The General Data Protection Regulation (GDPR) is legislation aimed at protecting the personal data of European Union (EU) citizens. The GDPR applies to any company doing business with an EU organization or individual. If an organization offers goods or services, maintains offices, or operates a website in the EU, the GDPR likely applies.
The GDPR affects security professionals in two key areas: reporting data breaches and data protection by design. This means organizations are subject to a specific obligation to incorporate data protection considerations into their service, process, or product from the onset of operations, and not as an afterthought, as is often the case.
Under the GDPR, it is fundamental that a business be able to determine when a breach occurred and how attackers compromised its defenses. Given the considerable penalties, failing to build this capability could prove financially crippling to companies affected by the GDPR.
This regulation dramatically raises the bar on data breach reporting, requiring organizations to report within 72 hours of becoming aware of a breach. Organizations must urgently review their operational and technological arrangements to satisfy this GDPR requirement.
Under the GDPR, data protection and processing safeguards must become part of the DNA of all systems and processes. Privacy must be one of the pillars of new application development and new processes, and not an afterthought or a last-minute workaround.
The GDPR is a major change to the way EU personal data should be processed. The GDPR is also universally applicable; if organizations want to do business in the EU, they will need to comply with the GDPR. In response, security teams need to develop a number of capabilities to meet the demands of the GDPR around breach reporting and data protection by design.
In 2017, it took organizations an average of 101 days to detect a compromise. Once detected, organizations spent an average of a week to respond. This represents a huge risk in light of the GDPR’s reporting requirements and the possible penalties that could follow.
The GDPR calls for the introduction of a number of organizational changes to manage data. This may include staffing additions, such as appointing a data control officer and a data processor officer. A data controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. A data processor is the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Depending on the severity of the infraction, noncompliance with the GDPR can result in formidable consequences, including fines of up to €20m or four percent of an organization’s global annual revenue — whichever is greater. At first glance, GDPR compliance might seem intimidating. But, with some planning, it can be an achievable goal. Download the infographic to learn how your security team can effectively manage GDPR requirements.
The audit and compliance communities are scrambling to understand this new regulation, which requires a thorough understanding of big data. The industry-wide shortage of staff with a technical background and knowledge of big data leaves most organizations unprepared to keep up with GDPR compliance requirements.
When it comes to GDPR compliance, many security professionals don’t know where to start or how to accurately interpret the regulation. Learn the facts and key considerations needed to help your security team tackle the GDPR.
LogRhythm’s Compliance Module is included free of charge for LogRhythm NextGen SIEM Platform customers. The module utilizes several unique LogRhythm capabilities such as: