A 9-Step Guide For GDPR Compliance

In May 2018, the General Data Privacy Regulation will take effect, significantly altering the way organisations handle and store data.

At 200 pages and 99 articles, the comprehensive regulation is primarily intended to strengthen security and privacy protections around individual data, which it enforces by subjecting organizations to stricter requirements, adding new requirements, such as breach notification, and increasing fines on organisations that fail to comply.

GDPR applies to all organisations that control or process data within the EU as well as those that control or process data related to EU residents. This means that, while GDPR is rooted in the EU, organizations in the US that handle data from EU residents are very much impacted as well.

Among other things, organizations will be required to maintain a data breach detection plan, regularly evaluate the effectiveness of security practices, and document evidence of compliance.

However, GDPR doesn’t provide specific technical direction, meaning that organisations will be independently responsible for establishing and maintaining the best practices needed to uphold outlined data security requirements. With this in mind, below are nine steps to prepare for the security requirements within GDPR.

Step 1: Implement a Security Information and Event Management (SIEM) tool with log management capabilities.

Article 30 of GDPR states that every controller must track and record all processing activities under its responsibility. To do this, organisations typically leverage a SIEM tool, which centralizes logs from applications, systems and networks, allowing companies to monitor all user and system activity and to identify any suspicious or malicious behavior.

Users can create a view of what has occurred to investigate suspicious behavior, including analysing what kind of attack method was utilised and looking at related events, source IP addresses, destination IP addresses and other details.

Organisations with data stored in the cloud should ensure that their SIEM tool can record activity not only on-premises but also across the public and private cloud infrastructure, as personal data held there also falls within the scope of GDPR.

Step 2: Create an inventory of all critical assets that store or process sensitive data.

Because GDPR covers all IT systems, networks and devices, organizations must maintain an ongoing inventory of where personal data is stored across the entire infrastructure. This seems simple on the surface, but can be a difficult task, especially in public cloud environments and in cases where employees are using BYOD or non-IT-sanctioned assets.

It’s worth noting that organisations with employees that process or store data on unapproved devices are still liable and subject to regulatory fines in the event of an attack, so it’s critical that all components of an organization’s IT system are identified and monitored. There are a variety of asset discovery tools available to help organizations continually keep track of where sensitive data is held.

Step 3: Undertake vulnerability scanning to identify weaknesses.

New vulnerabilities arise almost daily, whether they’re in software, system configuration, business logic or processes. Therefore, organizations must stay on top of these with regular vulnerability scanning. It’s also important to determine the threat level of each vulnerability by considering factors such as:

  • Does the affected system fall within the scope of GDPR?
  • How critical is the threat? (i.e. how many personal records could be exposed?)
  • Have intrusions or exploits been attempted on the vulnerable asset?
  • Is the vulnerability being exploited by attackers in the wild, and if so, how?

Here too, it is equally important to monitor cloud environments in addition to on-premises environments.

Step 4: Conduct risk assessments and apply threat models relevant to the business.

Organizations must identify and evaluate all of their security risks, not just vulnerabilities. Article 35 of GDPR mandates data protection impact assessments (DPIAs), and Article 32 requires companies to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”

This mandate is intentionally broad so that organizations can leverage whichever information security framework provides the best understanding of the risks facing their systems. The NIST frameworks and ISO/IEC 27001 are two common and effective options.

Step 5: Regularly test your systems to gain assurance that security controls are working as designed.

Article 32 addresses the security of personal data processing by demanding that organisations create a procedure to regularly analyze the effectiveness of their security controls. This is by no means an easy feat (and becomes increasingly difficult as organisations grow and expand their technology stacks).
 
However, three possible strategies to validate the effectiveness of security controls include:

  • Using manual assurance (e.g., audits, assurance reviews, penetration testing and red-team activities).
  • Using automated assurance technologies.
  • Consolidating and integrating security products (so that fewer point products need to be managed and reported on).

It’s important to note that ensuring that systems are secured as intended is not a one-time effort; rather, it must be an ongoing, repeatable process.

Step 6: Put threat detection controls in place to ensure reliable and timely notification when a breach has occurred.

GDPR requires that organisations report a breach to the appropriate regulatory body within 72 hours of becoming aware of it. For high-risk incidents, impacted data subjects must be notified without undue delay (Article 31).

In order to discover, adequately understand and respond to breaches this quickly, organisations must have threat detection controls in place that trigger immediate alerts on incidents. Analysts can then build an understanding of the threat by collecting and correlating events and consulting reliable threat intelligence, and respond promptly as needed.

Step 7: Monitor network and user behavior to identify and investigate security incidents in a timely manner.

It is imperative that organisations maintain an understanding not only of external threats but also of potential internal threats. Internal threats often stem from unauthorized data access.

To determine whether internal incidents are threats or not, it’s important to consider the context in which corporate data is accessed. For example, an abundance of Skype traffic on the sales team’s network is probably a normal part of operations, but a burst of Skype traffic on the database server that houses a customer list is likely an indicator of a security issue.

Monitoring user behavioral patterns also helps determine whether an anomalous incident should be considered a threat. An example of a data source for this is NetFlow, which provides high-level trends about which protocols are in use, identifies which hosts use each protocol, and calculates the associated bandwidth usage. When NetFlow is fed into a SIEM, analysts can configure alerts to fire whenever measured traffic goes above or below defined thresholds.
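As an added illustration of the context-plus-baseline approach described above (this is example code, not code from the original article or any particular SIEM), the Python below aggregates constructed NetFlow-style byte counts per host and protocol, learns a baseline from earlier time windows, and raises an alert when the current window falls outside mean ± k·stdev or when a protocol is unexpected for the host's role. The host names, roles, protocols and byte counts are all made up.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style per-window summaries (not real captures):
# (window, host, role, protocol, bytes_in_window)
FLOWS = []
for w, b in enumerate([40_000, 52_000, 47_000, 45_000, 55_000]):
    FLOWS.append((w, "sales-pc-01", "sales", "skype", b))      # steady Skype use
for w, b in enumerate([900_000, 950_000, 880_000, 910_000, 2_500_000]):
    FLOWS.append((w, "db-server-01", "database", "mysql", b))  # volume spike in window 4
FLOWS += [(3, "db-server-01", "database", "skype", 500),       # Skype appears on the DB host
          (4, "db-server-01", "database", "skype", 250_000)]   # and then bursts

# Protocols considered normal for each host role; anything else is out of context
EXPECTED = {"sales": {"skype", "https"}, "database": {"mysql", "ssh"}}


def per_window(flows):
    """Sum bytes per (host, role, protocol, window) from raw flow records."""
    totals = defaultdict(int)
    for window, host, role, proto, nbytes in flows:
        totals[(host, role, proto, window)] += nbytes
    return totals


def detect(flows, current, k=3.0, min_history=2):
    """Return (host, protocol, reason) alerts for the given window.

    A pair is flagged if its protocol is unexpected for the host's role, or if its
    byte count lies outside mean +/- k*stdev of the earlier windows.
    """
    history, now = defaultdict(list), {}
    for (host, role, proto, window), nbytes in per_window(flows).items():
        if window < current:
            history[(host, role, proto)].append(nbytes)
        elif window == current:
            now[(host, role, proto)] = nbytes
    alerts = []
    for (host, role, proto), nbytes in sorted(now.items()):
        if proto not in EXPECTED.get(role, set()):
            alerts.append((host, proto, "unexpected-protocol"))
            continue
        past = history[(host, role, proto)]
        if len(past) < min_history:
            continue  # not enough baseline yet; avoid alerting on a new host
        spread = k * pstdev(past)
        if nbytes > mean(past) + spread:
            alerts.append((host, proto, "above-threshold"))
        elif nbytes < mean(past) - spread:
            alerts.append((host, proto, "below-threshold"))
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS, current=4):
        print(alert)
```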

Step 8: Have a documented and practiced incident response plan.

To meet GDPR’s 72-hour breach notification rule, organizations need threat detection controls and processes in place to alert them to incidents, but they also need a data breach response plan that allows them to quickly and accurately determine the scope of impact.

The first steps of the response plan should focus on investigating all related events to establish a timeline and determine the source of the attack and the steps needed to contain the incident.

It’s a good idea to prioritise, and document, all response and remediation tactics, as organisations will be required to inform regulators of all steps taken.

Step 9: Have a communication plan in place to notify relevant parties.

Finally, upon completion of these steps, organizations should evaluate whether personal data was breached to determine if reporting is required under GDPR.

If so, the notification that organisations are required to send to the regulatory body within 72 hours must include all of the following:

  • Describe the nature of the breach.
  • Provide the name and contact details of the organization’s data protection officer.
  • Describe the likely consequences of the breach.
  • Describe the measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects.

If personal data has been impacted, organisations will also be required to inform any affected EU citizens of the incident in question.

Preparing for GDPR can seem like a daunting task, but organisations that follow the above steps and are equipped with the right security tools and strategies can rise to the challenge and, along the way, significantly strengthen their security, particularly their threat detection and response capabilities.

Information Management:
