25 May 2018 is an anxiously awaited deadline. What can you do to ensure your organization is ready for the General Data Protection Regulation (GDPR)? To start, what is the GDPR? It is, put simply, a new European Union privacy regulation that will permanently change the way you collect, store and use customer data.
GDPR took a long time coming, to say the least.
The European Council held two conventions in the 1980s and 1990s acknowledging that the use of computers had grown exponentially. In the wake of these conventions, the UK created a Data Protection Act in 1984, and another in 1998, with other countries following suit. Unfortunately, these acts were largely incompatible with each other.
Jump ahead to the early 2010s, and common rules were sorely needed across Europe. The General Data Protection Regulation was proposed and then negotiated within the EU Council and the European Parliament. The European Parliament, then the Council, reached agreement following extensive negotiations. Eventually, in 2016 the regulation was fully adopted and put into place. A two-year implementation phase was agreed, which brings us to May 25, 2018.
So, do you need to worry? If you have personal data of EU citizens, then the answer is yes, the GDPR affects you. Is it a concern? Only if you’re not prepared.
Want to learn more about GDPR for cybersecurity teams? Read the Definitive Guide now.
The 4 Key Elements of GDPR
Without further ado, here are the 4 things we recommend you prepare for. Though we aren’t lawyers and are solely focused on accelerating incident resolution, we’ve done our research:
- Right to be Forgotten
The Right to be Forgotten is the most talked about aspect of GDPR. It means that any customer or client has the right to have their personal data removed, deleted, or destroyed with a simple request. To top it all off, it must be done without delay.
Read Article 17 of the GDPR
- Assigning a Data Protection Officer
Under GDPR, data controllers have to assign a Data Protection Officer (DPO) who must inform, advise, monitor, and act as a contact point for supervisory authorities. Now the big question that everyone has been asking is: do I need a DPO? There have been rumors that SMEs do not need one (unfounded rumors, by the way). Here is a helpful decision tree to help you understand whether you need one or not.
Read Article 37 of the GDPR
- Data Portability
GDPR is all about giving the power back to individuals to have more control over their personal data. Here’s where Article 20 comes into play: it is there to make sure data can be requested and then received in a common, machine-readable format. Remember the Tinder user who asked for her personal data, and received 800 (paper!) pages of data 18 months later? Well, that won’t cut it anymore under GDPR. So to confirm, by data portability, GDPR means: sending the consumer a digital file which includes all the personal data collected on them.
Read Article 20 of the GDPR
- Reporting Security Breaches
The largest concern to security incident response leaders? Any security breach which puts personal data at risk will have to be reported within 72 hours. Any company that does not comply will be liable to fines. Your security incident response plan and strategy will be at the center of this question. Breaches will need to not only be detected, but validated, contained, and acted on very quickly. After all, 72 hours is only 3 days!
Read Article 33 of the GDPR
Want to respond to security breaches within 72 hours? Find out how now.
Resolve to the Rescue
There’s no single solution for compliance with GDPR, as it affects data across the enterprise, with major implications and fines. So, what do cybersecurity teams need to do?
Not all cybersecurity breaches are created equal. Not all need to be reported to an EU consumer – just the ones where specific personal data has been breached – like religion, political affiliation, and other personal details.
Resolve, the leading security incident response platform, can play a critical part when it comes to data breach reporting requirements. Resolve accelerates the time it takes to validate a detected alert and prompts initial investigation when a personal data breach occurs.
Upon determining a personal data breach has occurred, the organization must within 72 hours:
- Find out the categories and approximate numbers of data subjects and personal records concerned
- Determine the likely consequences to individuals of the data breach
- Decide the measures to take to address the breach, including mitigating adverse effects
- Communicate the above to the appropriate EU data protection authorities
When a company has to notify their customers of a data breach within 72 hours, wouldn’t it be nice to say the threat has been responded to? With Resolve’s playbooks, automation, and orchestration, cybersecurity teams can play a part in the notification aspect of the GDPR. With Resolve, security operations teams can determine appropriate next steps.
To learn more about the General Data Protection Regulation and the implications to cybersecurity teams, read the Definitive Guide eBook and learn three ways accelerating security incident response will help your SOC comply.