By now you may have heard of GDPR, the new European General Data Protection Regulation. It’s a complex, and evolving piece of legislation that comes into effect in May 2018. It doesn’t matter whether your organization has any presence in the EU, or where your applications and data are processed and stored. If your organization holds or controls any data about an EU citizen, then you need to start thinking about being compliant with GDPR … and the sooner, the better.
Simply put, GDPR requires companies to implement entirely new processes and procedures around the collection and storage of personally identifiable information (PII). It defines PII as any information that relates to an EU resident’s private, professional or public life (IP address, banking information, email addresses, social media posts and so on). The focus of GDPR is on ensuring that PII is stored with a person’s permission, used for the specified purpose for which it was obtained, and for a duration that is consistent with the initial reason for obtaining the data.
Organizations found in non-compliance with GDPR will face heavy fines: €20 million or 4% of their global revenues per incident. This could mean millions, or even billions of dollars in fines for large companies.
A quick search online will reveal no shortage of lawyers, self-appointed “experts”, and vendors providing advice on what you should do about GDPR compliance. However, we find that too much of that advice jumps straight into technologies and activities. There are some more basic steps you should take before you start worrying about how GDPR impacts your systems, and here are our top four steps:
1. Awareness and Education
Nobody is going to lift a finger to support your GDPR efforts if they don’t know what it is. So start by educating your colleagues: What does the law require, and why is it relevant for us? What are the penalties for non-compliance? Which of our applications are likely to be in scope for compliance? Basic education is vital, not only to make people aware of the new regulation, but also to start thinking about how to allocate staff and financial resources for dealing with it.
2. Monitor the Situation
It’s important to understand that GDPR is very new, and to some degree vague. How it will be audited and enforced is yet to be fully determined. There is a lot of information available, but not much of it can be considered definitive. Nonetheless, if you are going to have a key role in GDPR planning, you need to try to read as much of this content as possible, to help you distill out the key points. You also need to stock up on coffee and read at least portions (ideally all) of the regulation itself. At the end of the day the actual language of the law is what counts, and by understanding that language, you put yourself in a much better position to work effectively with your peers, management, and vendors.
You also need to know that various EU bodies are slowly trying to clarify portions of the law, and they publish guidance periodically. So set aside a bit of time each month to see if there have been any updates, as these will start to clarify the situation and will help you in your planning efforts.
3. Start Hunting for the Data
Your eventual strategy for GDPR compliance will broadly have two components: processes and controls on your organization’s existing applications, and the processes that will be required when new applications are being rolled out. For the former, you need to start looking for in-scope data in your existing IT systems. Like all compliance situations, the more systems you determine are not in-scope the better, because these can be excluded from your compliance activities.
Of course, finding the in-scope data is the driver for evaluating how big your GDPR effort will need to be. To this end, data classification systems such as Check Point’s Data Security (DLP) blade can automate this effort, accelerating your ability to scope and bound your GDPR challenge. Check Point’s CheckMe is an additional innovative tool to help you asses risk in your organization.
4. Establish and Verify Robust Logging
All compliance regimens identify logging as a key control, and GDPR implementations will be no different. Therefore, a logical initial step is to review and verify logging activities on key applications and supporting infrastructure. This must include not just the logging itself, but automated or manual controls to review the logs periodically to identify unauthorized or malicious activity. It also must include logging of administrator activities on critical infrastructure. (Just this month, reports surfaced about a South American bank’s online sites being hijacked for hours by an attacker who compromised the bank’s DNS administration account.)
Check Point’s SmartLog and SmartWorkflow blades are examples of the enabling solutions required to meet the logging control objective. Used in conjunction with our security gateways and OPSEC partners, these solutions provide role-based policy change management, workflow approvals, and tamper-proof logging and log analysis. Control activities based on this combination will not only meet the requirements of a GDPR audit, they will maximize security effectiveness and minimize downtime due to configuration errors. By implementing them now, they can be used to uncover problem areas in time to remedy them before the GDRP compliance deadline in 2018.
If you want to get on top of GDPR, check out our whitepaper, entitled “The EU General Data Protection Regulation – Check Point for Efficient and Effective Compliance.”
Communicated by Check Point