Arshad Noor - Jun 01, 2020

A Quick Guide to Addressing CCPA and GDPR: A StrongKey and VerSprite Collaboration


For good or bad, the age of data privacy and security legislation is upon us. New York, India, Washington, Nebraska, and Ecuador are but a few of the governments that have drafted their own legislation following the lead of the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

There have been over 250 final and binding GDPR fines valued at more than $165 million since enforcement began in May 2018. CCPA enforcement begins July 1, 2020. Considering that the CCPA gives consumers the right to bring lawsuits, it’s fair to assume the consequences of non-compliance should be taken seriously.

With decades of expertise and a deep understanding of data privacy and data protection issues and compliance, StrongKey and VerSprite collaborated on a simple, straightforward guide to addressing these privacy laws.

This guide will address the following questions:

Where should you start to address the CCPA and GDPR regulations?

First, you need to know the basics of the data privacy and security laws including key terms and the primary principles.

For example, a key term in GDPR is “personal data” or what is often more specifically called “personally identifiable information” (PII). Tony UcedaVélez is the CEO and Founder of VerSprite, a leading global cybersecurity consulting firm. Speaking to the importance of understanding exactly how the key terms are defined, VerSprite says:

“Historically, you had ‘personally identifiable information,’ and it was pretty clear to determine what that was: unique identifiers — things like social security numbers and bank account numbers. What’s happened is that the definition of ‘personally identifiable information’ has broadened, and it might be different depending on the regulation. For example, in some cases, information such as IP addresses and biometrics are now starting to be classified as personal — understanding where the data is, is such an important component, and then understanding how that data is classified. So how it relates to regulation and the definition is a very important component, because then that starts defining what's in scope from a privacy perspective.”

The GDPR outlines seven principles ranging from data minimization to integrity and confidentiality (security). The CCPA outlines four new rights, ranging from the right to know what personal information is collected to the right to opt out of the sale of personal information. Familiarizing yourself with these basics at the beginning of your compliance journey will pay dividends when you’re ready to dig into the details of the regulations.

With this foundational knowledge under your belt, the next step is to assess your current data collection and management processes. A heads up that this may be more complex than you expect. Even large multinational organizations that are used to adapting to new regulations are struggling to comply with CCPA and GDPR. One of the primary challenges is that companies of all sizes across industries don’t know what’s happening within their own organizations.

VerSprite explains:

“The main problem that any organization has when facing privacy regulations is determining ‘Where's my data? Where is it going? And what am I using it for?’ Understanding where your data is, not just in terms of where it's statically found, but also where it’s going and how can you fulfill anonymization techniques and encryption, is going to be key. Data discovery is going to be an essential part to the onset of addressing CCPA and GDPR issues.”

Finally, as you’re starting to figure out how to comply with these new data protection and security laws, consider how you can incorporate the intent of the laws. Think of this as privacy by design. For example, consider what PII is really needed to run your business. The less data you collect, the less there is to secure. And arguably, your users will have greater confidence in your business if they see that you’re building your business with security and their privacy in mind.

And viewing PII through the lens of enabling data privacy often offers the opportunity to minimize the use of PII or to anonymize it – both great options to consider as part of your compliance strategy.
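An added example, not from the original article or from StrongKey or VerSprite: a small discovery pass that flags fields holding the identifiers named above (social security numbers, IP addresses), then drops the PII fields the business does not need and replaces the rest with keyed pseudonyms. The field names, sample records and the `needed` set are constructed for illustration; HMAC pseudonymization is a stand-in for the anonymization the text mentions and is weaker than full anonymization.

```python
import hashlib
import hmac
import ipaddress
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US SSN written as 123-45-6789
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")  # candidates, validated below

# Constructed sample records, not real data.
SAMPLE = [
    {"user": "u1", "note": "SSN 123-45-6789 on file", "src": "203.0.113.7", "build": "300.1.2.3"},
    {"user": "u2", "note": "called support", "src": "198.51.100.20", "build": "300.1.2.4"},
]


def classify(value):
    """Return the set of PII categories found in one field value."""
    text, found = str(value), set()
    if SSN_RE.search(text):
        found.add("ssn")
    for candidate in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(candidate)  # rejects look-alikes such as 300.1.2.3
            found.add("ip_address")
        except ValueError:
            pass
    return found


def discover(records):
    """Data discovery: map each field name to the PII categories seen in it."""
    inventory = {}
    for record in records:
        for field, value in record.items():
            hits = classify(value)
            if hits:
                inventory.setdefault(field, set()).update(hits)
    return inventory


def minimize(record, inventory, needed, key):
    """Drop PII fields outside `needed`; pseudonymize the rest with HMAC-SHA256.
    `key` is assumed to come from a key store kept apart from the data."""
    out = {}
    for field, value in record.items():
        if field not in inventory:
            out[field] = value  # no PII detected, keep as is
        elif field in needed:
            out[field] = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
    return out
```

Pattern matching of this kind only finds identifiers with a recognizable format; free-text names, biometrics and similar data need other discovery methods.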

What is the difference between data protection and data privacy?

Security and privacy do not always overlap. Security can exist without privacy, but privacy does not exist without security. UcedaVélez goes on to say that if companies are to deliver privacy for PII, they must identify what’s important to privacy, beginning with determining whether there is a legitimate need to involve PII in the first place. Provided this need is established, companies should deliver a means of consent and clear understanding from the identifiable entity — typically the consumer — and then design to enable these factors. This means securing the data and the means to control it at every step.

In the words of Arshad Noor, CTO of StrongKey:

“... data needs to be addressed; first, the security and privacy of data before the business functionality can be released. Taking data into account, applications can be designed very differently to address whether it violates people's notions of privacy even if there is a law or no law against it. But clearly the laws are starting to become more and more prescriptive.”

Applications will start to be designed with this in mind, adding functionality that promotes privacy and security, so that if laws are put in place, companies can already be compliant beforehand.

How does one map out data protection?

To start, an organization needs to know what sensitive data it has and the systems, people, and processes that touch the data. This meta-awareness is part of what is called a Data Privacy Impact Assessment (DPIA).

A DPIA is the means by which businesses determine how data passes through their systems, processes, and personnel to know where and when to put protective measures in place. VerSprite recommends sequencing the journey as the best method:

  • Creation or introduction of data
  • Minimizing interaction with the data, both from people and electronics
  • Specifying the system components (including people) and applications that handle it
  • Removal and destruction of the data

Following the assessment, it’s time to establish the protective measures required to secure the data. The most important security concept here is key management, or how the encryption keys — the keys to unlocking encrypted data — are protected. While many companies manage their keys in the cloud, using the cloud for key storage is a significant security risk with profound implications should a breach occur. The 2019 Capital One data breach that exposed over 100 million credit card customer records is a clear example. Capital One used AWS cloud storage for their key management as well as to store their encrypted data. A hacker was able to exploit the lack of a web application firewall, allowing her to steal the encrypted customer records and then decrypt those records.

Noor and UcedaVélez agree that regardless of its specific infrastructure, key management requires planning for the following:

  • limiting access to the keystores
  • controlling the flow of data appropriately
  • making certain all angles of attack have been examined with a mind towards prevention and contingency

In addition to keeping key management out of the cloud, consider that storing any sensitive data in the cloud poses enormous risk. Cybersecurity experts agree that the vast majority of cloud-based data breaches are due to human error, typically misconfigurations. While keeping all sensitive data completely out of the cloud is ideal, for those who do keep sensitive data in the cloud, putting security protocols in place is just the beginning. Humans make mistakes. It is important to implement processes that check, monitor, and update configurations on a continuous basis.

In summary, the core components are understanding where the personal information is and who needs to interact with it. The sequence covers the major components, systems, people, and methodology from start to finish.

How do companies foment an integrated approach to align stakeholders?

It is helpful to couch the idea of data security in terms of risk assessment rather than as a check box to periodically meet compliance. This helps maintain an integrated, multi-departmental effort instead of a siloed approach.

Breach disclosure laws began as reactive but didn’t stem the tide of breaches. Newer regulations are an attempt to help businesses get ahead of the problem. A question that plagues Noor:

“With all the brain power aimed at solving the issues, why do they persist in such volume?”

Only recently have executives begun to prioritize the idea of backing a tighter security model, both regarding office policies and in design planning. Preemptively placing security into the core of application design alongside functionality and ease of use considerations is key. And replacing passwords and other older security technologies will help close the gaps that allow breaches to continue unabated. Security must be addressed up front, rather than reactively; it is not an afterthought, and affects all levels of business.

How can we get ahead of the problem?

Klaus Schwab, the founder and executive chairman of the World Economic Forum, said in 2015, “This is the new world, it's not the big fish, which eats the small fish, it’s the fast fish which eats slow fish.” The importance of encryption as a preemptive measure is emerging as the ‘fastest fish’ response. Regulations like CCPA set the precedent for impromptu privacy audits that test the protective measures a business uses for PII; if those measures are found wanting, consumers will have the option to sue.

Architecture shifts over the evolution of computer systems have gone from single-machine to multi-machine to client-server methodologies, and then to the Internet. Each shift was a disruption in its own right. Data security and privacy comprise yet another such disruption, one which deserves the same level of attention as previous shifts in the industry. These newer privacy regulations are showing responsible leaders that data privacy and security are good practices for everyone, both internally at a company and externally for shareholders and customers alike.

To find out more about encryption technologies being used to secure industry PII, or to learn more about the speakers who inspired this article, visit strongkey.com and versprite.com.
