The General Data Protection Requirement (GDPR) is essentially about privacy. It relies on cyber security controls to ensure that legitimately used Personally Identifiable Information (PII) is adequately protected against the numerous threats that could serve to defraud or harm us as individual citizens.
GDPR covers 173 recitals and 98 articles. I want to bring your attention to one very important passage: at the start of Section 2 is Article 32, ‘Security of processing.’ It makes a short but important point. It states that organisations should have adequate controls in place to protect any PII that’s required.
This is Cyber Security Awareness Month. GDPR is about being compliant, but it’s also about your company being aware of GDPR and of the implications of failing to comply.
The new regulations aren’t inherently complex or massively different to the aims of the Data Protection Act that came into effect in 1998. In the last 20 years the world has moved on, with the proliferation of data and of the purposes for which it is used. It means we’ve got to update our approach to reflect the way PII is used and, unfortunately, abused.
Your organisation needs to know how the PII it hosts is used: how it comes into your business’ systems, how it is moved around and where it resides. By undertaking a data audit, you will highlight where you are most likely to be at risk. It’s almost certainly in the areas where you least expect data to reside. Without an awareness of the scope of the challenge, budgeting for and ultimately complying with GDPR is likely to be a futile exercise.
You also need to be aware of any attempts to breach your cyber security defences. Speaking as a forensics investigator, it is a failure to detect suspected breaches that generally leads to the pain associated with a data compromise. Picking up on threats as soon as they become apparent will generally neutralise the situation, putting you in a defensible position when proving you are compliant with GDPR.
Finally, you need to be aware of whom to call in the event of a suspected compromise. The sooner you engage your incident response partner, the sooner you will get on top of the situation and be in a position to stave off the fallout from a data compromise.
Foregenix has considerable experience in the field of data compliance and incident response. We work with a range of solutions and services partners to provide the breadth of knowledge required to help your organisation achieve and maintain GDPR compliance.
GDPR will become EU law on 25 May 2018 and it will apply to all UK businesses regardless of the country’s status within the Union.