GDPR

GDPR's Impact on Incident Response

Beyond user privacy, we’ve seen GDPR impact companies in other ways.

May 25, 2019 will mark the one-year anniversary of the date the General Data Protection Regulation (GDPR) went into effect. As the most far-reaching data privacy regulation ever, GDPR has certainly made an impact on companies around the world – forcing them to up their game when it comes to protecting the personal data of European Union (EU) citizens. 

But, beyond user privacy, we’ve seen GDPR impact companies in other ways too. One of the most important, from my perspective, is the effect it’s had on incident response. 

The 72-Hour Window

Article 33 of GDPR specifies that organizations must report a breach to the supervisory authority within 72 hours of detection. In the world of cybersecurity, 72 hours is no time at all. And if this alone isn’t stressful enough, there’s more: It’s not sufficient to simply report the breach; companies must include information detailing the nature of the breach, the approximate number of data subjects and personal data records impacted, the likely consequences of the breach, and measures taken or proposed to address the breach and its negative effects.

Without a pre-defined incident response plan and the right technology, people and processes in place, meeting this 72-hour window is impossible. Weeks, months, or even years is a more accurate timeframe. But as unrealistic as 72 hours might seem, failing to meet this deadline can result in heavy fines, loss of consumer trust and a damaged reputation. Rather than risk severe penalties such as these, organizations are reassessing their operational readiness to detect and respond to a breach, so they can make the 72-hour window an achievable goal.

Here’s a look at some of the most effective ways companies have revamped their incident response programs over the past year to meet GDPR’s stringent breach notification regulation: 

Technology: Implementing network visibility, policy orchestration, and data collection and analysis technology 

The only way organizations can provide the level of detail into a breach specified by GDPR is by having the right technology in place. And it all starts with visibility – because you can’t protect (or get information about) an asset if you don’t’ know it’s there.  

This is why many organizations are implementing network infrastructure monitoring technology that provides complete network visibility into data at rest, data in transit, and data in process.  But it doesn’t stop there, visibility must be sustained for all assets residing across each computing environment (on-premise, virtual, hybrid-cloud, multi-cloud, etc.). 

Once companies have an accurate understanding of the endpoints, data, and other resources living on their networks, they can create the proper zones of control, bringing each under the right network policies and access rules with automated policy orchestration. Policy orchestration helps security teams achieve continuous security and compliance with regulations like GDPR, because it enforces appropriate access rights for all corporate assets. In the event of non-compliance, policy orchestration technology makes it easier for security teams to identify where the violation occurred. Remember, as it relates to GDPR, identification, classification and protection of personally identifiable information is paramount to compliance. 

Last, but certainly not least, to meet the 72-hour breach notification deadline, companies must have technology that automates data collection and analysis. This capability is important, because, in the event of a breach, security teams must be able to quickly obtain the answers the supervisory authority requires, including how the breach happened, its duration, who it affected, the damage it caused, etc.

In today’s dynamic IT infrastructures, trying to derive these answers manually is impossible, period … never mind doing so within 72-hours. With the right technology automating these processes, though, security teams can get the information they need almost instantly.  

People: Assembling an incident response team

When it comes to incident response, there are a lot of moving parts – from performing data collection, investigation and analytics processes, to mitigating damage, to communicating to the data protection officer (DPO) and other relevant parties. That’s why it’s a good idea to assemble a breach response team beforean incident occurs. Clearly define each member’s roles and responsibilities, so they can immediately jump into action in the event of a breach. Not only will this help with GDPR breach notification requirements, but it will also help limit the negative effects of a breach.

Processes: Implementing data protection impact assessments

Data protection impact assessments are an important part of GDPR; data controllers are required to perform assessments to identify risks to user data before beginning data processing activities. But conducting post-breach impact assessments is also important, because they allow the incident response team to determine if other information is at risk, from either a security or compliance perspective. Developing these post-breach impact assessments early on and having them at the ready can help response teams execute them quickly following a breach to prevent other system attacks and network compromises. 

GDPR Strengthens Incident Response

In today’s cybersecurity landscape, it’s no longer a matter of “if” a company gets breached, but “when.” Limiting the damage of a breach is the next best alternative to preventing a breach in the first place, and an effective incident response strategy allows companies to do just this. 

While strong incident response is certainly not the primary purpose of GDPR, it sure is a nice bi-product of the legislation – one that allows organizations to not only meet the 72-hour breach notification deadline, but to contain damage and mitigate additional risk in the process.


Featured

Featured Cybersecurity

Webinars

New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3