Why you need to start taking data protection seriously - and how ESET can help

What is GDPR?

Are you GDPR-compliant?

In May 2018, a new EU-wide data protection regulation comes into force.

If it affects you, you will need to start thinking about compliance now. This site is designed to help you understand the GDPR, quantify the requirements, and offer solutions. The General Data Protection Regulation (GDPR) will affect every organization in Europe that handles personal data of any kind. It will also affect any company that does business in the EU. The rules are complex and fines for non-compliance are significant (up to €20 million).

But you are in the right place to learn more!

Online compliance check

Does your organization comply with the regulation?

Complying with GDPR, step by step

The implications of the GDPR are complex, so we have broken down the compliance process into three groups of measures that you should consider, subdivided into various areas of more detailed explanation. Just click on the bars in the diagram below to examine these areas at your convenience.

In summary

Some of the principles set out in the GDPR are a continuation of those set out in the existing Data Protection Directive, namely: fairness, lawfulness and transparency; limitation of purpose; data minimization; data quality; security, integrity and confidentiality.

The GDPR establishes a new accountability principle by making data controllers responsible for demonstrating compliance with the principles. The GDPR also adds new aspects to the existing data protection principles, as follows:

Lawfulness, fairness and transparency – Personal data must now be processed in a transparent manner in relation to the data subject.

Limitation of purpose – With some caveats, archiving of personal data which is in the public interest will not be considered incompatible with the original processing purposes.

Storage – Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Accountability – The data controller becomes responsible for, and must be able to demonstrate, compliance with the principles.

Organizational structure requirements

Under the GDPR, you must implement a wide range of measures in order to ensure that you reduce the risk of breaching the GDPR and to allow you to prove that you take data governance seriously. Among the necessary accountability measures are: Privacy Impact Assessments, audits, policy reviews, activity records and (potentially) appointing a data protection officer (DPO).

The GDPR introduces the obligation for certain organizations to appoint a Data Protection Officer (DPO). Such organizations must appoint either a staff member or an external consultant as their DPO.

If you are a marketer with a large consumer database, you will probably need to appoint a DPO; national data protection authorities are expected to provide guidance on who qualifies.

Your DPO will be responsible for monitoring compliance with the GDPR, advising you of your obligations, advising on when and how a privacy impact assessment should be carried out, and acting as the contact point for enquiries from national data protection authorities and individuals.

The concept of a one-stop shop allows an organization which is established in several EU countries to deal with only one national data protection authority, although the rules for determining which DPA should take this role, and how it would handle complaints, are complex in some cases.

Processes, procedures and policies

The GDPR redefines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

This is a broader definition than before and does not take into consideration whether the breach creates harm to the individual. If you suffer a data security breach, you must inform your national data protection authority immediately, or no later than 72 hours after discovering the breach.

However, you are exempted from notifying individuals if you have implemented appropriate technical and organizational measures to protect the personal data, such as encryption.

An important part of complying with the GDPR is privacy by design, i.e. designing each new process or product with privacy requirements front and center. This approach, while previously best practice, is now an explicit requirement.

A data protection impact assessment, also known as a privacy impact assessment (PIA), is intended to identify and minimize non-compliance risks.

The GDPR makes PIAs a formal requirement; specifically, controllers must ensure that a PIA has been run, before it begins, on any “high risk” processing activity.

If you operate internationally, your rules and processes for transferring data to non-EU jurisdictions will be a significant consideration, as the penalties for non-compliance or transfer of data to jurisdictions not recognized (by the European Commission) as having adequate data protection regulation will become much more severe under the GDPR.

Awareness of data security

Now is the time to start explaining the need for GDPR compliance to your own employees. You may already need to start planning revised procedures to deal with the GDPR’s new transparency and individual rights provisions. This could have significant financial, IT and training implications.

Accountability – technical measures

The GDPR makes controllers responsible for demonstrating compliance with its data protection principles, so you will need to make sure that you have clear policies in place to prove that you meet the required standards by regularly monitoring, reviewing and assessing your data processing procedures, building in safeguards, and ensuring that your staff are trained to understand their obligations – and be ready to demonstrate this at any time, when required to do so by your national data protection authority.

