How to Think About GDPR as a Security Vendor

Before May 25th, 2018, thousands of companies scrambled to become compliant with a new European data protection law designed to protect individuals' rights. The rollout of the European Union General Data Protection Regulation (GDPR) placed stricter guidelines on how companies use and store personal information.

The new data protection regulations give people more control over their private data and place stronger accountability on companies by giving local competent authorities the power to oversee and enforce GDPR.

Multiple facets define GDPR, and it can become complex, so we've compiled this quick GDPR overview to help you navigate the law.

What Is GDPR?

For a fast GDPR summary: it is the strictest compliance law for keeping personal data safe. It gives EU citizens greater control over access to their personal data while restricting its use by organizations. The full regulation has 99 articles detailing the increased responsibilities of companies and organizations and the rights of EU citizens.

This is the most substantial advance in data legislation since 1995. GDPR is a legal framework that allows member countries to make minor adjustments to suit their citizenry. This adaptability is what permitted the United Kingdom to replace its 1998 Data Protection Act with the Data Protection Act 2018.

The Importance Of GDPR

Understanding GDPR legislation is critical for any organization whose operations include collecting personal data from EU citizens. The regulation affects companies both inside and outside the EU. This means any company that interacts with the data of an EU citizen, resident, or business is subject to GDPR compliance.

Because an organization might collect EU customer data, it may be subject to the provisions laid out in the GDPR articles, and by extension it may be at risk of GDPR penalties.

In the first year after GDPR was rolled out, hundreds of thousands of complaints, data breaches, and inquiries were reported, and over 100 companies received fines for non-compliance. Among them was Google, which French authorities fined 50 million euros for its lack of transparency when using personal data for targeted marketing.

Does GDPR Apply To You?

As this overview has noted, if you or your company collects or handles an EU citizen's or business's personal data, you will need to comply with GDPR. However, you may not be aware of what that private data entails. The ultimate goal of GDPR is to protect any data that can directly or indirectly be traced back to a person and reveal their identity.

Clear examples of private data that can expose a natural person (a living person, not an entity) would include:

  • Name
  • Address
  • Username
  • ID number
  • Race/ethnicity
  • Genetic data
  • Photo
  • Banking details

However, private data isn't always so obvious. A person's IP address, cookie identifiers, and even job title may be considered identifiers.

While you wouldn't necessarily consider someone's job title an identifier on its own, combined with several other pseudonymized data points it could eventually lead to a specific individual, which places it under the authority of GDPR.

GDPR & Castle Key Principles

At Castle, we make an effort to adhere to the key principles behind the new data protection regulations. In product development we take a Security & Privacy by Design approach. This means that for any new service, product, or process that involves a user's private information, privacy is considered from the initial design onward, not bolted on afterwards.

As a vendor, it's also important that we make it easy for our customers to adhere to the regulations. In our relationship with our customers, Castle is considered a "Data Processor". In other words, whenever an application integrates with Castle, the end-user data sent to us is still owned by the application; we are merely in a position to process it in order to provide our services. Because the application remains the owner of the data, it maintains the direct relationship with the end-user. There are certain circumstances, however, where a data processor such as ourselves may need to be involved in a GDPR-related workflow. Let's look at a few examples:

1. Right To Access

GDPR introduced Article 15: Right of access by the data subject. This states that users have the right to request access to the data held on them. If you receive such a request from your user, you may need to forward it to your vendors, such as Castle, so that each vendor can provide the data it holds on that user as well. Castle offers an API endpoint for submitting these User Data Access Requests.

You can learn more about this GDPR supporting API from Castle here.

2. Right To Be Forgotten

GDPR introduced Article 17: Right to be forgotten. This states that users have the right to request that all data held on them be permanently purged. If you receive such a request from your user, you may also need to forward it to your vendors, such as Castle, so that each vendor purges that user's data too. Castle offers an API endpoint for submitting these User Data Purge Requests.

You can learn more about this GDPR supporting API from Castle here.
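Both the access workflow (section 1) and the erasure workflow (section 2) have the same shape from the application's side: a request arrives from the user, the controller forwards it to every processor that holds data on that user, and the request is only complete once every processor has answered. The following is an added example for this post, not Castle's own code: the page does not show the URL or payload of Castle's request endpoints, so `VENDOR_ENDPOINTS`, the JSON body and the `transport` callable are hypothetical placeholders, and the sample transports are constructed to run offline. It tracks one outcome per vendor so that a silent failure at a single processor cannot be mistaken for a completed request, and it carries the one-month response deadline of Article 12(3) so overdue requests are visible.

```python
"""Fan-out of a data-subject request to every processor holding the subject's data.

Added example for this post, not Castle's own code. The page only says Castle
offers endpoints for access and purge requests; it gives no URL or payload, so
VENDOR_ENDPOINTS and the request shape below are hypothetical placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class RequestType(Enum):
    ACCESS = "access"    # Article 15: right of access
    ERASURE = "erasure"  # Article 17: right to be forgotten


# Hypothetical processor registry: vendor name -> privacy endpoint (placeholders).
VENDOR_ENDPOINTS = {
    "castle": "https://PLACEHOLDER.example/v1/privacy",
    "mailer": "https://PLACEHOLDER.example/privacy",
}


@dataclass
class SubjectRequest:
    request_id: str
    subject_id: str            # the app's own user id, not the person's name or email
    kind: RequestType
    received_at: datetime
    outcomes: dict = field(default_factory=dict)

    @property
    def deadline(self) -> datetime:
        # Article 12(3): answer without undue delay, at most one month after receipt.
        return self.received_at + timedelta(days=30)


def build_vendor_payload(req: SubjectRequest, vendor: str) -> dict:
    """Body the controller sends to one processor (hypothetical shape)."""
    return {
        "url": VENDOR_ENDPOINTS[vendor],
        "json": {
            "user_id": req.subject_id,
            "type": req.kind.value,
            "reference": req.request_id,   # lets the vendor's reply be matched back
        },
    }


def fan_out(req: SubjectRequest, transport) -> dict:
    """Forward the request to every registered processor and record each outcome.

    `transport(url, body)` is injected (an HTTP client in production) so the
    example runs offline. A failure at one vendor is recorded, not hidden.
    """
    for vendor in VENDOR_ENDPOINTS:
        payload = build_vendor_payload(req, vendor)
        try:
            req.outcomes[vendor] = transport(payload["url"], payload["json"])
        except Exception as exc:
            req.outcomes[vendor] = {"status": "failed", "error": str(exc)}
    return req.outcomes


def is_complete(req: SubjectRequest) -> bool:
    """True only when every processor has confirmed, not just the ones that replied."""
    return set(req.outcomes) == set(VENDOR_ENDPOINTS) and all(
        o.get("status") == "ok" for o in req.outcomes.values()
    )


def is_overdue(req: SubjectRequest, now: datetime) -> bool:
    return not is_complete(req) and now > req.deadline


# Constructed transports standing in for real HTTP calls.
def demo_transport(url: str, body: dict) -> dict:
    if body["type"] == RequestType.ACCESS.value:
        return {"status": "ok", "records": 3}       # vendor returns an export
    return {"status": "ok"}                         # vendor confirms the purge


def failing_transport(url: str, body: dict) -> dict:
    raise ConnectionError("vendor unreachable")


def run_demo() -> dict:
    received = datetime(2019, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    access = SubjectRequest("dsar-1", "user-42", RequestType.ACCESS, received)
    fan_out(access, demo_transport)
    erasure = SubjectRequest("dsar-2", "user-42", RequestType.ERASURE, received)
    fan_out(erasure, failing_transport)
    return {
        "access": access,
        "erasure": erasure,
        "in_time": received + timedelta(days=10),
        "too_late": received + timedelta(days=31),
    }


if __name__ == "__main__":
    r = run_demo()
    for key in ("access", "erasure"):
        print(key, r[key].outcomes, "complete:", is_complete(r[key]))
```

The request carries the application's own user id rather than the person's name or email, since that is the identifier the processor already holds and it avoids sending additional personal data just to service a privacy request. The `reference` field lets a vendor's asynchronous reply be matched back to the originating request.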

3. Breach Notification

A company must notify an individual within 72 hours if their private data has potentially been exposed in a data breach. One of Castle's core competencies is detecting account takeovers (ATOs), whether through a large-scale credential stuffing attack or a one-off, manual takeover. Whenever Castle detects malicious or anomalous activity within a user's account, we can send the application a real-time notification with context about the events in question. This lets apps that integrate with Castle inform users of a potential breach not merely within 72 hours but within seconds, shutting down a problem before it starts.

GDPR is a complicated topic with a wide range of implications for businesses, not least the introduction of challenging technical responsibilities. Although challenging, the regulations exist for good reasons, and they speak to an issue that is central to Castle's belief and identity: user safety and privacy. For this reason, we try to make compliance as easy as possible for our customers. If you're a developer using Castle or considering Castle, and have any questions or suggestions on how we could better support your own GDPR efforts, let us know at support@castle.io!