What is GDPR and Does it Apply to Me?
All companies that handle EU citizens' data – affecting organizations worldwide, including North America – should be prepared to meet requirements of the General Data Protection Regulation (GDPR) by May 25, 2018. This new regulation imposes operational impacts, such as enhanced risk detection and new data breach response obligations, causing business leaders some angst and uncertainty about the expectations ahead.
GDPR is set to replace the Data Protection Directive 95/46/EC, which was adopted in 1995 to regulate the processing of personal data within the EU. Though in the past many companies adopted privacy processes and procedures that were consistent with the former Data Protection Directive, GDPR contains some new protections for EU data subjects.
The concerning reality for most is that companies will face significant monetary fines if the regulation is violated. Penalties will range from 2% to 4% of a company's annual global revenue, or up to €20 million. Considering the severity of this potential punishment, many C-level executives and Board members are treating this undertaking as a strategic priority.
What Requirements Should I Be Thinking About?
GDPR possesses seven key requirements, the first six of which are: (1) appointment of a data protection officer to monitor internal compliance across the various business functions, (2) execution of privacy impact assessments against high-risk data processing activities, (3) receipt of data subject consent regarding the types of data collected and how they will be used, (4) implementation of alternative, compliant mechanisms for cross-border data transfers, (5) allowance of a personal data erasure request by the data subject, and (6) capability of data portability, so that a data subject can transfer his/her personal data from one electronic processing system to another without the controller preventing it.
While this regulation places heavy emphasis on data compliance at its core, the next (and seventh) requirement is imperative to get right: breach notification. Companies will now be on the hook to discover and report a data breach within 72 hours. Many are asking whether their organization is able to manage this process, and its global impact, within that timeframe.
Breach Readiness is Imperative
In a crisis, being organized and informed enough to detect and properly communicate a data breach to affected stakeholders (and regulators) is a difficult task on its own. When combined with mandatory incident response processes and time sensitivity, the situation becomes much more difficult.
Leading organizations are preparing for this by executing what we like to call an incident response (IR) readiness journey. This can be accomplished through three phases: (1) assess and plan, (2) operationalize, and (3) test and validate.
Assess and Plan
Understanding your cyber threat landscape and existing threat profile is key to building a strong plan. Start by using threat intelligence to focus on the most relevant, likely threats. Identify the attackers, realize the type of data they’re after, and recognize their capabilities.
Evaluating your current security program against critical security domains is next. Pinpoint which security domains are of primary importance to securing your business, and from there prioritize the domain efforts accordingly.
Then you can design and execute a change program, addressing the highest risk areas first. This should be a cross-functional effort with various business partners/committees including Legal, PR, and Information Governance to ensure enterprise-wide needs are met and shared accountability is established.
Operationalize
Having the right people, processes, and technology in place to respond to an actual breach is at the heart of this readiness journey.
Have detailed and necessary conversations to understand whether your organization's detection capabilities (technology, processes, expertise) will be able to live up to GDPR standards such as being 'state-of-the-art'. The best way forward is to adopt explicit data breach use cases and corresponding playbooks for all teams involved.
Methodical analysis of alerts is what organizes your remediation plan. Triage every alert and label it as a true positive or a false positive. Doing so properly and directly triggers the data breach incident protocols; failing to do so will leave a breach under-addressed, increasing the probability of another attempt.
Establishing protocols for both internal and external escalation of a data breach is vital. Formally document, and become very familiar with, who to notify, how to notify them, and exactly what supporting information/evidence to release.
Test and Validate
GDPR will require organizations to regularly test, assess, and evaluate the effectiveness of the security measures they have in place. You can effectively test and exercise your incident response plan by conducting tabletop exercises and red teaming. Tabletop exercises use mock scenarios such as confidential records being accessed and sensitive data being removed from your network. Participants go through the process of discovering, identifying, prioritizing and addressing cyber issues, as they would during an actual attack. Red teaming tests your ability to protect critical data against theft by simulating the tools, tactics and procedures of real-world attackers.
Even companies that strongly believe they possess a sophisticated security program should test and validate their capabilities, as a matter of due diligence to their Board.
To learn more about the new GDPR regulation and how you can ensure breach response readiness at your business, check out our "GDPR: Being Prepared and Response-Ready" webinar, or visit our GDPR website.