Data breach – technical measures

You must prepare for data security breaches (defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”) by putting clear policies and tested procedures in place, so as to ensure that you can react to, and where required notify, any data breach.

Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

Ensure data subject rights – technically

The GDPR strengthens the rights of data subjects, for example by adding the right to require information about data being processed about themselves, access to the data in certain circumstances, and correction of data which is wrong.

One of the main aims of the GDPR is to bolster the rights of individuals. As a result, the rules for dealing with subject access requests will change, and you will need to update your procedures to reflect this.

In general, you will not be allowed to charge for complying with a request; also, you will typically have only one month to comply (the current limit is 40 days).

The right to be forgotten (‘erasure’ in the terminology of the GDPR) allows individuals to require data controllers to erase their personal data without undue delay in certain situations, for instance where there is a problem with the underlying legality of the processing, or where they withdraw consent.

Third parties with whom you share individuals’ data are also covered by these rules.

The GDPR defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”; however, there is some ambiguity about how data subjects’ right not to be subject to decisions based on profiling will be enforced.

The GDPR introduces a new right to data portability. This goes beyond individuals’ existing right to require that you provide their data in a commonly used electronic form, and requires that the controller provide the information in a structured, commonly used and machine-readable form.

There are some limits to this rule, for instance it only applies to personal data processed by automated means.

As part of its aim to bolster the rights of individuals, the European Commission is also granting a right to restrict certain processing and a right to object to personal data being processed for direct marketing purposes, including profiling activities for direct marketing purposes.

Once an individual objects, their data must not be processed for direct marketing any further and the individual’s contact details should be added to an in-house suppression file.

Organizations must inform individuals about their right to object to the processing of their data in a way which is explicit and separate from other information which they must also provide to individuals.

Communicating privacy info (consents, fair processing notices)

You may need to review how you seek, obtain and record consent; a data subject’s consent to processing of their personal data must be as easy to withdraw as to give, and must also be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes or inactivity.

The GDPR grants special protections when it comes to the handling of personal data pertaining to children, particularly in relation to commercial internet services like social networking.

Online, prior parental consent is required for the use of personal data of anyone under 13 years of age; Member States can set their own rules for those aged 13 to 15. If they choose not to, parental consent is required for children under 16 years of age.

As a result, you should start thinking about how to implement robust systems to verify individuals’ ages and to gather parents’ or guardians’ consent to process such data.

Consent must be verifiable, and when collecting children’s data your privacy notice must be written in language that children will understand.

The GDPR will probably increase the range of things you have to tell data subjects, for instance your legal basis for processing their data, your data retention periods and their right to complain to their national data protection authority if they think there is a problem with the way you are handling their data; note that the GDPR requires this information to be provided in concise, clear language.

Data security (integrity and confidentiality)

The GDPR sets out data security principles similar to those in the current directive, including: fairness, lawfulness and transparency; purpose limitation; data minimization; data quality; security, integrity and confidentiality.

You must ensure that personal data is processed in a manner that ensures its security, including protection against unauthorized or unlawful processing, and against accidental loss, destruction or damage: “The organisation and any outsourced service provider shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk”.

The regulation suggests a number of security measures which can be used to achieve data protection, including: pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring personal data processing security.

The GDPR specifies encryption as one approach that can help to ensure compliance with some of its obligations. To quote from the regulation:

Article 32 – Security of processing

“1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controllers and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data […]”

Article 34 – Communication of a personal data breach to the data subject

“3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption […]”

Data documentation, legal basis and audit

You should document what personal data you hold, where it came from and with whom you share it.

If you have inaccurate personal data and have shared this with another organization, the GDPR requires that you tell the other organization about the inaccuracy so that it can correct its own records. To do this may require an information audit across your organization or within particular business areas. This will also help you to comply with the GDPR’s accountability principle.

