Organizations are just starting to come to grips with the new European Union privacy law, GDPR. Following a flurry of emails and website warnings asking people to acknowledge updated data use policies (which virtually no one reads anyway), the question is “What do we do next?!” Although the situation appears complex and unclear (because it is), it’s possible to chart out some reasonable next steps when it comes to IT security.
The first thing to keep in mind is that GDPR is vague when it comes to specifics for security. Article 32 (“Security of processing”) is the key part of the law:
“The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
That’s it. While in theory the law provides for refining this vague article into something more specific (Articles 40 and 42 allow approved codes of conduct and certification mechanisms to be used as evidence of compliance with Article 32), none of that is in place yet. If you want to follow progress in this area, start tracking “GDPR Codes of Conduct”, and the effort to turn BS 10012:2017, BSI’s personal information management standard, into an international standard.
However, GDPR also contains a number of “recitals”. The recitals explain the basic goals of the law, and can be used to clarify things when the operative text (such as Article 32) is unclear. When it comes to IT security, Recital 83 is key:
“…the [organization] should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.”
So our advice is to use this recital as your guideline. Follow a risk-based methodology to select a control set that, if operationalized and documented consistently, provides a reasonable level of security. The documentation matters as much as the controls: GDPR requires you to be able to demonstrate compliance, so record the risk assessment, the controls chosen to mitigate each risk, and the results of the regular testing that Article 32 calls for. Then, if something does go wrong, you can point to that record to show a reasonable, good-faith attempt to comply with GDPR.
Coincidentally, our ShadowPlex distributed deception solution goes a long way down this path, with multiple controls supported in a single, highly scalable solution:
- Network monitoring for threat behavior
- Threat identification
- Threat forensics and methods gathering
- Risk and impact determination
- Incident mitigation and containment
- Control testing
Want to know more? Check out our GDPR Whitepaper to learn more about GDPR and how Acalvio can help achieve compliance quickly and reliably, or contact us for a demo.