GDPR – brief overview of requirements

Europe’s General Data Protection Regulation (GDPR) will come into effect on May 25th 2018, necessitating all organisations that process data of EU residents with less than 12 months to meet the stringent requirements of the regulation.

The General Data Protection Regulation (GDPR) is Europe’s newest framework. It is designed to replace local data protection laws such as the UK’s Data Protection Act 1998, the Belgian Privacywet, or the German Bundesdatenschutzgesetz (BDSG). Organisations must implement a cloud security strategy that supports compliance and minimises their organisation’s exposure to the new breach notification requirements. Severe financial penalties, as high as 20 million Euros or 4% of total annual turnover will be enforced on those who are found to be in breach.

Key points to notice:

  • Organisations are responsible for Personal Identifiable Information.
  • Appropriate Security Controls required to be in place.
  • There is mandatory disclosure of data breaches.
  • Potential financial penalty for noncompliance up to 4% of turnover or 20 million.

The primary objective of GDPR is to strengthen security and privacy protection for individuals. While GDPR shares many principles from its predecessors, consisting of 11 chapters, 99 articles, and 187 recitals, it is by no means a minor adaptation.

Who GDPR Applies To

The GDPR applies to all data controllers and processors. There are specific legal obligations placed on processors and controllers under GDPR. It applies to processing carried out by organisations within the EU as well as organisations outside the EU that provide products or services to individuals within the EU.

It primarily focuses on individual data which is defined in two categories of ‘personal data’ and ‘sensitive personal data’.

Personal data will include individual data as well as any information that can be used as an online identifier, e.g. an IP address. Sensitive personal data casts a wider net and covers data elements such as biometric or genetic data.

What GDPR Means for Enterprises

In order to be ready for GDPR, businesses will need to implement a number of security and privacy measures and controls, such as:

    • Assigning a data protection officer
    • Data breach notification within 72 hours
    • Inventory of all personal data processed
    • Data protection by design and by default
    • Data Privacy Impact Assessments

What Does It Mean from a Practical Perspective?

If you don’t already have the required security tools and controls in place, your organisation will need to implement several new security controls, policies, and procedures. You will also need to demonstrate ‘readiness’ or ‘awareness’ with GDPR.

For security and privacy-conscious organisations, the new regulation should not bring about too much technical overhead. For those that aren’t, the impact will be much greater.

Here are some tips for implementing some of the key security requirements outlined in GDPR:

Article 30: Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility

Key tips to implement:

– If you don’t already have one in place, acquire and implement a log management or Security Information and Event Management (SIEM) tool. SIEM tools are important for monitoring all users and system activity to identify suspicious or malicious behaviour.

– Don’t forget about data stored, or processed in cloud environments. Cloud is also in scope and records of activity should  maintained.

Article 32: …the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…

Key tips to implement:

– Create an inventory of all critical assets that store or process sensitive data to allow for more stringent controls to be applied.

– Undertake vulnerability scanning to identify where weaknesses exist that could be exploited. Ideally use a tool that can be easily integrated with existing security tools.

– Conduct risk assessments and apply threat models relevant to your business

– Regularly test to gain assurance that security controls are working as designed

Articles 33 & 34: Notification of a personal data breach to the supervisory authority; and; communication of a personal data breach to the data subject.

Key tips to implement:

– Put in place a threat detection controls to reliably inform you in a timely manner when a breach has occurred.

– Monitor network and user behaviour in order to identify and investigate security incidents rapidly

– Have a documented and practised incident response plan

– Have a communication plan in place to notify relevant parties

What are your next steps?

– If you fall under the scope of GDPR, examine the proposed regulation closely, using this blog and other resources, and start preparing for its implementation  that comes May 2018.

– Understand what personal data is held and who has access to it.

– Prepare an inventory of the existing security tools and capabilities you have in-house today.

– Perform a gap analysis to identify where you have the largest gaps in terms of security tools, personnel, policies and procedures.

– Develop and implement a plan to begin closing these gaps

– Get the latest news and information about the regulation at the official site and from your local data privacy office.

How DMZ IT can help:

We can help you to meet many of the GDPR security and privacy requirements. Some essential benefits from working with us include:

    • Asset discovery to detect unknown systems on your network.
    • Vulnerability assessment to identify likely targets by attackers.
    • Network and host-based intrusion detection to detect malicious activity on your network.
    • File integrity monitoring (FIM) to detect changes in critical files and suspicious user activity.
    • Log management to conduct forensic analysis of events using digitally signed raw logs for evidence preservation.
    • Security information and event management (SIEM) to correlate security events from across your network.
    • Integrated threat intelligence and response guidance to prioritize the most significant threats targeting your data, applications, and users.
    • Compliance report templates for GLBA, FFIEC, PCI, as well as custom reporting.
    • Continuously updated detection capabilities that allow you to automatically detect emerging threats.