What is GDPR?
At its core, GDPR is a new set of rules designed to give citizens more control over their data. It aims to simplify the regulatory environment for business so both citizens and businesses can fully benefit from the digital economy.
The reforms are designed to reflect the world we live in now, and bring laws and obligations across Europe up to date for the internet-connected age.
Fundamentally, almost every aspect of our lives revolves around data. From social media companies, to banks, retailers, and governments -- almost every service we use involves the collection and analysis of our personal data. Your name, address, credit card number and more all collected, analyzed and, perhaps most importantly, stored.
From May 25, 2018, the European Union General Data Protection Regulation (EU GDPR) applies to every organization that processes the personal data of people in the EU, regardless of where that organization is located. If your company is based in the U.S., for example, but sells to EU customers, you still have to comply with the regulation.
The 261 pages of the GDPR contain a great deal of detail. Hidden within are 5 key things you need to be aware of:
72-Hour Data Breach Notification
In the event of a personal data breach, data controllers must notify the competent supervisory authority (Article 33). Notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, it must be accompanied by the reasons for the delay.
Notification is not required if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons,” a phrase that will no doubt give data protection officers and their outside counsel plenty to debate. A notification to the authority must “at least”: (1) describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned; (2) give the name and contact details of the data protection officer or another contact point; (3) “describe the likely consequences of the personal data breach”; and (4) describe the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. If all of the information is not available at once, it may be provided in phases without undue further delay.
Organizations Need Better Breach Detection Solutions
Although GDPR is clear that the supervisory authority must be notified within 72 hours of becoming aware of a breach (and that affected individuals must be told without undue delay when the breach is likely to result in a high risk to them), many businesses lack a proper notification plan, and some still lack the tools needed to detect a breach in the first place.
A binding deadline is what earlier regulations lacked, and it is the most significant challenge organizations will face: 72 hours is not much time for what amounts to an entire crisis management response. In a smaller business the key stakeholders may all be in the same building, but in a larger business they may be spread across the globe in different time zones.
You have less than 3 days from becoming aware of the breach to notify the supervisory authority, and you will probably not have the full story by then. The known scope of a breach grows over time as the investigation widens, but the clock does not wait for that; this is why the regulation allows the notification to be completed in phases, starting with what is known at the time.
Failure to comply with the breach notification requirement can result in significant fines. Note that the 72 hours run from the moment the controller becomes aware of the breach, not from the moment the attacker got in: a long attacker dwell time is not itself a notification violation, but it does mean a larger breach to report. How large are the fines? Infringements of the notification obligations fall in the lower of GDPR's two tiers, up to €10 million or 2% of worldwide annual turnover, whichever is higher; the top tier, for violations of the core data protection principles and data subject rights, is €20 million or 4% of worldwide annual turnover, which can translate into billions of dollars for a multinational corporation. No previous data protection regulation has carried penalties this large.
Achieving Faster and More Accurate Incident Response
Legacy data protection technologies such as SIEM systems rely on log data forwarded from third-party sources, and detecting and identifying a breach from that data can take up to a week. At Holonet, we have developed our own data collector that does not depend on third-party log input, which allows us to provide near real-time anomaly detection on data movement.
Another question that will keep Data Protection Officers up at night is “Did we miss anything?” Without knowing the full scope of an incident, the extent of containment is also unknown. The attack window may still be open, with data still leaving the business.
Most GDPR experts advise their clients to discover and classify their PII. A client may have spent millions discovering and classifying all the PII it could think of, but until you know the full details of the incident you cannot say the threat has been eliminated. The attacker, whether internal or external, may have multiple ways to gain access and extract data, and could still be using those alternate channels.
Holonet OnFire Can Help
OnFire automatically and actively scans for and tracks sensitive PII data in motion 24 x 7 x 365. When sensitive PII data in motion is detected, alerts are sent to the security team immediately. OnFire does not need to know where the data resides: whenever anomalous or abnormal data movement occurs, OnFire detects it and provides instant notification. In either case, OnFire can immediately identify “suspects” with our patent-pending Network Hologram technology, which functions like a digital camera in cyberspace.
HoloNet Security automatically uncovers the hidden relationships among four security vectors (users, devices, applications, and data) and reconstructs them so that every piece of sensitive data is linked to its actual user in real time. Instead of weeks or months of manual procedures, security teams can simply “replay” and instantly see what happened during any security incident investigation.