Consent Control and eDiscovery: Devils in GDPR Detail

The European General Data Protection Regulation will be in force in just over 12 months: May 25, 2018. This is the date by which all EU nations must have enacted the regulation. Gartner predicts that “by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.”

GDPR will affect all EU-based companies, and all US companies that have any trade with the EU. Despite the threat of hefty non-compliance fines, Gartner is not alone in finding a lack of preparatory urgency among organizations.

“The Gartner data aligns with a survey Imperva recently conducted of IT security professionals at RSA,” Imperva’s chief product strategist Terry Ray told SecurityWeek. “Our data showed an overall lack of urgency among the IT professionals surveyed, with only 43 percent of respondents indicating that they are evaluating or implementing change in preparation for GDPR.”

An April 2017 NetApp survey that queried 750 CIOs, IT Managers and C-suite executives in France, Germany and the UK, found that around 10% of companies have yet to begin preparations. Seventy-three percent of respondents have some concern over meeting the GDPR deadline.

A new report (PDF) published Wednesday by Pierre Audoin Consultants (PAC) and sponsored by Reliance acsn also supports the idea that companies do not understand the urgent need for GDPR compliance. Paul Fisher, a research analyst and cyber security lead at PAC, suggests, “The fact that compliance and more especially, GDPR, has such a low priority among our respondents is worrying. I do not believe that they are burying their hands in the sand, more that the implications and complexity of GDPR compliance have not yet fully sunk in.”

It is tempting to believe the lack of preparedness is due to a misunderstanding of the nature of the regulation — a belief that so long as personal data is kept safe, compliance will be assured. This is not true with GDPR. “The big change is that organizations will be financially punished for violations of record keeping and privacy impact assessment obligations, and not just actual data breaches,” explains the PAC analysis.

“The increasingly empowered position of individual data subjects tilts the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data,” warns Gartner.

It is this data subject empowerment that particularly makes GDPR different and complex. Simply installing new layers of security will not ensure compliance.

Gartner suggests organizations should focus on “five high-priority changes to help them to get up to speed with GDPR requirements.” These are:

1. Check for GDPR applicability
2. Appoint a data protection officer (DPO)
3. Demonstrate accountability in all processing activities
4. Check cross-border data flows
5. Prepare for data subjects exercising their rights

The devil is in the detail of that final recommendation. In full, Gartner says, “Data subjects have extended rights under the GDPR. These include the right to be forgotten, to data portability and to be informed (e.g., in case of a data breach). If a business is not yet prepared to adequately handle data breach incidents and subjects exercising their rights, now is the time to start implementing additional controls.” An additional right is the data subject’s right to withdraw consent for personal data processing.

Compliance and security officers need to consider the effect of data subjects exercising their rights — and in particular the two issues of withdrawal of consent and the right to be forgotten.

The first issue involves the provision and withdrawal of the data subject’s consent. Implied consent and implied cessation are no longer sufficient — consent must be explicit. Being able to prove that consent was given and continues (that is, has not been withdrawn) is new and will require completely new procedures. Gartner says, “A clear and express action is needed that will require organizations to implement streamlined techniques to obtain and document consent and consent withdrawal.” One option could be the Consent Receipt Specification being developed by the Kantara Initiative — but whatever solution is adopted, maintaining the status quo is not an option.

The second issue — the right to be forgotten — requires that an organization should have absolute knowledge of where all EU personal data is stored, and be able to remove it. That is no simple task in the age of cloud and mobility.

The PAC report notes, “Compliance with GDPR will only be legally registered if an organization is able to identify exactly where data is, whether in its own data centres, in the cloud or with a third party. The data controller will be held responsible for data at all times.”

This requirement is little different from eDiscovery; but the reality is that few organizations currently have fully effective eDiscovery. Historically, the primary motivation has been litigation and the threat of litigation — with the implication that if you don’t get sued, you don’t need eDiscovery.

This will no longer be realistic. Any one of the European data subjects can request — effectively on a whim — that all data you hold on them be removed. Organizations will not merely be required to do that, they will need to be able to demonstrate that they can do that. A combination of data classification and eDiscovery needs to be in place by May of next year.

“One of the huge holes for GDPR compliance,” Skyhigh’s privacy spokesperson Nigel Hawthorn told SecurityWeek, “is third party data handling. Most organizations aren’t sure how many third parties process data for them, whether that’s an outsourcer or a cloud provider being used to crunch or collaborate on data. The Data Controller is ultimately responsible for data handling of all of their third-party data processors and needs to ensure that the data processor’s data handling procedures are robust — I am sure this will catch out a lot of people.”

The message from Gartner, reinforced by many other surveys, is that the task is more complex, and the available time much less, than many organizations realize. Hawthorn adds, “Gartner’s prediction that by the end of 2018 less than 50% of organizations will be in full compliance reminds everyone we need to accelerate our efforts now — as the regulation will have been in force for over 6 months by the end of 2018 and the risks of non-compliance can be huge.”

His advice is that “Organizations need to take an holistic approach to GDPR compliance involving teams from multiple departments, led by senior management. The Governance, Risk and Compliance teams need to lead the project but involve IT risk and security along with other teams that are heavy users of data, such as marketing and HR. Sadly, marketing, the team most likely to break the regulations, is rarely involved in the discussions.”

Related Reading: eDiscovery – An Enterprise Issue That Can’t be Ignored

Related Reading: Practical Effects of GDPR on Security Operations & Incident Response
