[BreachExchange] EU General Data Protection Regulation: Five Questions to ask your CISO

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 17 18:09:13 EST 2017


https://www.scmagazineuk.com/eu-general-data-protection-
regulation-five-questions-to-ask-your-ciso/article/630898/

The European General Data Protection Regulation (GDPR) comes into force on
25 May 2018, and it will have a huge impact on the way businesses store and
collect personal information belonging to persons located in the European
Union (EU). The regulation applies to all businesses that hold and process
data that was collected in the European Union, regardless of their location.

Before GDPR, the EU relied on the 1995 Data Privacy Directive. The Data
Privacy Directive proved hard to enforce, and compliance levels varied
across the EU. While countries like Germany and the Netherlands employed
rigorous controls, there were some countries with virtually no controls
whatsoever. The GDPR will tackle this issue and ensure all countries deploy
comprehensive controls to keep EU citizens' data safe.

The new GDPR rules are in the form of a regulation—imposing data protection
standards that should, in theory, be the same in all 28 EU Member States.
Any organisation that falls foul of the regulation will face fines that
could be as high as four percent of their global annual turnover or €20
million (£17 million), whichever is higher. Fines of this magnitude could
essentially put companies out of business. It is, therefore, critical that
organisations start getting their house in order now. However, this is not
a simple process, and many organisations will have to deploy technology
solutions to help them become compliant with the regulation.

To help organisations understand how the requirements of GDPR affect them,
here are five important questions which IT teams should be asking their
CISOs to help get their house in order:

Do we have a good understanding of the data we hold and where it resides?

One of the first things IT teams need to do is a Data Assessment Report.
This requires organisations to locate any sensitive PII data they are
holding and document how the data is collected. This detailed assessment
must be kept on hand and ready for regulatory inspection or compliance
audits.

However, one of the key challenges is finding that data. When you are a
large organisation, this will take more than just a call to your IT
department. This is one of the major challenges of GDPR and an issue which
all businesses must address.

Who has access rights to the private data and who does access it and why?

One of the clear requirements of GDPR is being able to limit who has access
to certain information and making sure that access is authorised and
reflects any changes within the business.  It's important to analyse
policies on data handling, including test data  usage, data  retention, and
data destruction.

It is also very important that businesses understand why someone is
accessing personal data. Just because they have a certain position in a
company does not automatically give them the right to access all data
sources.

How do we monitor who accesses the data, could we detect and investigate a
breach?

One of the biggest requirements of GDPR is that any company that
experiences a data breach must publicly acknowledge the breach and notify
the local Data Protection Authorities (DPA) in the member states where the
people affected by that breach reside. Businesses must notify the DPA
within 72 hours of identification or confirmation of the breach. They must
be able to tell them what data was breached, how many records were taken
and provide a member state specific report around the infringement. This
requirement essentially means all businesses need to be able to understand
who accessed the data, what activity they performed and when they performed
it. This is an area where it is important to have strong technology
solutions in place, so the business can easily provide the requested
information within the 72 hour window.

Do we know how we will minimise the volume of private data used in
non-productive systems?

GDPR requires businesses to minimise the data they retain, particularly
when they don't actually need it for day-to-day operations. If an
organisation does not need the data for business or compliance purposes
then the regulation states they should purge the data in a legally
compliant manner.

Do we know how we could prevent database data from being accessed of
transferred outside the country/ the EU?

The GDPR imposes restrictions on the transfer of personal data outside the
European Union, to third countries or international organisations, to
ensure that the level of protection of individuals afforded by the GDPR is
not undermined. This means that organisations will need a clear
understanding of where they are transferring data to and if the
jurisdiction in which the recipient is located is deemed to provide an
adequate level of data protection. Data monitoring technology will play a
key role in monitoring activity in real time to prevent data transfers from
occurring –even by accident.

Businesses must act now

The GDPR will greatly impact the way businesses collect, store and transfer
data, and it is imperative that organisations begin to lay the groundwork
now.

Preparation will include carrying out assessments of data, establishing
budgets for new technology and implementation of the new processes and
solutions to help businesses become compliant with the regulation.

This may seem like a daunting task for many organisations, however the
outcome will ensure a much more secure environment for personal data, which
can only be seen as a positive step.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170217/ed9d311c/attachment.html>


More information about the BreachExchange mailing list