This article is part of the Twingate Infosec Compliance Series. Written for IT admins, security ops, and anyone else tasked with implementing infosec requirements imposed by compliance standards, this series explains common standards, how they relate to information security, and how to get started with attaining compliance. This article discusses a law but is not legal advice. Consult a qualified advisor to understand how GDPR may apply specifically to your organization.
What is GDPR and who does it apply to?
GDPR, short for General Data Protection Regulation, is a European Union regulation that came into effect on May 28, 2018. GDPR is a comprehensive privacy law that regulates how organizations handle personal data.
“Personal data” is broadly defined as any information that relates to an identified or identifiable person. It’s not limited to obvious “identifiers” like names or email addresses. Information that can be tied back to an identifier, which could include something like a person’s favorite color or search history, also counts.
GDPR is far-reaching. It would be a mistake to think that GDPR doesn’t apply to you just because your company doesn’t have an office in Europe. While this is an oversimplification, you can generally think of GDPR as probably applying to you if: (a) you have operations physically located in the EU, such as an office, employees, or servers; or (b) you process personal data of EU residents in connection with the sale of goods or services, or the monitoring of behavior occurring in the EU. The second limb sweeps up a lot of companies that do business over the internet globally.
Additionally, if a customer who is regulated by GDPR shares personal data from their customers with you, they may be required to pass on to you, via contract, the obligations that GDPR imposes on them.
Why GDPR matters
GDPR is an important law in the EU, which regards privacy as a fundamental human right. If GDPR applies to you, compliance is legally required. A company that touts “we comply with GDPR” is like a taxi driver advertising “I comply with road signs.” Compliance is mandatory and you should not expect anything less.
GDPR is typically enforced by data protection authorities in each EU country. Their powers include auditing companies, demanding remediation of non-compliance, restricting further processing of personal data, and — this is the one that normally gets people’s attention — levying fines of up to 4% of a company’s global annual turnover (although in practice fines seldom reach the maximum). Violations may also expose businesses to lawsuits from individuals who were harmed by the violation.
Violating GDPR can also damage a business’s reputation and make doing business in Europe more difficult.
Who’s responsible for GDPR compliance?
Inside a company, GDPR compliance is typically spearheaded by the legal team or the privacy team, if one exists.
Infosec requirements under GDPR
Security is a key part of GDPR. After all, it’s in the name: data protection. Security is primarily mentioned by GDPR in two sections (emphasis added):
Article 5: “Personal data shall be … (1)(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Article 32: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk … In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
Security under GDPR encompasses all aspects of security — not just protection against malicious actors, but also service availability, data integrity, and disaster recovery. However, GDPR is completely non-prescriptive when it comes to how security measures are implemented. GDPR requires “appropriate technical or organizational measures” that take into account “the state of the art,” implementation costs, the nature of the processing activity, and risks to the individual. You won’t find any mention of password complexity requirements, or server hardening, or intrusion prevention systems in GDPR.
This is by design. This phrasing acknowledges both that security standards evolve over time, and that security is about risk management — not risk elimination — and therefore is very context-dependent. One example is that 10 years ago, SSL/TLS was arguably not a standard security measure for websites, whereas today it’s universally expected.
The flipside of this flexibility is ambiguity. You will be tempted to ask your lawyers: “So what does ‘appropriate’ security actually mean? Is what we’re doing good enough?” But as an IT security expert, you are actually much better placed to make that call and should feel empowered to do so.
You keep up with what’s happening in the industry (i.e. what the “state of the art” is), you know how much it costs to implement security measures (in terms of time, money, and other resources), and you know how to strike the right balance for your business. A good way to think about it is, if you were to ask your peers in other companies, or other security experts in the industry to critique your security program, what would they reasonably say?
It’s interesting to note that data protection authorities in Europe don’t only employ lawyers. For example, the Irish Data Protection Commissioner (who regulates some of the best-known global technology companies) is known for having many “technologists” on staff.
The other aspect of GDPR is what’s known as the “accountability principle,” which requires organizations to “be able to demonstrate compliance,” in addition to actually being compliant. Demonstrating compliance generally means being able to provide evidence through documentation or other written records. Written infosec policies and procedures, and records that show they were carried out (e.g. filed and closed JIRA tickets) must be a part of your security program.
Other GDPR requirements that might impact you indirectly include data breach notification obligations, and rights that individuals (known as “data subjects”) have over the personal data that you’ve collected about them, such as erasure, access, and data portability. Those rights extend not only to customer data you handle yourself, but to customer data that your downstream service providers handle for you — this may require you to work with them to complete data subject requests.
How Twingate helps with GDPR compliance
Twingate is a Zero Trust Network Access (ZTNA) solution that provides secure access to private network resources. As we’ve mentioned previously, access controls are a cornerstone of infosec programs: to ensure data is handled as intended or permitted, you must first ensure the right people have access to the right data, in the right context. And conversely, no one else should have access.
“State of the Art”. Traditional remote access technologies like VPNs are increasingly plagued with security problems in today’s “work from anywhere” world. For example, the principle of least privilege cannot truly be achieved with VPNs, which grant users access to entire networks. ZTNA solutions are clearly the future ("zero trust" was even mentioned 11 times last month in this Presidential Executive Order on public sector cybersecurity). However, adoption has, until Twingate, been slow because of how difficult ZTNA has been to deploy in an organization.
Twingate brings a simple way for organizations to progress to ZTNA, no matter their size. Offering least privilege access by default, Twingate allows fine-grained access to be granted at the port level. With Universal 2FA, Twingate also enables multi-factor authentication to protect any resource or service on a private network — not just applications.
Twingate is tailor-made for the modern workforce. Modern workforces are fluid, with companies having a mix of employees and transient contractors who increasingly work remotely using a variety of devices — not all of which are company-issued. These highly dynamic environments demand a solution that makes it possible for IT teams to keep up, and Twingate delivers on that by creating a one stop shop for managing access across the entire enterprise network via an intuitive admin console.
Implementation & maintenance costs. Upgrading to a state of the art solution doesn’t mean paying through the nose. Twingate is a software-based solution that doesn’t require any capital expenditure on hardware appliances or other equipment. Twingate makes deployment painless for busy IT teams: no changes to existing network infrastructure are required, and end users can install and set up Twingate on their devices without any hand-holding from help desks. Twingate’s APIs also allow common tasks like provisioning and deprovisioning users and resources to be automated.
As your organization grows, adding more users is easy. And because Twingate takes care of scaling for you, you don’t need to worry about managing performance issues or outgrowing the solution.
Accountability. Twingate provides you with a single source of truth for managing, reviewing, and auditing access controls. Additionally, Twingate’s identity-indexed logging and analytics provide admins with unparalleled visibility and written records of activity across the entire network, assisting organizations with their security monitoring and auditing needs.
Contact us to learn more about how Twingate can help you to comply with GDPR’s security requirements.