Industry Observations

Data Officers and the GDPR

IDC predicts that by 2020, data breaches will affect nearly 25% of the world's population. In April 2016 the European Parliament and Council adopted the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which governs how personal data is collected, processed and stored and what consent is required to use it. The regulation becomes enforceable on 25 May 2018.

Who does it affect? GDPR applies to any organisation, inside or outside the E.U., that offers goods or services to people in the E.U. or monitors their behaviour; whether those people hold E.U. citizenship is irrelevant. It is therefore likely that your organisation must comply with GDPR. The question many now face is how.

Protecting and securing data isn't about creating a veil of secrecy. It's about breaking down silos between NetOps and DevOps to identify where data comes from and how it flows from the customer, through the applications, into databases, and back out again to other applications and APIs. The job of the Data Protection Officer (DPO), which GDPR makes mandatory for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of sensitive data, is to find out where the data lives and how it moves, and to assign responsibility for keeping the data of employees and customers safe both in motion and at rest.

Payment data, PII and HR records are handled daily throughout most organisations. How do you find all the points where that data enters and leaves your systems? Do you know how your applications, both web and mobile, handle sensitive data? Do they implement authentication according to secure-coding best practices? Do you enforce a strong password policy across the enterprise? (According to Verizon, about 40% of attacks are directed against web applications, and over 80% of hacking-related breaches used weak or stolen passwords.[i])

GDPR isn't just about finding data and making sure it's secure; the regulation requires organisations to understand the context in which data is used, and to be able to demonstrate that everything reasonable is being done to protect the data and the rights of the data subject. That is where application security testing comes in.

WhiteHat Sentinel lets you track each application down to the developer and the DevOps team that owns it, and gives you a cross-application view of your security index to help prioritise remediation or mitigation where data is at risk. With Sentinel Dynamic and Sentinel Source application security testing, your Data Protection Officer can document ownership for every application and establish a clear line of responsibility for finding, tracking and remediating the vulnerabilities that could lead to a data breach.

Compliance is an ongoing obligation, not a one-time penetration test. Let WhiteHat help your Data Protection Officer make application security part of the wider cyber-security measures in your end-to-end compliance programme.


[i] Verizon, 2017 Data Breach Investigations Report, executive summary: https://www.knowbe4.com/hubfs/rp_DBIR_2017_Report_execsummary_en_xg.pdf