FEATURE

With GDPR, preparation

is everything
Jocelyn Krystlik, Stormshield
Jocelyn Krystlik

Since the new European General Data Protection Regulation (GDPR) on the
protection of personal data was voted in, businesses have been working towards
the transition that will take place in May 2018.1 With just a year to comply,
they are considering issues such as strengthened cyber-security, liability of data data and to be competitive while trading
collection entities and new mandatory procedures. in Europe. The other consideration is for
European companies working in the UK,
Despite the many changes that the UK’s before the UK’s exit from the EU and or UK companies working in Europe
exit from the EU will bring, British penalties for non-compliance will apply who would also be bound by GDPR.
organisations should still plan for GDPR during that period. Second, it is quite The intentions behind the GDPR are
for two important reasons. The first is likely that the UK will adopt the GDPR simple – to catch up with the threat of
that GDPR is most likely to go into effect in order to protect its citizens’ personal cyber-security in relation to strategy,
legislation and operations and be ready
to respond to that threat and ensure
future resilience.
Personal data will now be at the centre
of policies in the context of the digital,
borderless world in which we live and
operate. It is an important turning point
because digitisation has given rise to a
whole new host of critical issues in cyber-
security. Until recently, these were dealt
with by national authorities in each EU
country, but this presents legal problems
because of the complex and perpetually
shifting domain. The Internet and the
digital age currently make up the ‘grey
areas’ that Udo Helmbrecht, executive
director of the EU’s European Network
and Information Security Agency
(ENISA) warned about: “When you talk
today about the Internet, it is the Wild
West. Everyone can do what they want.”2

The backdrop
The digital revolution has resulted in a lag
between existing cyber-security policies
and the reality of new issues engendered
by the digital revolution and its paper-
less structure. In 1995, the EU approved
Directive 95/46/CE governing emerging
digital issues – in particular, newly digit-
ised personal data. This directive consists
The clock is ticking on the General Data Protection Regulation.
of seven basic principles which are, in

5
June 2017 Computer Fraud & Security
 FEATURE
essence: notification when personal data
is used, the consent of the person owning
such data, subsequent data transfer, data
security and integrity, accessibility and
applications.
“The hackers declared that
they had struck for two rea-
sons. First, they wanted to
show their disapproval of the
services offered on the web-
site and second, they wanted
to call out the company on its
confidentiality policy”
But we have moved on quickly and
the advent of platforms such as SaaS
(Software as a Service) and the growth
in cloud computing have changed the
landscape for ever. With the excep-
tion of a final amendment to the 1995
directive later that same year, no further
updates have since been made. In 2011,
a think tank was initiated and the EDPS
(European Data Protection Supervisor)
welcomed the desire to reform the legal
scope of personal data protection. At
long last it was accepted that legislation
was no longer fit for purpose.
Threats getting personal
The complexities of technology have
been equally matched by the complexi-
ties in cyberthreats in recent years, but
it was a series of headline-grabbing secu-
rity scandals that focused our attention
on the dangers to personal data. When
Edward Snowden, the National Security
Agency contractor, revealed the large-
scale espionage in which the organisation
was indulging, with European personal
data being targeted in particular, the
world was shocked. Another zinger
struck within the same year, when Max
Schrems’ campaign against Facebook
suddenly widened and questions were
asked about the use of European per-
sonal data by Apple, Skype, Microsoft
and Yahoo! and accompanied by accusa-
tions of collaboration with the NSA.
The case received wide media coverage
6
Computer Fraud & Security June 2017
and on 6 Oct 2015, the European Court
of Justice ruled in his favour.
As a result of this decision, the inter-
national Safe Harbor privacy principles,
which regulated data exchanges between
Europe and the US, were overturned.
But this was just the start and cyber-
criminals have increasingly turned to
hacking, ransomware and data leaks to
bolster the trade in personal data. No
one is safe anymore and the consequenc-
es often reach much further than mere
damage to corporate reputation.
The hacking of the Ashley Madison
website facilitating extramarital affairs
sent 32 million members on a roller-
coaster ride after their data was stolen
and published online. In the rubble
were a few politicians, prominent per-
sonalities and an ambushed company
offering a reward for any information
on the hackers, who declared that they
had struck for two reasons.
First, they wanted to show their disap-
proval of the services offered on the web-
site and second, they wanted to call out
the company on its confidentiality policy.
The attack aimed to show that despite
the fee requested by the website to erase
members’ data when they submitted such
requests, no data was ever erased.
A well-known mobile phone com-
pany was hacked, with 1.2 million of
its accounts, including names, tele-
phone numbers and email addresses,
becoming subject to repeated phishing
attempts over the phone or by email.
A few months later, it was Vodafone
Germany’s turn when 800,000 of its
contacts were stolen, then the UK, when
the telecoms provider TalkTalk went
through the same experience.
Privacy Shield
Attempts to address these issues such as
the Safe Harbor framework – which estab-
lished a clear legal framework with regard
to trans-Atlantic exchanges of personal
data – and the Privacy Shield framework,
have been made but subsequently over-
turned or challenged.3 As a result, many
EU businesses are using standard con-
tractual clauses in order to continue their
exchanges with the US, as defined in the
initial 1995 Directive 95/46/CE.
In a year, these alternatives will have to
make way for the GDPR, which imposes
a single regulation for all European data
and all entities collecting, hosting and
handling such data. The US is not on the
list of countries offering an adequate level
of security in data protection.
The implications
This new regulation aims to legislate all
personal data regardless of where it is situ-
ated. Data will be the focus of legal atten-
tion and subjected to this new regulation
instead of a country’s laws. This means
that – at least theoretically speaking – the
physical location of where the data is
hosted is no longer relevant. Whether it’s
in a datacentre in the US or India, or in
the City of London, the legal constraint
remains the same in theory.
Reluctance to comply will also not be
tolerated and companies can be fined as
much as 4% of their worldwide turnover
and up to E20m. It is noteworthy how
subtle the sanction is, in that while it can
only be applied in a given territory, its
impact will be felt elsewhere in the world.
This is the particular sanction that has
attracted attention from all sides, espe-
cially American organisations that have a
presence in the EU because even though
the GDPR is a European regulation, hav-
ing one foot in Europe means potentially
having to fork out a fine calculated based
on the worldwide earnings of a corporate
group. The parent company therefore
runs the risk of having to tap the coffers
on the other side of the Atlantic.
Requirements for
businesses
The GDPR will force businesses to
restore order to their operations and do
a little tidying up and while it will deliv-
er restrictions, it will also provide many
benefits to businesses.

