Get ready! The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. At its heart is a profound respect for privacy, with the aim of protecting the rights and freedoms of individuals in the EU. Its major principles and concerns include: data protection officers (DPOs), data protection by design, data breach notification, international data transfers, compensation and liability, and the investigative, corrective, and advisory powers of supervisory authorities.
The GDPR replaces the 1995 Data Protection Directive (95/46/EC) and, as a regulation rather than a directive, applies directly in every EU member state, harmonizing pan-European privacy law. Given the continuing increase in cyber threats, from criminals to nation states, the GDPR sets forth new obligations and procedures, backed by steep fines for non-compliance.
The GDPR has global implications and reach. Any organization that holds or processes the personal data of individuals in the EU must comply, regardless of where it is located or how its data architecture is laid out; organizations established in the EU must comply regardless of where the data itself is stored or processed. The regulation's definition of personal data is broad: it covers any information relating to an identifiable person, including behavioral data and online identifiers such as cookies, device IDs, and IP addresses. It applies equally to free services and product offerings.
The GDPR will continue to take shape after it takes effect. The text of the regulation is fixed, but supervisory authorities and the Article 29 Working Party (which becomes the European Data Protection Board on May 25, 2018) continue to issue guidance that refines how its requirements are interpreted and enforced. Affected organizations are well advised to monitor these developments and to track compliance as part of regular business operations and practices.
The GDPR's obligations fall into three basic areas: Assessment, Prevention, and Detection. Even before May 25, 2018, organizations should conduct data protection impact assessments (Article 35) as part of their regular IT security practices.
While much of the work is good hygiene (encryption, auditing, central administration, firewalls, change tracking, and so on), care and diligence with privacy as a first principle should be integral to an organization's IT policies and practices.
The GDPR makes what is required clear across Europe. Assessment, prevention, and detection are critical for reducing risk in a corporate environment with or without the GDPR; the fines (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher) make them compelling for companies that want to avoid those costs.
A well-managed IT security program that treats data privacy and protection as a core principle and seeks to fulfill the spirit of the GDPR will both minimize corporate IT-related risk and reduce exposure to non-compliance fines.
Demonstrating compliance starts with prevention: traditional antivirus (AV) handles known malware, and next-generation antivirus (NGAV) reduces the effectiveness of zero-day attacks. The most important technologies, however, are those that detect and respond to adversaries already inside the environment (EDR), who may be using fileless malware, exploits, privilege escalation, beacons, backdoors, lateral movement, scanners, and other tools that bypass legacy prevention entirely.
It is important to use technologies that can find the needle in the haystack: the attacker navigating the corporate environment. In practice this means an Enterprise Attack Protection (EAP) strategy that is integrated with IT processes, risk management oversight, and overall corporate operations.
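One concrete instance of finding that needle is spotting a command-and-control beacon: an implant that calls home on a fixed timer produces a connection cadence far more regular than any human browsing. The following is an added example, not Cybereason's code or any product's detection logic; it runs over constructed proxy-style log lines (the hosts, addresses, and timings are made up) and flags source/destination pairs whose inter-connection gaps have low jitter. The `min_events` and `max_cv` thresholds are assumed tuning knobs.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed network log, one event per line: "<ISO 8601 UTC> <source host> <destination> <bytes>".
# ws-017 contacts 203.0.113.5 roughly every 60 s (beacon-like); ws-042 browses irregularly.
SAMPLE_LOG = """\
2018-05-01T10:00:00Z ws-017 203.0.113.5 412
2018-05-01T10:00:05Z ws-042 198.51.100.7 9031
2018-05-01T10:00:09Z ws-042 198.51.100.7 120
2018-05-01T10:01:01Z ws-017 203.0.113.5 410
2018-05-01T10:02:00Z ws-017 203.0.113.5 415
2018-05-01T10:02:40Z ws-042 198.51.100.7 2210
2018-05-01T10:02:41Z ws-042 198.51.100.7 87
2018-05-01T10:03:02Z ws-017 203.0.113.5 411
2018-05-01T10:03:59Z ws-017 203.0.113.5 413
2018-05-01T10:05:01Z ws-017 203.0.113.5 409
2018-05-01T10:06:00Z ws-017 203.0.113.5 414
2018-05-01T10:07:01Z ws-017 203.0.113.5 412
2018-05-01T10:09:30Z ws-042 198.51.100.7 16044
2018-05-01T10:15:00Z ws-042 198.51.100.7 503
2018-05-01T10:15:30Z ws-042 203.0.113.5 611
this line is malformed and is skipped by the parser
"""


def parse_log(text):
    """Group connection timestamps by (source, destination); malformed lines are skipped."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events[(parts[1], parts[2])].append(ts)
    return events


def interval_stats(timestamps):
    """Mean gap between successive connections and its coefficient of variation (jitter)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    # A pair whose events all share one timestamp has no cadence to judge; treat as not periodic.
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return avg, cv


def detect_beacons(text, min_events=6, max_cv=0.15):
    """Return {(src, dst): stats} for pairs whose cadence is too regular to be human.

    min_events avoids judging cadence from a handful of samples; max_cv is the tolerated
    jitter (pstdev / mean of the gaps). Both are assumed thresholds for this example.
    """
    findings = {}
    for pair, stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        avg, cv = interval_stats(stamps)
        if cv <= max_cv:
            findings[pair] = {
                "count": len(stamps),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            }
    return findings


if __name__ == "__main__":
    for (src, dst), info in detect_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{info['mean_interval_s']}s "
              f"({info['count']} connections, jitter cv={info['cv']})")
```

Only the ws-017 to 203.0.113.5 pair is reported; ws-042's gaps vary by seconds to minutes, and its single connection to the same address never reaches `min_events`. In practice the thresholds need tuning against the environment's own traffic, and implants that randomize their sleep interval push the jitter up, so cadence analysis is one signal to combine with others (destination reputation, process lineage, payload size regularity), not a verdict on its own.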
Cybereason complies with the GDPR. Cybereason treats privacy protection and respect for citizens' rights as a first principle. In IT security, in operations, and throughout the organization, care and diligence are exercised to exceed the requirements of directives, regulations, and laws globally, and to adapt quickly and predictably when faced with new requirements. Cybereason tools and technologies are designed for least harm and least operational impact, while preserving privacy and minimizing potential exposure. We welcome the opportunity to work with customers and partners to share our practices and to advance best practices.