General Data Protection Regulation

WHAT IS THE GDPR

The General Data Protection Regulation is a pan-European data protection law. It gives EU citizens more control over how their personal data is processed and places a range of new obligations on organisations that process and control the processing of personal data.

The Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.


Any organisation processing European citizens’ data needs to comply with the General Data Protection Regulation (GDPR).

Article 3 of the Regulation defines the territorial scope as:

  • This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
  • This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
    • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
    • the monitoring of their behaviour as far as their behaviour takes place within the Union.
  • This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

In July 2019, the ICO announced its intention to issue a €204.6 million (£183.39 million) fine to British Airways for violation of Article 31 of the GDPR.


Information Commissioner’s Office
https://ico.org.uk

The General Data Protection Regulation sets out seven key principles:

  1. Lawfulness, fairness, and transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

These principles should form the core of your data processing policies and approach to handling personal data.



The GDPR defines a mandatory breach disclosure time constraint: a breach must be reported within 72 hours of its discovery. It also allows potentially hefty fines of up to 4% of global turnover for any organisation that has not shown due care for its customers’ data.

At first glance, the GDPR appears to make no mention of penetration testing. However, Article 32 does require:

“(d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

Laneden can help build a programme of works that gives your organisation regular security testing, an understanding of how effective your technical controls are, and clearly defined security risks with agreed mitigations.

We provide a thorough and independent examination to identify security vulnerabilities within your software, systems, and network configurations.

Laneden can provide an on-site debriefing of the findings, explaining how attackers could potentially gain control of your systems and exfiltrate data.

A comprehensive report is written containing an executive summary that is consumable by anyone in the organisation regardless of their technical background, along with enough detail to allow you to understand the risks and concise, clear guidance on how to either mitigate or remediate them.

“People’s personal data is just that – personal.

When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience.

That’s why the law is clear – when you are entrusted with personal data you must look after it.

Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

Elizabeth Denham, ICO
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/


Methodology

Using a combination of automated and manual testing, our consultants will conduct a thorough assessment of your infrastructure, identifying vulnerabilities that may be exploitable by both authenticated and unauthenticated users across your network.

The use of automated tools and in-depth knowledge of manual testing allows us to accurately and effectively assess your infrastructure, maximising the time available.

Assessments are conducted in line with the current standards and methodologies utilised in the industry, such as those outlined in the Penetration Testing Execution Standard (PTES). Using PTES as guidance, Laneden defines our approach in six phases:

  • Pre-engagement
  • Intelligence Gathering
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting


Deliverables

  • Our consultants engage with the client to discuss the scope and make certain all is in order prior to the assessment beginning.
  • Communications at the beginning and end of each assessment day, confirming that the assessment is starting or ending for the day.
  • Ongoing communications from the engaged engineer, highlighting any major issues as they come across them.
  • A comprehensive report containing an executive summary which gets right to the point of the associated risks and is consumable by anyone in the organisation regardless of their technical background.
  • Clear and concise information describing each issue found.
  • Technical references where relevant, allowing you to gather more information on the vulnerability if required.
  • Each vulnerability put into context and given a risk-based score. Using CVSS 3 scoring together with relevant context gives you a real picture of each associated risk.
  • Simple remediation advice stating what is required to remediate the relevant vulnerability.


FREQUENTLY ASKED QUESTIONS

WHAT ARE THE KEY GDPR PRINCIPLES

Article 5 of the GDPR sets out seven key principles that lie at the heart of the general data protection regime.

Article 5(1) requires that personal data shall be:

  • Processed lawfully, fairly, and transparently in relation to individuals (‘lawfulness, fairness and transparency’);
  • Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  • Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of the appropriate technical and organisational measures required by the GDPR to safeguard the rights and freedoms of individuals (‘storage limitation’);
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Article 5(2) adds that:

    1. The controller shall be responsible for and be able to demonstrate compliance with p


For further details, please refer to the Information Commissioner’s Office website.


HOW DO I BECOME GDPR COMPLIANT

In 2018, the European Union enacted new legislation to protect its citizens’ personal data, potentially affecting every organisation worldwide.
The Information Commissioner’s Office has suggested the following 12 steps in preparing for GDPR compliance.

  • Awareness
    You should make sure that decision-makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

  • Information you hold
    You should document what personal data you hold, where it came from, and who you share it with. You may need to organise an information audit.

  • Communicating privacy information
    You should review your current privacy notices and put a plan in place to make any necessary changes in time for GDPR implementation.

  • Individuals’ rights
    You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

  • Subject access requests
    You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

  • Lawful basis for processing personal data
    You should identify the lawful basis for your processing activity under the GDPR, document it, and update your privacy notice to explain it.

  • Consent
    You should review how you seek, record, and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

  • Children
    You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

  • Data breaches
    You should make sure you have the right procedures in place to detect, report, and investigate a personal data breach.

  • Data Protection by Design and Data Protection Impact Assessments
    You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

  • Data Protection Officers
    You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should also consider whether you are required to formally designate a Data Protection Officer.

  • International
    If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

For further details, please refer to the Information Commissioner’s Office website.