GDPR, the General Data Protection Regulation 2016/679 of the European Union, will go into effect on May 25, 2018. It is a piece of legislation that will affect all EU member states and it is designed to address issues regarding the safe storage and responsible use of EU citizenry’s personal data. In fact, it will affect any business or individual handling the data of EU citizens, regardless of where that business or individual is based. If you provide any kind of service or product to individuals it is likely that you are handling EU citizen data and therefore must become compliant with GDPR.
This new regulation represents a tightening of the data protection laws. The new regulation requires far faster responses to data breaches (within 72 hours), and the maximum penalty for breaching the legislation has increased by over four times to twenty million euros or four percent of a business’s annual global turnover, whichever is higher. In addition, GDPR will unify the processes by which EU countries regulate their data security. This will ensure breaches are easier to report, investigate and respond to the new supervisory authorities being introduced.
What does this mean, in practice? Let’s take a look at GDPR article 25, for instance, which calls for “privacy by design”. This means that privacy measures should be considered and incorporated into products and services as they are being developed. For example, data controllers (those keeping and manipulating data) to conduct “privacy impact assessments” in certain situations where there is a high risk of data exposure or misuse. GDPR encourages organisations to pseudonymise personal data to greatly reduce the impact of these breaches. As most data servers are powered by one Linux distribution or the other, it is important to know what security measures you can take to improve security.
Technical implementations of the EU policy are not discussed in the regulation, meaning there is no official guide on how to ensure Linux systems are GDPR compliant. So how do you ensure compliance? Dealing with breaches is one of the most important topics covered in GDPR. As such, event logging should be configured to detect any possible breaches or notable activity, like failed login attempts. It is important to note that any logging should be stored remotely to prevent the files from being accessed during breaches.
In the event of a breach, data could possibly be stolen, changed or removed. In such an event, it is incredibly important to keep backups of your database. This is both so you can compare the compromised and original databases to identify any malicious changes, and so you can restore your database to an unedited variant previous to the breach which will allow you to continue running your business smoothly.
Ensure that your operating system and all programs handling the data or granting access to the data are patched and up to date. You should also go about setting up a network firewall to prevent a small breach from quickly spreading to and accessing other associated systems.
GDPR compliance is incredibly important, not only to avoid the fines, but to keep your consumer-base safe and confident. Retention of data under GDPR requires an active statement of consent, as such any serious data breach and loss of customer confidence in your business could lead to dwindling customer data records, making it a lot harder to run a business. To avoid this keep researching GDPR, increase your transparency with customers where possible and ensure you maintain your security standard when you reach compliance.