Countdown to GDPR – No need to panic; you’re already a pro
We’ve been hearing about the General Data Protection Regulation and its impending May 25 compliance deadline for months now, and most of the discussions have provoked fear, uncertainty and doubt (FUD) around the new data protection law.
It’s easy to see why many organizations are panicking; the GDPR imposes the most serious financial consequences of any privacy law to date (the most severe infringements will cost 20 million EUR or four percent of global revenue, whichever is greater). On top of that, non-compliance can result in lost customer trust and revenue.
But, while “GDPR-phobia” may be understandable, it’s not necessary.
Organizations have been working to comply with various government regulations for decades; the GDPR is just the latest law taking the world by storm. And the data protection methods needed to adhere to the GDPR are not new – in fact, they’re measures that have served as the foundation of information security and compliance efforts for more than 20 years.
It stands to reason that, if you know how to keep data protected, you know how to keep data protected under the GDPR. To prove it, let’s examine four GDPR technical measures designed to protect data as well as tactical best practices to achieve each. I’m willing to bet that you’re farther along the compliance path than you think.
GDPR Mandate 1: Take a risk-based approach to data protection and security.
This GDPR measure requires organizations to analyze their environment and determine the right data protection methods to remove as much risk as possible. And, as IT and security professionals, this is something we do day in and day out.
To identify and assess risk under the GDPR, you must first understand your existing network infrastructure as well as the hazards that could lead to GDPR compliance drift. There are three core elements of this orientation process that can help you determine your current risk landscape:
- Network Assets, Topologies and Policies – Knowing your assets is a fundamental component of any information security program, and it’s equally important for GDPR compliance. Knowing the inherent risks associated with each independent asset in your environment is critical to taking a risk-based approach to data protection and security. Network topologies reveal how these assets can communicate and how data travels between them, and therefore show how a compromise could spread and where points of non-compliance might arise. And network policies help you move beyond what you have (assets) and how they relate (topologies) to what is allowed within a given context and framework.
- Vulnerabilities – Vulnerability awareness answers the question: Where could it happen? It helps you determine vulnerabilities that could impact GDPR compliance and enables you to evaluate your current position in the context of threats, exposures, attackers and security hygiene.
- Threat Intelligence – The final piece of the puzzle is determining what could be exploited and how. When you apply threat intelligence to your network assets, topologies, policies and vulnerabilities, you gain knowledge of similar assets compromised in the wild; how compromise could spread; which pathways are open to exploit; and the likeliest targets within the network.
With an accurate understanding of the current risk landscape, you can create a risk-based approach to data protection and security that aligns with GDPR regulations.
GDPR Mandate 2: Establish technical measures to validate that data is protected.
Articles 5 and 30 of the GDPR require organizations to demonstrate that data is protected. To validate compliance in this way, organizations must perform regular analysis and take action when security and compliance risks are identified.
There are five standard methods of analysis that can help organizations validate that their data is protected and GDPR-compliant – security configuration assessments, attack simulations, traffic flow analysis, quantitative risk scores and audits. Your organization is likely already using at least one of these processes.
GDPR Mandate 3: Continuously monitor data protection measures.
In simple terms, this mandate requires organizations to continuously look at their network in real time to see if all is well. Non-compliance does not happen immediately after a network has been calibrated to conform to regulatory guidelines. Rather, compliance drift happens over time – slowly and often without notice.
Knowing there is a tendency to drift, European Union regulators have included guidelines within the GDPR for continuous monitoring. Article 32 of the GDPR states that organizations must have: “a process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of [data] processing.”
Organizations are called to maintain ongoing, real-time, continuous compliance. Real-time monitoring, scalable data ingest that supports high throughput, and customizable reporting – all things that your organization is likely already doing to demonstrate continuous compliance with other regulations – can help you satisfy this GDPR mandate.
GDPR Mandate 4: Correct any protection failures and notify the authorities when compromised.
Once you have acknowledged your current state, taken note of what could happen and begun monitoring real-time network drift, you can put a bow on GDPR preparation with change orchestration that enforces security at every corner of the global network. This is the only way to correct protection failures under the GDPR regime.
Security control, the essence of orchestration, is specifically called for in Article 28: “Any data processor must have technical and organizational control to ensure data protection and documentation.”
This can be a management burden because you have to account for GDPR standards with every change or provision to the network. However, orchestration gives you central control over thousands of network devices and firewalls, thousands of policies and hundreds of thousands of rules, so you can meet compliance requirements and keep your network resilient. By taking compliance standards and automating policy change, you can be confident that data is protected in perfect harmony with the GDPR.
People tend to fear what they do not understand. Even at this late stage there is still massive confusion surrounding the GDPR, and when paired with security vendor FUD, it’s easy to understand why so many organizations are worried about demonstrating compliance. However, by taking the deliberate steps outlined above, you can plan for GDPR compliance in the same way you did for previous regulatory battles. The opponent might be different, but the preparation is the same.
If your organization prioritizes a strong security program, then you already have the tools you need to achieve GDPR compliance. And knowing that, you can shake off GDPR-phobia and replace it with confidence and assurance that data protection, security and compliance are attainable – even by May 25.