Preparation for GDPR has been underway for the last two years. Although last month’s deadline has passed and GDPR is now in effect, there are still many companies in the EU and the rest of the world for that matter, that are still not 100% compliant. A recent survey by Spiceworks revealed that only 25 percent of US companies were thought to be compliant when GDPR went into force. Many of these companies are waiting in anticipation to see the first results and the impact the new legislation will bring once a new major breach has been uncovered. As we wait for that first announcement in the news, the chances are that many new breaches have most likely already occurred post-May 25th but are still yet to be detected and disclosed. Dixons Carphone may be the first, announcing a huge data breach last week involving 5.9 million payment cards and 1.2 million personal data records, but the breach was reported to have taken place last year, pre-GDPR, so the consequences are somewhat unclear.
GDPR is unique in that it is the first major regulation to focus on the end scenario, the impact and aftermath of a breach, especially to the individual, as opposed to focusing solely on the prevention and controls put in place by organizations to prevent a breach in the first place. What seems to have caused the most confusion is that there doesn’t seem to be that “one size fits all” approach for companies to meet GDPR compliance and there have been many different interpretations. Companies must be able to prove they have carried out the necessary risk assessments and put the appropriate policies, processes, and procedures in place given all the risks involved.
Historically it has been more common to associate security controls in conjunction with breach prevention, but today cybersecurity strategies have been turned on their head and security operations teams must assume that a breach has or will occur. It is no longer the “if” scenario and focus is now fully on the “when” scenario. This change in mindset puts incident response, in particular data breach notification and reporting processes, at the forefront of reducing the risk of a data breach as opposed to being an afterthought. Organizations under GDPR now have to notify EU authorities within 72-hours and have to prove that their security programs and responses were appropriate to the situation.
If you are not quite fully GDPR compliant yet, there is no time to wait. Here are 5 steps you should take without due delay.
1. Establish Roles and Responsibilities
Data Protection Officer (DPO) is the latest new job title being created within many organizations. Main responsibilities of the DPO include providing advice on security controls, processes and procedures within the organization, as well as acting as the main point of contract for the supervisory authority. The DPO is not the only role that may be required though, as a proper incident response plan will require many additional roles including an incident response coordinator, legal and compliance resources and human resources to name a few. Stakeholders within the organization will need to be aware of how to effectively put the plans into action. If you are yet to define roles and responsibilities, this is a key first step when tackling GDPR.
Under GDPR it is important to understand what data exists, where it is located, who has access to it and for what purpose it is being used. Only the minimum amount of data to perform the task should be collected and processed and it should not be retained for longer than necessary. If data within the company is unknown then it can’t be protected, putting the company at risk. Knowing where data exists is crucial during incident response and breach notification to ensure you do a comprehensive audit of your business and the data it holds.
To respond to a security incident, a thoroughly planned and documented approach is required to maximize its effectiveness. Without structure and documented processes and procedures in place, an incident response attempt could turn into complete mayhem. The process should comprise of the appropriate tools and tasks, as well as personnel required to respond to the incident, ensuring it covers all scenarios whether large or small. It is also important to document both the high-level plan, as well as the more detailed workflows for handling specific types of security incidents (e.g. runbooks and playbooks). Having this documentation and associated processes and procedures in place will help your organization to demonstrate that a formalized, repeatable process using an appropriate response was followed during a potential breach.
4. Test the Plan Regularly
Having a documented plan is one thing, but ensuring it works and is fully tested is another. GDPR not only requires that security controls are in place but also states that they should be tested and evaluated on a regular basis. This will most likely vary from organization to organization, but we would recommend it should take place at least once a year and include exercises such as breach simulations. As well as meeting this requirement under GDPR it also helps to ensure that all stakeholders within the incident response process are up to date and familiar with their respective role and responsibilities.
5. Ensure Reporting Practices and Proficiencies
The GDPR breach reporting and notification element is probably one of the most challenging aspects to comply with, as 72 hours is a relatively short window to detect, remediate, report on and notify all parties of an incident. Organizations need to be able to gather and analyze large amounts of data from multiple sources, as well as make sense of the data before notifying stakeholders internally and externally. Implementing automated procedures for collecting data and preparing detailed reports based on incident and forensic data is essential, as well as having documented processes in place for issuing notifications to potentially hundreds of thousands of individuals.
As we already know, data breach detection and incident response are never going to be a straightforward process for any organization but GDPR has now leveled the playing field to ensure that all companies are meeting the same baseline requirements or face the possibility of hefty fine and public scrutiny. It is now a critical time for organizations to ensure they have detailed and documented incident response plans and procedures in place to deal with any incident should it occur, as well as the tools they need to help them to more easily comply with the requirements.
If your security operations team is looking for assistance with its incident response program and tools to help the organization to demonstrate GDPR compliance as well as breach notification requirements, these useful resources may help. Read our DFLabs IncMan for GDPR solution brief and whitepaper about Increasing the Effectiveness of Incident Management to learn more.