GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. And non-compliance could cost companies dearly. Here’s what every company that does business in Europe needs to know about GDPR.
GDPR Explained: Drivers
Data privacy has become a central concern of the international community. Every time we buy a product online, pay our taxes or use a service, we have to hand over some of our personal data, and theft of that data exposes us to significant personal risks.
Even without our knowledge, information about us is being generated and captured by companies and agencies we are likely to have never consciously interacted with. Big data analysis techniques enable organizations to track and predict individual behavior and can be used for control and persuasion.
In response to this growing public concern, data protection principles have been devised in more than 100 countries worldwide.
GDPR Explained: Scope
All organizations that have customers, business partners or employees in the EU fall under the scope of the regulation.
We’ve identified 6 groups of GDPR proposals related to cybersecurity:
- Data Subject Rights
To be informed about processing of their personal data, to have access to the data, to be forgotten, to be notified about a data breach, and so on. These rights, together with the privacy principles, dictate the implementation of security controls and the management of the personal data lifecycle.
- Privacy Principles (Privacy By Design and Privacy By Default)
Companies should build privacy principles such as integrity and confidentiality, accountability and compliance, and data minimization into their systems by design and by default.
- Data Protection Officer Duties
DPO duties include advising the organization of its obligations pursuant to the regulation and monitoring compliance with the regulation. Thus, organizations shall provide the DPO with the ways and means to monitor the compliance of IT systems.
- Data Protection Impact Assessment
DPIA includes such tasks as identification of data flows, evaluation of security controls, assessing effects of a presumed data breach and mitigating privacy risks.
- GDPR Technical Cybersecurity Requirements
In Article 32, GDPR requires that the “controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”. It names four classes of such measures:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- Data Breach Notification
Organizations shall monitor access to personal data and the effectiveness of security controls in order to detect data breaches in their systems. If a data breach is likely to result in a risk to the rights of natural persons, the organization shall notify the supervisory authority. If the risk is high, the organization shall also notify the affected data subjects.
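The first class of Article 32 measures, pseudonymization, is easy to get wrong: an unkeyed hash of an e-mail address can be reversed by hashing a list of plausible addresses, and a mapping table stored next to the dataset defeats the purpose. The following is an added example (not code from the original article) showing keyed, purpose-separated pseudonyms plus a separately held vault that supports controlled re-identification and erasure; the HMAC key, the purposes and the customer records are constructed for the example.

```python
import hashlib
import hmac
import secrets


def keyed_pseudonym(identifier, key, purpose):
    """Deterministic pseudonym: HMAC-SHA256 over the identifier, domain-separated
    by purpose. The same person maps to the same pseudonym within one purpose, so
    records stay linkable for analytics, but different purposes cannot be joined,
    and without the key the value cannot be brute-forced from a list of candidates
    the way an unkeyed SHA-256 of an e-mail address could be."""
    msg = purpose.encode("utf-8") + b"\x00" + identifier.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


class PseudonymVault:
    """Holds the HMAC key and the pseudonym -> identifier lookup.

    GDPR's definition of pseudonymisation requires this additional information
    to be kept separately from the pseudonymised data, so in a real deployment
    this object would live in a different system (and trust zone) from the
    dataset it feeds. Hypothetical helper written for this example."""

    def __init__(self, key=None):
        # A fresh 256-bit key per vault unless one is injected (e.g. from a KMS).
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}  # (purpose, pseudonym) -> original identifier

    def pseudonymise(self, record, id_field, purpose):
        """Return a copy of `record` with `id_field` replaced by its pseudonym."""
        identifier = record[id_field]
        pseudo = keyed_pseudonym(identifier, self.key, purpose)
        self._lookup[(purpose, pseudo)] = identifier
        out = dict(record)
        out[id_field] = pseudo
        return out

    def reidentify(self, pseudo, purpose):
        """Controlled reverse lookup; returns None if unknown or already erased."""
        return self._lookup.get((purpose, pseudo))

    def erase_subject(self, identifier):
        """Right-to-be-forgotten support: drop every mapping for one person, so the
        pseudonymised records that remain can no longer be tied back to them.
        Returns the number of mappings removed."""
        doomed = [k for k, v in self._lookup.items() if v == identifier]
        for k in doomed:
            del self._lookup[k]
        return len(doomed)


# Constructed sample records (not real customers).
CUSTOMERS = [
    {"email": "a.person@example.com", "country": "DE", "spend": 120},
    {"email": "b.person@example.com", "country": "FR", "spend": 45},
    {"email": "a.person@example.com", "country": "DE", "spend": 30},
]


def pseudonymise_dataset(vault, records, purpose):
    """Pseudonymise a whole dataset for one purpose; the result holds no raw e-mails."""
    return [vault.pseudonymise(r, "email", purpose) for r in records]


if __name__ == "__main__":
    vault = PseudonymVault()
    analytics = pseudonymise_dataset(vault, CUSTOMERS, "analytics")
    for row in analytics:
        print(row)
    # Two orders by the same person share a pseudonym, so per-customer totals still work.
    print("lookup:", vault.reidentify(analytics[0]["email"], "analytics"))
    print("erased mappings:", vault.erase_subject("a.person@example.com"))
    print("after erasure:", vault.reidentify(analytics[0]["email"], "analytics"))
```

The 32-hex-character truncation keeps 128 bits of the HMAC output, which is more than enough to avoid collisions across any realistic customer base; the important design choices are the secret key and the per-purpose domain separation, not the output length.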
GDPR Explained: Tasks
These proposals imply performing a set of security tasks. The following figure illustrates the idea:
Once an IT system is identified as being in the scope of GDPR, the first step is to assess the system's data processes: identify the personal data processed in the system, find the users who have access to that data, evaluate the security controls, and identify the risks to data subjects in case of a data breach.
The second step is mitigating identified risks: restrict access to personal data, implement security controls, and configure blocking and erasing rules for personal data.
The third step is to detect breaches and respond to them. We have to monitor access to personal data, detect ongoing cyberattacks, and prepare incident response plans.
It is noteworthy that GDPR, in many different ways, requires monitoring of access to the data and of the effectiveness of security controls. I expect we’ll see a large number of GDPR-related use-cases in SIEM and incident management tools.
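The third step above, monitoring access to personal data to detect a breach in progress, is the kind of SIEM use-case the last paragraph anticipates. As an added example (not code from the original article), the block below runs two detection rules over constructed audit-log lines: a read of a personal-data table by a principal not on its authorised-reader list, and one user touching an unusual number of distinct records inside a short window, the pattern of a bulk export. The log format, the table names, the authorised-reader policy and the threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical policy, constructed for this example: which tables hold personal
# data, and which principals may legitimately read each of them.
PERSONAL_DATA_TABLES = {"customers", "employees"}
AUTHORISED_READERS = {
    "customers": {"alice", "carol", "crm_app"},
    "employees": {"hr_app"},
}
BULK_THRESHOLD = 20              # distinct records per user and table ...
BULK_WINDOW = timedelta(minutes=5)  # ... within this sliding window

# Assumed audit-line format: "<ISO time>Z user=<u> action=<a> table=<t> record=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) record=(?P<record>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one audit line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    return event


def detect_personal_data_misuse(lines):
    """Return a list of alert dicts for unauthorised and bulk access to personal data."""
    alerts = []
    accesses = defaultdict(list)  # (user, table) -> [(ts, record), ...]
    for line in lines:
        event = parse_line(line)
        if event is None or event["table"] not in PERSONAL_DATA_TABLES:
            continue  # malformed, or not a personal-data table: out of scope
        if event["user"] not in AUTHORISED_READERS.get(event["table"], set()):
            alerts.append({
                "rule": "unauthorised_access",
                "user": event["user"],
                "table": event["table"],
                "detail": f"record {event['record']} at {event['ts'].isoformat()}",
            })
        accesses[(event["user"], event["table"])].append((event["ts"], event["record"]))

    # Sliding-window count of distinct records per (user, table); fire at most once each.
    for (user, table), events in accesses.items():
        window = deque()
        for ts, record in sorted(events):
            window.append((ts, record))
            while window[0][0] < ts - BULK_WINDOW:
                window.popleft()  # drop accesses that fell out of the window
            distinct = {r for _, r in window}
            if len(distinct) >= BULK_THRESHOLD:
                alerts.append({
                    "rule": "bulk_access",
                    "user": user,
                    "table": table,
                    "detail": f"{len(distinct)} distinct records within {BULK_WINDOW}",
                })
                break
    return alerts


def build_sample_log():
    """Constructed audit lines: routine reads by alice and bob, one read by a
    backup service account that is not an authorised reader, and a burst by
    carol that walks through 25 customer records in 25 seconds."""
    base = datetime(2024, 5, 6, 9, 0, 0)
    lines = [
        f"{base.strftime(TS_FMT)} user=alice action=read table=customers record=1001",
        f"{(base + timedelta(seconds=5)).strftime(TS_FMT)} user=alice action=read table=customers record=1002",
        f"{(base + timedelta(minutes=1)).strftime(TS_FMT)} user=bob action=read table=orders record=77",
        f"{(base + timedelta(minutes=2)).strftime(TS_FMT)} user=svc_backup action=read table=customers record=1003",
    ]
    burst_start = base + timedelta(minutes=3)
    for i in range(25):
        ts = (burst_start + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{ts} user=carol action=read table=customers record={1001 + i}")
    return lines


if __name__ == "__main__":
    for alert in detect_personal_data_misuse(build_sample_log()):
        print(alert)
```

Both rules are intentionally simple: the authorisation check is the access-restriction outcome of step two turned into a detection, and the volume rule flags the behaviour a breach most often looks like in the logs even when the account itself is legitimate. In a real SIEM the reader list would come from the access-control system and the threshold from a baseline of normal per-user activity.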
Advantages over a Traditional Server
There are many advantages of virtualisation:
- Save on expensive hardware upgrades
- Save on electricity bills for the server
- No need to worry about power outages
- Eliminate the risk of hardware failures
- No more virus concerns
- More environmentally friendly
- Improve business continuity
- The ability to expand quickly without buying extra hardware
- Become GDPR compliant