May 1, 2018

The General Data Protection Regulation

The primary objective of GDPR is to strengthen security and privacy protection for individuals. While GDPR shares many principles with its predecessors, it is by no means a minor adaptation: it consists of 11 chapters, 99 articles, and 187 recitals.

Who GDPR Applies To

The GDPR applies to all data controllers and processors. There are specific legal obligations placed on processors and controllers under GDPR. It applies to processing carried out by organizations within the EU as well as organizations outside the EU that provide products or services to individuals within the EU.

It primarily focuses on individual data, which is defined in two categories: ‘personal data’ and ‘sensitive personal data’.

Personal data will include individual data as well as any information that can be used as an online identifier, e.g. an IP address. Sensitive personal data casts a wider net and covers data elements such as biometric or genetic data.

What GDPR Means for Enterprises

In order to comply with GDPR, enterprises will need to implement a number of security and privacy measures and controls, such as:

- Assigning a data protection officer

- Data breach notification within 72 hours

- Inventory of all personal data processed

- Data protection by design and by default

- Data Privacy Impact Assessments

- Fines of up to €20 million or 4%

What Does It Mean from a Practical Perspective?

If you don’t already have the required security tools and controls in place, your organization will need to implement several new security controls, policies, and procedures. You will also need to demonstrate compliance with GDPR.

For security- and privacy-conscious organizations, the new regulation should not bring about too much technical overhead. For those that are not, the impact will be much greater.

Here are some tips for implementing some of the key security requirements outlined in GDPR:

Article 30: Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.

Key tips to implement:

- If you don’t already have one in place, acquire and implement a log management or Security Information and Event Management (SIEM) tool. SIEM tools are important for monitoring all users and system activity to identify suspicious or malicious behavior.

- Don’t forget about data stored or processed in cloud environments. Cloud environments are also in scope, and records of activity there must be maintained.

Article 32: …the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk…

Key tips to implement:

- Create an inventory of all critical assets that store or process sensitive data to allow for more stringent controls to be applied.

- Undertake vulnerability scanning to identify where weaknesses exist that could be exploited. Ideally, use a tool that can be easily integrated with existing security tools.

- Conduct risk assessments and apply threat models relevant to your business.

- Regularly test to gain assurance that security controls are working as designed.

Articles 33 & 34: Notification of a personal data breach to the supervisory authority, and communication of a personal data breach to the data subject.

Key tips to implement:

- Put in place threat detection controls to reliably inform you in a timely manner when a breach has occurred.

- Monitor network and user behaviour in order to identify and investigate security incidents rapidly.

- Have a documented and practised incident response plan.

- Have a communication plan in place to notify relevant parties.

What are your next steps?

- If you fall under the scope of GDPR, examine the proposed regulation closely, using this blog and other resources, and start preparing for its implementation come May 2018.

- Understand what personal data is held and who has access to it.

- Inventory the existing security tools and capabilities you have in-house today.

- Perform a gap analysis to identify where you have the largest gaps in terms of security tools, personnel, and policies and procedures.

- Develop and implement a plan to begin closing these gaps.

- Get the latest news and information about the regulation at the official site and from your local data privacy office.