Under the GDPR, you should examine how you process personal data and identify the legal basis on which you carry out and document these processes.

This is necessary because some individuals’ rights will be modified by the GDPR depending on your legal basis for processing their personal data. One example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing. However, consent is just one of a number of different ways of legitimizing processing activity and may not be the best (as it can be withdrawn).

The information presented on this webpage does not constitute a legal opinion, and users should not rely on its accuracy when making financial or business decisions. ESET will not be liable for outcomes resulting from such actions. Always seek independent legal advice.

Join our GDPR webinar

Talk to our experts about how the new General Data Protection Regulation will affect your business. ESET is hosting webinars to explain the issues around the GDPR. These webinars are free to attend: just sign up below and we’ll invite you to the next event.

Encryption as a solution?

What is encryption?

Encryption is the process of encoding information in a way that prevents unauthorized parties from being able to read it.

Key length and encryption strength

Encryption strength is most commonly equated to key length (bits) and the encryption algorithm used. The simplest way to defeat encryption is to try all the possible keys. This is known as a brute-force attack, but longer keys have made this approach ineffective.

To brute force a 128-bit AES key, every one of the roughly 7 billion people on Earth would have to check 1 billion keys a second for around 1.5 trillion years to test every key.

So attackers do not typically try to reverse-engineer the algorithm or brute-force the key. Instead, they look for vulnerabilities in the encryption software, or attempt to infect the system with malware to capture passwords or the key as they are processed.

To minimize these risks, you should use an independently validated encryption product and run an advanced, up-to-date anti-malware solution.

How does it work?

Encryption is applied, most commonly, in two different ways:

Encrypted storage – often referred to as ‘data at rest’ – is most commonly used to encrypt an entire disk, drive or device.

This type of encryption becomes effective only once the system is stopped, the drive ejected or the encryption key blocked.

Encrypted content – also referred to as granular encryption – means, typically, encrypting files or text at the application level.

The most common example is email encryption, where the message format must remain intact for the email client application to be able to handle it, but the text body of the email is encrypted along with any attachments.

What do I need from encryption?

While key length and the range of software features are important, they do not tell you how well a product will perform from the user’s point of view – or from the administrator’s.

FIPS-140 Validation

The most widely accepted independent validation is the FIPS-140 standard. If a product is validated to FIPS-140 then it is already more secure than most situations demand and will be acceptable under the GDPR and other regulations.

Ease of use for non-technical users

There will always be situations where your employees will need to decide whether or not to encrypt a document, email, etc. It is vital that they are able to use the software provided and can be confident that encrypting data will not lock them – or authorized recipients – out.

Remote management of keys, settings and security policy

To avoid staff having to make security decisions, encryption can be enforced everywhere – but this tends to restrict legitimate business processes and can stifle productivity. The inclusion of a remote management capability – one that allows changing of encryption keys, functionality or security policy settings for remote users, who typically represent the biggest security issue – means that the default settings for enforced encryption and security policy can be set higher without limiting normal processes elsewhere in the business.

Management of Encryption Keys

One of the biggest usability challenges is how users are expected to share encrypted information. There are two traditional methods:

Shared passwords, which suffer from being easy-to-remember-and-insecure or impossible-to-remember-and-secure-but-written-down-or-forgotten

Public-key encryption, which works well across smaller workgroups with no or low staff turnover, but becomes complex and problematic with larger or more dynamic teams.

Using centrally-managed, shared encryption keys avoids these problems, with the added bonus of mirroring the way that physical keys are used to lock our houses, apartments, cars, etc. Staff already understand this concept, and it only needs explaining once. Coupled with a premium remote-management system, shared encryption keys strike the optimum balance of security and practicality.

Quick Guide
to the EU GDPR

Are you ready to comply with new data regulations? The EU’s new GDPR explained.

Is GDPR good or bad news for business?

Willing to learn more about the most important changes introduced by GDPR and their practical implications? The pros and cons of reform for business.

Download Free Guide
