized language, the GDPR instructs organizations regarding:
- What circumstances, methods, and purposes count as lawful when collecting user data
- How purposes for collecting and using data should be limited to only what is strictly necessary
- When data is collected, it should be the minimum required for the purpose, and it should be stored for the shortest time possible before disposal
These are principles very similar in methodology to those found in other aspects of cybersecurity. For example, Identity and Access Management seeks to limit every user to the lowest access privileges possible and to reduce or eliminate privileges whenever they are no longer needed.
With these guiding tenets, the GDPR seeks to keep organizations from abusing their ability to collect, store, use, and share data, and to give users greater control over their own data.
The Regulations
Again, the GDPR is a lengthy piece of legislation with quite a few legal nuances. But the most prominent, and most important, rules it enforces are as follows:
- If data is being collected, the individual must be informed and given a chance to decline
- If an individual requests to exercise their “right to be forgotten,” the data controller must delete their data
- Individuals must be allowed to access the data that has been collected from them on request
- Collected data must be kept up-to-date and accurate
- There are strict limits regarding what data can be collected, how much of it can be collected, and how long it can be stored
- The data controller must appoint a Data Protection Officer to monitor and manage GDPR compliance
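The principles and rules listed above (lawful collection with consent, purpose limitation, data minimization, storage limitation, and the rights of access, rectification and erasure) are usually discussed as legal obligations, but each one can be enforced as a concrete control in the system that holds the data. The following is an added example written for this article, not code from the GDPR.eu checklist or from any project the page names. The purposes, allowed fields, retention periods and subject records are all constructed sample values; real retention periods and lawful bases must come from your own legal assessment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy (not from the GDPR text): each declared purpose may hold
# only the fields it needs (purpose limitation + data minimization) and only
# for a bounded period (storage limitation).
ALLOWED_FIELDS = {
    "order_fulfilment": {"name", "shipping_address"},
    "newsletter": {"email"},
}
RETENTION = {
    "order_fulfilment": timedelta(days=90),
    "newsletter": timedelta(days=365),
}


class ConsentRequired(Exception):
    """Raised when data is submitted without the subject's consent."""


class UnknownPurpose(Exception):
    """Raised when no declared purpose covers the collection."""


@dataclass
class Record:
    subject_id: str
    purpose: str
    data: dict
    collected_at: datetime


class DataController:
    """Toy record store that enforces the controls at the point of storage."""

    def __init__(self):
        self._records: list[Record] = []

    def collect(self, subject_id, purpose, submitted, consent_given, now):
        """Refuse without consent; keep only fields the purpose allows.
        Returns the names of the submitted fields that were dropped."""
        if purpose not in ALLOWED_FIELDS:
            raise UnknownPurpose(purpose)
        if not consent_given:
            raise ConsentRequired(subject_id)
        kept = {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS[purpose]}
        self._records.append(Record(subject_id, purpose, kept, now))
        return sorted(set(submitted) - set(kept))

    def access_request(self, subject_id):
        """Right of access: everything currently held about one subject."""
        return [
            {"purpose": r.purpose, "data": dict(r.data),
             "collected_at": r.collected_at.isoformat()}
            for r in self._records if r.subject_id == subject_id
        ]

    def rectify(self, subject_id, field_name, new_value):
        """Accuracy: correct a field wherever it is held. Returns records changed."""
        changed = 0
        for r in self._records:
            if r.subject_id == subject_id and field_name in r.data:
                r.data[field_name] = new_value
                changed += 1
        return changed

    def erase(self, subject_id):
        """Right to erasure: drop every record for the subject. Returns count removed."""
        before = len(self._records)
        self._records = [r for r in self._records if r.subject_id != subject_id]
        return before - len(self._records)

    def purge_expired(self, now):
        """Storage limitation: delete records older than their purpose's retention."""
        before = len(self._records)
        self._records = [r for r in self._records
                         if now - r.collected_at <= RETENTION[r.purpose]]
        return before - len(self._records)

    def count(self):
        return len(self._records)


def run_demo():
    """Exercise every control on constructed sample subjects; returns the outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    dc = DataController()
    # Over-collection attempt: date of birth is not needed to ship an order, so it is dropped.
    dropped = dc.collect("alice", "order_fulfilment",
                         {"name": "Alice", "shipping_address": "1 Example St",
                          "date_of_birth": "1990-01-01"}, consent_given=True, now=t0)
    dc.collect("alice", "newsletter", {"email": "alice@example.invalid"}, True, t0)
    dc.collect("bob", "newsletter", {"email": "bob@example.invalid"}, True, t0)
    try:  # No consent: nothing is stored at all.
        dc.collect("carol", "newsletter", {"email": "carol@example.invalid"}, False, t0)
        refused = False
    except ConsentRequired:
        refused = True
    rectified = dc.rectify("alice", "shipping_address", "2 Example St")
    access = dc.access_request("alice")
    # 120 days on: the 90-day order data has expired, the 365-day newsletter data has not.
    purged = dc.purge_expired(t0 + timedelta(days=120))
    erased = dc.erase("bob")
    return {"dropped": dropped, "refused": refused, "rectified": rectified,
            "access_purposes": sorted(a["purpose"] for a in access),
            "purged": purged, "erased": erased, "remaining": dc.count()}


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that minimization and retention are decided by policy tables at write time and at a scheduled purge, not by hoping downstream consumers behave; the access, rectification and erasure paths operate over the same store, so a subject request sees exactly what the purge and minimization logic left behind.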
Who the GDPR Applies To
As EU legislation, the GDPR is aimed at establishing data protection for citizens and residents of the EU. In a pre-internet world, this would mean that it only protects people who are EU citizens or residents, and is only enforceable against organizations in the EU.
But they don’t (or didn’t) call it the “World Wide Web” for nothing. Individuals in the EU can visit websites all over the world, and organizations from across the globe can target users and customers within the EU’s borders. That muddies the waters a bit, but there are some pretty clear dividing lines regarding who has to worry about compliance.
As such, the GDPR applies first to any organization based in, or with a functioning branch in, the EU. Beyond that, any external organization that offers goods and services to EU residents, or otherwise monitors individuals in the EU, must also be compliant.
In short, if the organization caters to or specifically targets individuals in the EU, it can be held liable for non-compliance with the GDPR.
Is There a US Equivalent to the GDPR?
While many US companies have to adhere to the GDPR, the legislation technically only protects people in the EU. Other locations, such as the United States, have to be protected by the governing bodies that have jurisdiction there.
Currently, the US doesn’t have a unifying federal regulation on data privacy and user data rights. Some states have sought to implement their own, of which the California Consumer Privacy Act (CCPA) is the most comparable to the GDPR. But current implementation in most states tends to be less robust, if there are even data protection laws at all.
The Importance of GDPR Compliance
GDPR Compliance Leads to More Ethical Digital Policies
Despite being perhaps a bit philosophical or idealistic, the most important reason for GDPR compliance, or any strong policy for data privacy and cybersecurity, is that it’s ethical.
We share the digital spaces of the internet the way we share physical spaces in our homes, communities, and whole lives. Decreased safety in those shared spaces affects everyone, and even when we don’t personally find ourselves on the receiving end of disaster or tragedy, we all share a responsibility to help “keep the streets safe” for fellow netizens.
No individual, or single organization, can prevent every potential negative outcome. But we should still seek to make sure that when breaches and abuses happen, they aren’t the result of our actions or negligence.
GDPR Compliance Helps Minimize Societal Costs
Moving to more pragmatic reasoning, there are significant ramifications when data privacy is not upheld correctly. Again, it may not directly affect us or someone we know, but a lack of internal cost is not the same as “harmless.” External costs are still costs.
When a sensitive data breach leads to a spike in identity theft cases, for example, that can have a ripple effect on the economy at large. Victims seek to undo the damage, with banks and businesses scrambling to remediate on their behalf. Even if no recompense can be offered, the resulting loss of trust in the brand can trigger a mass exodus of consumer loyalty, leading to lost business, reduced demand, and decreased commerce reaching outward from there.
It may take time, but those ripples will eventually reach the whole market, and that’s if more direct consequences don’t reach the non-compliant organization first.
GDPR Compliance Helps Avoid Business Losses
Here’s the meat and potatoes of the answer on this matter. If you need a concrete reason to pursue compliance, the following should provide just that.
For infringements regarding non-compliance, the GDPR stipulates a range of possible sanctions of increasing severity, with the most severe being “a fine of up to €20 million or 4% of the business’s total annual worldwide turnover.”
Beyond that, individuals can pursue compensation directly, holding organizations liable for infringement. They can do this if they’ve suffered material damages, or even non-material damages, “such as reputational loss or psychological distress.”
Repercussions like these are often far from private when addressed, and they can be difficult to sweep under the rug, PR-wise. Even if the initial financial loss is manageable, the resulting loss of reputation and brand trust can significantly impact business profits moving forward.
Where the Checklist Comes In
As mentioned above in the summary section, compliance checklists provide a streamlined rubric for determining your current level of compliance. They also help identify the areas of non-compliance that should be addressed first. A checklist can provide a kickstart for compliance efforts, especially for teams that aren’t used to adhering to standards of this nature.
Keep in mind, however, that none of the checklists currently available constitute official resources or actual legal advice. Don’t rely solely on a GDPR compliance checklist when performing due diligence, or you may find yourself held fully liable for details the checklists didn’t—or couldn’t—cover.
A GDPR checklist is an aid, a starting point, not a replacement for legal consultation and official compliance. It’s a meterstick that can help estimate just how far you need to go, and how much work will need to be done to reach full compliance. It’s useful and valuable.
Just be sure your efforts don’t stop there.
How RiskRecon Can Help
No matter where your organization is based, or where in the world it does business, compliance is a major concern for any business looking to minimize losses. It’s not the only source of risks and threats, however, and it’s not the only area where organizations need protection.
Cybersecurity as a whole is a challenge most infrastructure and operations (I&O) teams lack the resources to properly address. Every year, the number of breaches, leaks, violations, and disasters increases, as does the average loss value. Every year, organizations accumulate more vulnerabilities. And every year, I&O teams are expected to achieve more with less support.
There’s a lot that can go wrong, and without a way to even the odds, it’s only a matter of time before a major loss is completely unavoidable.
That’s where we come in. RiskRecon by Mastercard provides organizations with the insight, information, and support they need to shore up their defenses and minimize cyber risk. With a comprehensive risk assessment, your team can make effective, informed decisions regarding your own security posture, and the security posture of your business partners and vendors.
In the fight for information security, information is both your best defense and your most powerful weapon. You can’t protect what you can’t see, and you can’t remediate vulnerabilities you don’t know about.