GDPR

GDPR's Impact on Incident Response

Beyond user privacy, we’ve seen GDPR impact companies in other ways.

May 25, 2019 will mark the one-year anniversary of the date the General Data Protection Regulation (GDPR) went into effect. As the most far-reaching data privacy regulation ever, GDPR has certainly made an impact on companies around the world – forcing them to up their game when it comes to protecting the personal data of European Union (EU) citizens. 

But, beyond user privacy, we’ve seen GDPR impact companies in other ways too. One of the most important, from my perspective, is the effect it’s had on incident response. 

The 72-Hour Window

Article 33 of GDPR specifies that organizations must report a breach to the supervisory authority within 72 hours of detection. In the world of cybersecurity, 72 hours is no time at all. And if this alone isn’t stressful enough, there’s more: It’s not sufficient to simply report the breach; companies must include information detailing the nature of the breach, the approximate number of data subjects and personal data records impacted, the likely consequences of the breach, and measures taken or proposed to address the breach and its negative effects.

Without a pre-defined incident response plan and the right technology, people and processes in place, meeting this 72-hour window is impossible. Weeks, months, or even years is a more accurate timeframe. But as unrealistic as 72 hours might seem, failing to meet this deadline can result in heavy fines, loss of consumer trust and a damaged reputation. Rather than risk severe penalties such as these, organizations are reassessing their operational readiness to detect and respond to a breach, so they can make the 72-hour window an achievable goal.

Here’s a look at some of the most effective ways companies have revamped their incident response programs over the past year to meet GDPR’s stringent breach notification regulation: 

Technology: Implementing network visibility, policy orchestration, and data collection and analysis technology 

The only way organizations can provide the level of detail into a breach specified by GDPR is by having the right technology in place. And it all starts with visibility – because you can’t protect (or get information about) an asset if you don’t’ know it’s there.  

This is why many organizations are implementing network infrastructure monitoring technology that provides complete network visibility into data at rest, data in transit, and data in process.  But it doesn’t stop there, visibility must be sustained for all assets residing across each computing environment (on-premise, virtual, hybrid-cloud, multi-cloud, etc.). 

Once companies have an accurate understanding of the endpoints, data, and other resources living on their networks, they can create the proper zones of control, bringing each under the right network policies and access rules with automated policy orchestration. Policy orchestration helps security teams achieve continuous security and compliance with regulations like GDPR, because it enforces appropriate access rights for all corporate assets. In the event of non-compliance, policy orchestration technology makes it easier for security teams to identify where the violation occurred. Remember, as it relates to GDPR, identification, classification and protection of personally identifiable information is paramount to compliance. 

Last, but certainly not least, to meet the 72-hour breach notification deadline, companies must have technology that automates data collection and analysis. This capability is important, because, in the event of a breach, security teams must be able to quickly obtain the answers the supervisory authority requires, including how the breach happened, its duration, who it affected, the damage it caused, etc.

In today’s dynamic IT infrastructures, trying to derive these answers manually is impossible, period … never mind doing so within 72-hours. With the right technology automating these processes, though, security teams can get the information they need almost instantly.  

People: Assembling an incident response team

When it comes to incident response, there are a lot of moving parts – from performing data collection, investigation and analytics processes, to mitigating damage, to communicating to the data protection officer (DPO) and other relevant parties. That’s why it’s a good idea to assemble a breach response team beforean incident occurs. Clearly define each member’s roles and responsibilities, so they can immediately jump into action in the event of a breach. Not only will this help with GDPR breach notification requirements, but it will also help limit the negative effects of a breach.

Processes: Implementing data protection impact assessments

Data protection impact assessments are an important part of GDPR; data controllers are required to perform assessments to identify risks to user data before beginning data processing activities. But conducting post-breach impact assessments is also important, because they allow the incident response team to determine if other information is at risk, from either a security or compliance perspective. Developing these post-breach impact assessments early on and having them at the ready can help response teams execute them quickly following a breach to prevent other system attacks and network compromises. 

GDPR Strengthens Incident Response

In today’s cybersecurity landscape, it’s no longer a matter of “if” a company gets breached, but “when.” Limiting the damage of a breach is the next best alternative to preventing a breach in the first place, and an effective incident response strategy allows companies to do just this. 

While strong incident response is certainly not the primary purpose of GDPR, it sure is a nice bi-product of the legislation – one that allows organizations to not only meet the 72-hour breach notification deadline, but to contain damage and mitigate additional risk in the process.


Featured

  • Accelerating a Pathway

    There is a new trend touting the transformational qualities of AI’s ability to deliver actionable data and predictive analysis that in many instances, seems to be a bit of an overpromise. The reality is that very few solutions in the cyber-physical security (CPS) space live up to this high expectation with the one exception being the new generation of Physical Identity and Access Management (PIAM) software – herein recategorized as PIAM+. Read Now

  • Protecting Your Zones

    It is game day. You can feel the crowd’s energy. In the parking lot. At the gate. In the stadium. On the concourse. Fans are eager to party. Food and merchandise vendors ready themselves for the rush. Read Now

  • Street Smarts

    The ongoing acceptance of AI and advanced data analytics has allowed surveillance camera technology to shift from being a tactical tool to a strategic business solution. Combining traditional surveillance technology with AI-based data-driven insights can streamline transportation systems, enhance traffic management, improve situational awareness, optimize resource allocation and streamline emergency response procedures. Read Now

  • The Progress of Biometrics

  • Next-Gen AI for Smart Cities

    The future of smart city technology is not being shaped in Silicon Valley — it is taking root in Dubuque, Iowa. With a population of about 60,000, this mid-sized city has become a live testbed for AI-driven traffic management thanks to a unique public-private collaboration led by Milestone Systems. Project Hafnia demonstrates how cities can transform urban mobility and safety through Responsible Technology—without costly infrastructure overhauls. Read Now

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.