The new requirements for businesses
are as follows:
• The right to be forgotten accessible
to everyone.
• Clear, explicit consent required from
the person concerned to process his
personal data.
• The right to move data from one service
provider to another quickly and easily.
• Appointing a data controller. The
representative will need to act on
behalf of the data controller and
should be contactable by any supervi-
sory authority.
• Ensuring that data processing goes
through documented procedures,
whether the business conducts such
procedures itself or they are done on
behalf of the business. These docu-
ments will be required during audits.
Particular data
An essential concept to understand dur-
ing the transition to the GDPR is that
every business possesses personal data that
falls within the remit of the European
regulation. Whereas in the past, data
protection concerned mainly the banking
and medical sectors, the scope of ‘person-
al data’ has broadened considerably and
now includes any information relating to
a person – from their name, photograph,
email address or bank account details,
through to messages posted on public
websites, medical data or a computer’s IP
address. Everyone has the right to protec-
tion of that personal data.
All businesses have personal data to
protect – employee databases, payrolls,
client databases – all of which carry per-
sonal data, even when their economic
activity revolves around a non-strategic
sector, such as the selling of clothes.
Shadow IT
In order to comply with the precepts of
the GDPR, an adequate level of security
must be demonstrated for any European
data collected and hosted by a company.
Shadow IT will therefore return in 2018
June 2017 Computer Fraud & Security
as a dominant issue as the prospect of
co-workers deciding to use services that
are not managed or controlled by the
organisation (eg, web conference tools,
mass mailing SaaS business platforms,
etc) will pose a new legal danger and add
another layer of complexity.
“The GDPR requires informa-
tion relating to a data breach
to be produced within 72
hours – providing a guarantee
to the business in its capacity
as a client – and forces cloud
providers to equip themselves
with mechanisms to record
logs and report alerts”
There are already several schools of
thought on how to deal with Shadow
IT. Some organisations lock up their
networks so that nothing can be installed
on employees’ workstations without
the intervention of the IT department.
Obviously, this has become a source of
frustration for both employees and IT
managers alike. Data encryption may be a
less drastic but highly effective alternative.
The cloud
The growth in cloud computing places
the issue of protecting European data in
a new dimension.
Data is entrusted to an external part-
ner and hosted away from the business’s
physical premises, which forces business
owners to ensure that the hosting entity
can provide an adequate level of security,
and produce logs in the event of an inci-
dent as and when required. The GDPR
requires information relating to a data
breach to be produced within 72 hours
– providing a guarantee to the business
in its capacity as a client – and forces
cloud providers to equip themselves with
mechanisms to record logs and report
alerts as well as the entire cyber-security
arsenal that should be included in any
credible cloud solution.
Since the data is digitised, migrating it
FEATURE
to the cloud can make it cross certain bor-
ders. This is a major risk that needs to be
closely monitored and for which solutions
do exist. Even in the scope of the GDPR
and the extremely tense international
context at the moment, some businesses
may nonetheless have data hosted outside
Europe, sometimes tied to their economic
models or their corporate structures, or
because a value-added application does not
offer hosting within the EU.
The regulatory nature of the GDPR
will push migrating businesses to choose
data or cloud hosting in a European
country in order to ensure that the cloud
provider will be duty-bound to comply
with the restrictions imposed by the
GDPR in processing data. The same
goes for UK businesses for now.
The rights of businesses with regard to
cloud providers are:
• Presentation of logs within 72 hours.
• Written procedures that can be
produced upon request.
• Absolute guarantee that data will not
be processed by the hosting company
without prior authorisation of both
the client and the collecting entity.
• Ensuring that data processing goes
through documented procedures. This
applies whether the business conducts
such procedures itself or they are done
on behalf of the business. These pro-
cedures will be required to be evalu-
ated during audits.
A business’s duties to data subjects
include:
• Appointing a data controller (liaising
with the potential cloud provider and
authorities in the event of an audit).
• Clear explicit consent required from
the person concerned to process
his personal data. Once again, the
business must clearly express how it
intends to use the data it collects or
with which it has been entrusted.
• The right to be forgotten on request.
This newly established right forces
businesses to provide the clear and
straightforward possibility of erasing
an individual’s or another business’s
data simply upon request.
7
 FEATURE

