GDPR Doesn’t Need to be GDP-Argh!These 10 steps will ease the pain of compliance with the General Data Protection Regulation, the EU's new privacy law that goes into effect in a little over a year.
If your organization does business with Europe, or more specifically does anything with the personal data of EU citizens, you’re going to be living the dream (or perhaps nightmare) that is preparing for the General Data Protection Regulation (GDPR).
For many organizations, this is going to be a tedious exercise; even if you have implemented processes and technologies to meet current regulations, there is still work to be done to steer clear of penalties. And, as you might expect, infringement carries heavy fines: €20 million or 4 percent of your worldwide annual gross revenue, depending on the violation.
The regulation comes into effect on May 25, 2018, at which point organizations will be held accountable – immediately. It’s hard to say exactly how organizations are doing, but depending on which news you choose to read, it doesn’t appear that too many are ready. And for good reason.
For one thing, preparing for GDPR is likely to be a cross-functional exercise, as legal, risk and compliance, IT, and security all have a part to play. Some organizations will need to adopt new roles and responsibilities, such as appointing a data protection officer and nominating representatives within the EU to be points of contact.
So, with just over a year to get this sorted, what do you need to do?
If you’re just beginning your GDPR compliance quest, start by having employees attend a training to learn about the best practices for implementing GDPR. Training can also save you from the costly fines down the line, which, depending on the level of GDPR infringement, can amount to 4% of your organization’s worldwide annual gross revenue for the previous year.
You’ll also need to determine where the personal data of EU citizens physically resides, the categories of personal data you control or process, how and by whom it is accessed, and how it is secured. In addition, processes for access control, incident detection and response, and breach notification will also need review or implementation.
To help get you started, I’ve put together a list of 10 steps your company can take toward becoming GDPR-compliant:
Step 1: Encrypt data both at-rest and in-transit. Why? If you are breached but the personal data is rendered unintelligible to the attacker, then you do not have to notify the person whose data has been breached.
Step 2: Limit access. The idea of a “need-to-know-basis” has been around in the military for eons. The same process now needs to apply to personal data. Review who has access to personal data and why they have access, then revoke rights as necessary. When gaining consent to process personal data you will need to state the reasons for processing the data, and identify people who have access to the data. Shared admin accounts and overinflated user privileges are generally bad practices, but with GDPR they become totally unacceptable.
Step 3: Have a broad-based vulnerability management process in place. Make sure you’re scanning all devices on your network to maintain visibility into weaknesses in your infrastructure. If you have remote employees, don’t forget about them! Remote workers create additional risk because their devices can house sensitive data while they are connected to unsecured networks. Ensuring the ongoing confidentiality, integrity, and availability of all systems across your company is key.
Step 4: Backups. Backups. Backups. Make backups! Not just in case of a dreaded ransomware attack, but as a good housekeeping practice in case of storage failure, asset loss, natural disaster, even a full cup of coffee spilled on a laptop. If you don’t currently have a backup vendor in place, there are a number of server and database options available. Disaster recovery should always be high on your list, regardless of the regulations you are required to meet.
Step 5: Secure your web applications. Privacy-by-design needs to be built into processes and systems. If you’re collecting personal data via a web app, and still using http/clear text, then it’s likely you already have a problem.
Step 6: Pen tests are your friend. Attacking your systems and environment to understand your weak spots will tell you where you need to focus. It’s also better to go through this exercise with an opportunity to course correct, rather than wait for an attacker to point out your weaknesses by getting onto your network. You can do this internally or employ a professional team to perform regular external tests.
Step 7: Detect attackers quickly and early. Finding out that you’ve been breached after the fact is an all too common scenario. The Verizon Data Breach Investigations Report has called out compromised credentials as a top attack vector, yet many organizations still can’t detect when these credentials are used by attackers. User behavior analytics is one way to quickly investigate and remediate anomalous user account activity within your environment. Deploying deception technologies, like honey pots and honey credentials, is another strategy for spotting attackers early.
Step 8: Don’t ignore shadow IT. You likely have some approved cloud services deployed already, but unless you’ve switched off the internet, it’s also possible that there are unsanctioned services and apps occurring in your environment with data that needs to be protected.
Step 9: Prioritize and respond to the alerts your security products generate daily. Attackers can easily take advantage of the flood of information bombarding security teams every day. It’s great if you have a SIEM in place and have the capability to respond 24/7. (Attackers work evenings and weekends too!) But if you don’t have SIEM, or the time or budget to take on a traditional deployment, consider products or managed offerings that can offer round-the-clock protection.
Step 10: Don’t wait for an attack to engage an incident response team. GDPR stipulates that companies report personal data breaches to a supervisory authority within 72 hours of discovery. But aside from the reporting requirements, it’s critical to contain the attack and limit damage as quickly as possible. So If you don’t have dedicated IR capabilities in-house, at least have a clear and fast route to third-party services. That means, going through the process of vetting and engaging potential vendors and partners in advance in order to know exactly who to call with the necessary expertise should the worst happen.
[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]
Samantha is responsible for that ensuring Rapid7's international markets receive the proper solutions messaging, collateral, and information. She also trains sellers (internal and partners) on security concepts and solutions. She has nearly 20 years of employment experience ... View Full Bio