Articles on GDPR delving into definitions, clarifications on security issues, territorial scope, increased fines and so on are written daily. No one can deny the global effect of GDPR. With GDPR, citizens know their rights, they have control over their personal data, and now – GDPR has to be well-communicated by data controllers to company stakeholders. 

What is often neglected is the thought process around relations to third parties, and how these relations are binding from a business’ perspective/cyber ecosystem. 

Here are the bare essentials needed for a GDPR perspective with third party relations.

GDPR

After outdating the 1995 EC-94-46 Directive, General Data Protection Regulation (GDPR) went into effect in May of 2018, with an extended territorial scope and stricter fines. This new law was automatically binding throughout the EU on the date it became enforced [2]. Unlike its predecessor, GDPR has fines as high as 20 million Euros or 4% of annual global turnover (whichever is higher). 

Under the new rules, a company is subject to GDPR regulations if it processes the personal data of EU citizens, independent of geographical location. The definition of personal data is broad, however, it includes any data that can be directly or indirectly associated with a person. This data could be in the form of a simple name-surname, ID numbers, image records, address,  IP address, an email, a payment data, or even a cookie data.

What does GDPR say about third parties?

GDPR clearly states that all businesses and their third-parties are jointly responsible for protecting user data. The third parties come in two forms: either as a “joint-controller” or as a “data processor”, each having different responsibilities vis a vis person a.k.a data subjects.

Image Courtesy: Toa Heftiba on Unsplash

Interestingly enough, GDPR not only requires businesses themselves to implement GDPR-compliant technical and organizational measures, but also choose third parties according to their level of security compliance.

Industry-wide, businesses must conduct risk assessments a.k.a Personal data Impact Assessment (PIA) to comply with GDPR. What many don’t realize is third parties are also recursively liable for this assessment, with a clear requirement in Article 28(1) stating: 

“the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this regulation and ensure the protection of the rights of the data subject“,

it is now businesses’ responsibility to check whether their third parties are providing sufficient guarantees.

The Relation between Fines and Third Parties

From May 2018 – March 2020, the Data Protection Authorities imposed a total of 231 fines and sanctions. With the addition of GDPR, the number of fines and costs associated has increased drastically. Although this spike demonstrates increased accountability, the total number of fines issued remains low in comparison to the 144,000 complaints submitted. 

Top 10 fines given under the GDPR [1]

As filed complaints and fines continue to pile up, it is not surprising the top-two fines are due to third-party related breaches.

As the largest skimming community, Magecart hackers conducted the British-Airways data breach by leveraging a third-party library. The Magecart community used an unauthorized insertion of a third party JavaScript code. The fraudulent code aimed to steal the payment data submitted on the checkout pages and was obtained via the process and payment forms.

The Magecart hackers changed a third-party JavaScript called “Modernizr”, a JS library used to enhance interaction, in the British-Airways incident. It was updated by the Magecart hackers to collect the data submitted from the payment forms, and to deliver it to their appointed server in Romania.

Image Courtesy: Marvin Meyer on Unsplash

British Airways (BA) initially announced that 380,000 customer records containing credit card details had been confiscated during the cyber attack executed between August 21st – September 5th. According to the Information Commissioner’s Office (ICO), the incident happened after British Airways website users were diverted to a fraudulent site. Through this fake site, the attackers harvested details of approximately 500,000 customers.

A fine of £183.39 million ($230 million) was issued, and set a new record as the highest penalty to be issued from ICO under GDPR.

Holding second place in GDPR fines, Marriott data breach became sensational the moment the hospitality giant announced the breach in November of 2018. Its Starwood guest reservations database was accessed in an unauthorized manner for four years, from 2014 until September of 2018. Around 383 million records – not guests – were involved in the incident, with multiple records associated.

The data breach started at Starwood Hotels, before Marriott acquired the chain. This incident shows the importance of due diligence during M&A operations.

Point-in-time Compliance is not accurate, Make room for Continuous Monitoring!

While citizens now know their rights with GDPR and have control over their personal data, companies are still falling behind and will face difficulties when a breach occurs. British Airways was considered a PCI-compliant organization at the time of the incident. It reminds us to ask, ‘How far was British Airways from quarterly vulnerability scans and pen tests when the breach occurred?’ Attackers crafting sophisticated hacking techniques are now competing with time. This problem can only be mitigated by countermeasures that run in near-real time, such as the continuous monitoring feature of Black Kite.

6 Steps for Third Party GDPR Compliance 

  1. List all third parties you share personal data with (either in the form of a “joint-controller” or “processor”)
  2. Revise terms of agreements and policies with third parties
  3. Restrict access to personal data on a need-to-know basis
  4. Run the third-party risk assessment (PIA)
  5. Maintain records of third-party processing activities
  6. Check adherence to lawful basis or consent

HOW Black Kite CAN HELP

Comprehensive Cyber Risk Rating

Black Kite’s cyber rating can be directly leveraged in the third-party risk management process covered under Article 28 of GDPR.

Compliance Module

Knowing the cybersecurity maturity level by assessing compliance levels is a key component in reducing third-party risks. Black Kite’s standards-based approach makes it easy to estimate and assess compliance levels of third parties. Black Kite correlates cyber risk findings to industry standards and best practices. The classification allows organizations to measure the compliance level of any company for different regulations and standards including NIST 800-53, ISO27001, PCI-DSS, HIPAA,  GDPR, and Shared Assessments.

FAIR

Black Kite uses the Open FAIRTM model to calculate the probable financial impact if a third-party vendor, partner, or supplier experiences a breach. It communicates risks in quantitative and easy-to-understand business terms. Open FAIRTM has become the only international standard Value at Risk (VaR) model for cybersecurity and operational risk, meeting the criteria of “..using only processors providing sufficient guarantees to implement appropriate technical and organizational measures” of GDPR.

References

[1] https://www.accessnow.org/cms/assets/uploads/2020/05/Two-Years-Under-GDPR.pdf
[2] https://ec.europa.eu/info/law/law-making-process/applying-eu-law_en

Featured image courtesy: Image by Pete Linforth from Pixabay