• The right to move data from one ser-
vice provider to another. The busi-
ness will take responsibility for this
procedure, which must be easy, quick
and upon the contact’s request.
• Complete and unambiguous infor-
mation from the collector regarding
the processes applied to collected
personal data.
• The right to notification within 72
hours if data is compromised and/or
a security incident has occurred. This
is one of the new and critical points
of the GDPR that businesses will
have to bear in mind when choosing
a cloud service situated outside the
borders of the EU or if they decide
not to host data in the cloud.
• The guarantee that privacy policies
are explained in clear and unambigu-
ous language.
Code of conduct
In order to support organisations in the
transition to May 2018, the EU offers
two tools – a code of conduct and cer-
tification. The regulation encourages
associations and other bodies represent-
ing categories of data controllers or
processors to draw up codes of conduct
intended to contribute to the proper
application of the regulation. These
codes should uphold the principles of
fair and transparent data processing, for
example, the collection of personal data
and information communicated to the
public and concerned individuals.
The GDPR marks the European
Commission’s intention to establish certi-
fication mechanisms and data protection
seals and marks, allowing data subjects to
quickly assess the level of data protection
provided by controllers and processors.
Getting help
Facilitators in the transition to GDPR will
need to rely on the help of professionals
such as specialist law firms, or even the use
of dedicated legal tools online; consulting
firms that may be able to conduct analyses
after an audit and provide advice on how
to better manage the digital transition
while taking into account the constraints
of the GDPR; corporate architects, which
can offer sound guidance since their
advice is based on the consideration of the
organisation in its entirety instead of only
its data or information systems; guarantees
of GDPR compliance from cloud hosting
entities.
Get equipped with suitable cyber-secu-
rity solutions that answer any questions
raised by the audit. Since the GDPR is
being introduced to help combat secu-
rity threats, protection and prevention
is absolutely essential. At the same time,
don’t forget that pilfered encrypted data
is not considered a leak if the decryption
keys are not accessible, so encryption con-
tinues to be the best bet for compliance.
About the author
Jocelyn Krystlik is product marketing man-
ager for cloud at Stormshield. He has a var-
ied background in security, having spent five
years consulting and working as a product
manager in Arkoon Network Security before
it was purchased by Stormshield’s parent
company, Airbus. Since July 2014 he has
been advising Stormshield’s customers on how
to mitigate threats, providing cloud and data
expertise and is instrumental in the market-
ing of the company’s data security product.
References
1. GDPR Portal, home page. Accessed
May 2017. www.eugdpr.org.
2. Fleming, Jeremy. ‘Cyber-security
directive held up in face of ‘Wild
West’ Internet’. Euractiv, 1 Apr
2015. Accessed May 2017. www.
euractiv.com/section/digital/news/
cyber-security-directive-held-up-in-
face-of-wild-west-Internet/.
3. Privacy Shield, home page. Accessed
May 2017. www.privacyshield.gov/
welcome.

The impact of quantum

computing on cryptography
Jean-Philippe Aumasson, Kudelski Jean-Philippe
Aumasson
Quantum computing has been heralded by some as the death of cryptography
as we know it. Yet the quantum computers that exist today can’t perform more duction to quantum computing and its
complex operations than tasks such as factoring 15 into 3×5, so they’re pretty
fundamental capabilities.
useless. A useful quantum computer would need to be large and reliable enough
to perform operations involving thousands or millions of quantum bits (qubits)
in order to break cryptographic algorithms widely used today. How quantum
prepared and understand the real impact
computers work
We don’t yet know how hard it is to
build such a scalable, fault-tolerant of quantum computing on our networks’ While a classical computer works with
quantum computer, but we should be security. Let’s begin with a simple intro- bits that are either 0 or 1, a quantum

8
Computer Fraud & Security June 2017