Article 30 of GDPR states that each controller, and where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.
A Security Information and Event Management (‘SIEM’) system is typically a fundamental security tool for many organizations. By implementing a SIEM, companies can monitor all user and system activity to identify suspicious or malicious behavior. This is achieved by centralizing logs from applications, systems and the network, and correlating the events so that an alert is raised where undesirable activity is detected.
- Do you have a way to centralize, analyze, and store log data from all your environments?
- Are you alerted in real time to any suspicious or anomalous activity?
- Do you have a way to securely store raw log data and to ensure its integrity?
It’s important to inventory all assets and locations that process or store personal data, a task that seems simple on its surface, but is often an area where organizations struggle. This is especially true in dynamic IT environments, such as public cloud and in cases where employees are using BYOD or non-IT-sanctioned assets. It’s worth noting that your company could be exposed to attacks and regulatory fines if employees process or store personal data on unapproved devices.
- What assets are connected to my environment at any given time?
- Do those assets process or store any personal data?
- What ports and protocols are used when transmitting or accessing personal information?
Vulnerability scanning and penetration tests
- How many personal records could be exposed?
- Have any intrusions or exploits been attempted on the vulnerable asset?
- How is the vulnerability being exploited by attackers in the wild?
A DPIA, as defined in the regulation, is extremely important for an enterprise: it is the risk and threat analysis that reveals the deficiencies an attacker could potentially use for breaches and attacks. Data Protection Impact Assessments must also be presented to supervisory authorities. DPIAs can be used to understand the risks faced by the enterprise and its undertakings. Furthermore, a DPIA should not be understood as a fixed, prescribed procedure or system. There are existing security frameworks through which a DPIA can be conducted, the most commonly used being NIST and ISO/IEC 27001. Organizations that have to conduct Data Protection Impact Assessments are advised to use a security framework that is widely and internationally recognized and familiar to third parties, in particular to supervisory officers.
Security controls and assessments are carried out under the guidance of Data Protection Officers. DPOs are designated as independent officers who work to protect data subjects’ information and keep its exposure to a minimum, and who report only to the highest level of management of an organization.
Security evaluations are fundamental for compliance with GDPR. It goes without saying that an organization should frequently test the vulnerability levels of its systems. The larger the organization, the harder this may be: as systems grow more complex, there are more avenues for penetration and attack. The organization’s IT team should therefore be sized in proportion to the organization, so that the necessary controls, penetration tests and checks can be undertaken easily and thoroughly.
The controls and evaluations can be carried out through three methods primarily:
- Manual assurance: audits, penetration testing and so on.
- Consolidated and integrated security products, so that fewer point products need to be managed and reported on.
- The use of automated assurance technologies.
Still, it must be remembered that the assurance and evaluation process should be treated and implemented as an ongoing, permanent process.
GDPR requires organizations to notify the regulatory bodies within 72 hours of becoming aware of a data breach. As soon as the breach is detected, GDPR also requires the processor to notify the data subjects concerned of the situation, its details and the risks. It is a serious concern that the data breaches of the last decade show detection and awareness generally coming days, sometimes weeks, after the breach or attack.
That is why a qualified and trustworthy automated detection program is advised, for quick resilience and to prevent further harm. Threat intelligence software is also trending in this sense: it manages the database and the branches concerned so that they comply with GDPR procedures, while also warning the managerial level of the breach. Such software also resists attacks as far as it is designed to, but its most important feature is that threat intelligence or detection software reports incidents as they occur.
Data processing and its requirements are key principles of GDPR. Although step 6 foresees that the incident evaluation and monitoring process should be ongoing, organizations are not entitled to access many kinds of information, internally or externally, especially information classified as sensitive. Nevertheless, an organization should follow some steps to ensure its security while complying with the regulation:
- Analyze the traffic to your organization’s database and its possible sources.
- Follow the ‘normal’ trends of your ordinary customer.
- Adopt a threat intelligence and monitoring system that can easily differentiate between different behaviors that cause similar traffic in your database.
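The three steps above amount to building a baseline of normal behavior per user and scoring new database activity against it, so that two events producing the same volume of traffic can still be told apart. The example below is added here to show that and is not from the article; the access history, the user names, the hosts and the row counts are all constructed, and the baseline features (typical row count, usual hours, known source hosts) are an assumed minimal choice rather than anything the article specifies.

```python
"""Baseline-and-deviation scoring for personal-data reads (added example).
The HISTORY records are constructed sample data, not real traffic."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed history of reads: (user, source host, ISO timestamp, rows returned).
# "alice" is an interactive user; "etl" is a nightly batch job.
HISTORY = [
    ("alice", "10.0.0.5", "2024-02-05T10:12:00", 20),
    ("alice", "10.0.0.5", "2024-02-06T11:40:00", 35),
    ("alice", "10.0.0.5", "2024-02-07T14:05:00", 18),
    ("alice", "10.0.0.5", "2024-02-08T09:55:00", 42),
    ("etl",   "10.0.9.1", "2024-02-05T02:00:00", 50000),
    ("etl",   "10.0.9.1", "2024-02-06T02:00:00", 48000),
    ("etl",   "10.0.9.1", "2024-02-07T02:00:00", 51000),
]


def build_baseline(history):
    """Per user: typical and maximum row counts, hours of activity, hosts seen."""
    rows = defaultdict(list)
    hours = defaultdict(set)
    hosts = defaultdict(set)
    for user, src, ts, n in history:
        rows[user].append(n)
        hours[user].add(datetime.fromisoformat(ts).hour)
        hosts[user].add(src)
    return {
        user: {
            "median_rows": statistics.median(rows[user]),
            "max_rows": max(rows[user]),
            "hours": hours[user],
            "hosts": hosts[user],
        }
        for user in rows
    }


def score_event(baseline, user, src, ts, n, ratio=10):
    """Return the list of reasons an event deviates from the user's baseline;
    an empty list means the event looks like that user's normal behavior."""
    reasons = []
    b = baseline.get(user)
    if b is None:
        return ["unknown user"]
    # Volume: flag only if well above the typical value AND above anything seen.
    if n > ratio * b["median_rows"] and n > b["max_rows"]:
        reasons.append(f"rows={n} far above baseline "
                       f"(median {b['median_rows']}, max {b['max_rows']})")
    hour = datetime.fromisoformat(ts).hour
    if hour not in b["hours"]:
        reasons.append(f"hour {hour:02d} outside usual hours {sorted(b['hours'])}")
    if src not in b["hosts"]:
        reasons.append(f"source {src} never seen for this user")
    return reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    # Same traffic volume, two different behaviors:
    batch = score_event(base, "etl", "10.0.9.1", "2024-03-01T02:00:00", 50000)
    export = score_event(base, "alice", "203.0.113.7", "2024-03-01T03:00:00", 50000)
    print("nightly batch job:", batch or "normal")
    print("interactive user at 03:00 from new host:", export)
```

Both events read 50,000 rows, so a rule that only counts rows would treat them alike; the per-user baseline clears the batch job and flags the interactive account on volume, time of day and an unfamiliar source host at once. In practice the baseline would be rebuilt on a rolling window so that legitimate changes in behavior age into it.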
You may justify your processing and monitoring of data on the basis of a legitimate interest, for example when you suspect a breach threat against your organization. GDPR allows this only under strictly defined circumstances; if none of the legal bases for monitoring foreseen in the regulation is present, you will face heavy fines for non-compliance.
Have a response plan. It has often been witnessed that, after a breach is detected, officers and managers panic and do not react in a way that would make customers feel safer. This emotional reaction lengthens the time needed to counter the attack, restore order in the systems and provide resilience. It is therefore wise to keep an incident response plan that is easily accessible, perhaps in print.
Adopting a Security Information and Event Management system is also recommended for this purpose.
If a breach occurs, you should:
- inform the affected data subjects about the details of the incident without delay
- inform the regulatory bodies within 72 hours of becoming aware of it
- inform the parties involved (employers, data subjects, regulatory bodies) about the steps taken to fix it.
The Data Protection Officer will usually be in charge in such a case, as the DPO’s job is to provide resilience and response while complying with GDPR and reporting to supervisory bodies. The relevant parties should be notified of the details of the breach or attack under the guidance of the DPO.
The notification is required to include certain details about the incident, and it is important that it be concise, direct and understandable. It should include a brief and clear explanation of the nature of the breach, state the name and contact details of the organization’s Data Protection Officer, indicate the probable consequences of the breach so that the subjects are aware of its effects, and lastly note the measures and steps taken to address the incident.
This article is based on the Information Commissioner’s Office’s ‘Preparing for the GDPR – 12 Steps to Take Now’, AlienVault’s ‘GDPR Checklist: A 9-Step Guide’ and the International Association of Privacy Professionals’ ‘European Data Protection – Law and Practice’.