EU is Implementing New GDPR Cybersecurity Standards. What They are and Why You Need to Pay Attention

With or without Britain, the European Union is about to implement broad-based data privacy and security business standards across all 28 member countries. The new standards, passed in April 2016, replace outdated 1995 standards. They will take effect on May 25, 2018, which is coming sooner than you think. (Britain said that it will implement the standards “as long as it remains in the EU”.)

These regulations apply to any company that holds any data on any party residing in the EU—not just to EU corporations. Even if you don’t have a European office, you probably have some data somewhere that will force your compliance with these rules.

The new rules, called the General Data Protection Regulation (GDPR), are meant to force any business that wants a presence within the EU to guarantee that all user/customer data and privacy is protected in all transactions within the EU.

Penalties are extremely harsh. Non-compliance can bring both private and public repercussions, but the big one is that fines can be up to five percent of global revenue.

This is a major change in privacy rules. Several recent surveys of corporate tech departments found that two-thirds of them thought they would have to change their European strategies to accommodate these standards. Over half expected to be fined for non-compliance, a third thought they could incur reputational damage for non-compliance, and most expected to incur costs for bringing their businesses up to the new standards.

What is a company to do?
Answer these questions and look at these things:

  1. What entities are responsible for compliance? All of them—companies that create the data, companies that transmit the data, companies that process the data, companies that review the data, and companies that store the data, including cloud storage companies. All third-party contracts need to be reviewed and updated for compliance with GDPR.

  2. Next, who in the corporation is responsible for compliance? CEO? CIO? CISO? CDO? We will make the call here and say that all of them are. That way, the buck doesn’t get passed and the company doesn’t fall short.

Also bring legal into this. Violators of the regulations can be sued for damages.

The new regs restrict the data that can be transferred outside of the EU. A company has to show compliance before it can transfer data from, say, France to the US.

Any user (anyone whose data is stored or transmitted) has the right to see what information about that individual exists, and the company will have 20 days to provide it. No hiding (this means you, Uber, whose data breach was hidden for a year).

Users can also demand that their data be erased. Completely. From every database and spreadsheet. This will probably require new protocols.

Corporations will need to generate and transmit reminders to users that the corporation holds the user’s data and what the company is doing with it, and be able to prove compliance with this requirement.

This is a lot, and it really requires a company that qualifies under the new regs to take its privacy game to another level.

Kimmell Cybersecurity has the knowledge, understanding and skills to update and upgrade any company to meet these new standards. Call us.


Want DoD Contracts? Comply with DFARS by the End of the Year

After a two-year delay, the US Defense Department is finally implementing the data security requirements of the Defense Federal Acquisition Regulation Supplement (DFARS). The new security requirements will go into effect as of December 31, 2017. Any Defense Department bid from any potential contractor from that point on will have to comply with these new regs, whether materiel is being purchased or leased by the government. Read on for an overview of these regulations.

So, what are they and how do bidders comply?

Step One: Do You Need to Comply?

First, you should already have some notion of this. Check your current contracts and solicitations. The DFARS data security requirements have been included in all of them for the last year or so.

The upcoming deadline applies to controls that DoD has put in place specifically for controlled unclassified information (CUI), which is basically any sensitive data that a contractor encounters and stores or transmits in the course of fulfilling a contract.

That sensitive data can include credit card data, healthcare data, anything to do with storing information in the cloud, or anything to do with developing weapons or communications.

It also includes information on any mission-critical physical and virtual infrastructure whose failure could cause security and other problems.

A full readout of what constitutes DFARS’ CUI is here. Read through it and determine if you handle any of that data as a DoD contractor. If you do:

Step Two: If You Need to Comply, How Do You Do It?

If you’ve read the readout and you’re a DoD contractor who works with any of that data, then you have to conform to the National Institute of Standards and Technology (NIST) Special Publication 800-171 data security provisions that are compiled here: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

That document begins: “The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations.”

So you as a contractor have to prove to the DoD that you are complying with these standards in a way that indicates to DoD that you understand and prioritize that paragraph.

The document covers 14 specific data security areas:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

The standards themselves are really a set of best practices and are performance-based, so the only thing a contractor must prove is that the CUI it handles is secure. Most businesses probably have some of these checks in place, but, as you can see, this is complicated stuff that requires cybersecurity professionals to make sure that your company is compliant with these new standards.

There is some flexibility built into these standards that allows data security professionals like Kimmell Cybersecurity to design and implement personalized solutions for SP 800-171 conformance.

Let us look at your system and make sure that you’re in full compliance with DFARS.