May 1, 2018
5 mins

The General Data Protection Regulation

GDPR is meant to strengthen security and privacy protection for individuals. While it shares many principles from its predecessors, it's by no means a minor adaptation consisting of 11 chapters, 99 articles, and 187 recitals.

Who GDPR Applies To

The GDPR applies to all data controllers and processors. There are specific legal obligations placed on processors and controllers under GDPR. It applies to processing carried out by organizations within the EU as well as organizations outside the EU that provide products or services to individuals within the EU.

It primarily focuses on individual data which is defined in two categories of ‘personal data’ and ‘sensitive personal data’.

Personal data will include individual data as well as any information that can be used as an online identifier, e.g. an IP address. Sensitive personal data casts a wider net and covers data elements such as biometric or genetic data.

What GDPR Means for Enterprises

In order to comply with GDPR, enterprises will need to implement a number of security and privacy measures and controls, such as:

·       Assigning a data protection officer

·       Data breach notification within 72 hours

·       Inventory of all personal data processed

·       Data protection by design and by default

·       Data Privacy Impact Assessments

·       Fines of up to €20 million or 4%.

What Does It Mean from a Practical Perspective?

If you don’t already have the required security tools and controls in place, your organization will need to implement several new security controls, policies, and procedures. You will also need to demonstrate compliance with GDPR.

For security and privacy-conscious organizations, the new regulation should not bring about too much technical overhead. For those that haven’t, the impact will be much greater.

Here are some tips for implementing some of the key security requirements outlined in GDPR:

Article 30: Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility

Key tips to implement:

- If you don’t already have one in place, acquire and implement a log management or Security Information and Event Management (SIEM) tool. SIEM tools are important for monitoring all users and system activity to identify suspicious or malicious behavior.

- Don’t forget about data stored, or processed in cloud environments. Cloud is also in scope and records of activity maintained.

Article 32: …the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk…

Key tips to implement:

- Create an inventory of all critical assets that store or process sensitive data to allow for more stringent controls to be applied.

- Undertake vulnerability scanning to identify where weaknesses exist that could be exploited. Ideally using a tool that can be easily integrate with existing security tools.

- Conduct risk assessments and apply threat models relevant to your business

- Regularly test to gain assurance that security controls are working as designed

Articles 33 & 34: Notification of a personal data breach to the supervisory authority; and; communication of a personal data breach to the data subject.

Key tips to implement:

- Put in place a threat detection controls to reliably inform you in a timely manner when a breach has occurred.

- Monitor network and user behaviour in order to identify and investigate security incidents rapidly

- Have a documented and practised incident response plan

- Have a communication plan in place to notify relevant parties

What are your next steps?

- If you fall under the scope of GDPR, examine the proposed regulation closely, using this blog and other resources, and start preparing for its implementation come May 2018.

- Understand what personal data is held and who has access to it.

- Inventory the existing security tools and capabilities you have in-house today.

- Perform a gap analysis to identify where you have the largest gaps in terms of security tools, personnel, and policies and procedures.

- Develop and implement a plan to begin closing these gaps

- Get the latest news and information about the regulation at the official site and from your local data privacy office.


Cybersecurity Awareness Month Recap - Resources and Tips
October was National Cybersecurity Awareness Month which is meant to put a spotlight and focus on cybersecurity education and taking action to protect yourself and your organization from a cyberattack. Here’s a roundup of some of the top things we shared in October.
Four New Phishing Tactics to Watch Out For
By now most healthcare organizations perform cybersecurity awareness training and their staff are on the lookout for phishing emails. Cyber attackers are getting more savvy, however and are coming up with new phishing techniques that are harder to spot. Below are some examples of these new tactics and how to spot them.
Real-time Review of Oklahoma State University Cybersecurity Breach
Healthcare organizations that are victims of a cyberattack are reported daily. Reviewing OCR findings to identify actions you can take to protect your organization from similar attacks is a good best practice. Here is a review of the OSU breach to use as an example.
No items found.