A CISO Perspective on GDPR

May 23, 2018 | John McLeod

There’s much talk about the General Data Protection Regulation (GDPR) taking effect on May 25 and its impact on US companies with European operations. As more and more information has been collected electronically over the years, it’s become necessary to mandate that companies better protect this information from being breached. With this mandate, the days of collecting and storing personal information indiscriminately are gone. Every company’s journey to GDPR is unique, but we can learn from each other. As a CISO who has been actively involved in AlienVault’s journey, I’m sharing my perspective on how to approach GDPR and what I see happening after the regulation becomes enforceable.

While some companies may be done with their GDPR journeys, others may not be. According to a recent study, 60 percent of US companies weren’t ready for the new regulation to take effect. I get it. With 99 Articles to absorb, it takes time to understand what GDPR means, develop a plan, and put processes in place to ensure compliance.

If you’re in the majority of companies that haven’t fully complied yet, don’t panic. After May 25, if you show regulators good faith and keep moving your company’s process forward to improve your data protection posture, you may avoid a fine. Here’s how sanctions will work:

6 Steps to Improve Your Odds of GDPR Compliance Success

  • In approaching GDPR, the first step is to create a data inventory that records where data is stored and why you are collecting or processing it. Think about all the data that comes into and goes out of your business; this might not be as easy as you think.
  • Categorize the data as personal data, non-personal data, or special category data. In doing so, it’s important to know how the European Union (EU) classifies personal data. Its definition is broader than many US definitions and includes location data such as IP addresses.
  • Keep the data inventory process simple, and remember to update the inventory continuously so you can meet the 72-hour breach notification expectation in GDPR.
  • Compile a Risk Register to understand what assets and vulnerabilities exist. Work with third-party experts (legal and risk management) to create a gap analysis of the security and legal controls needed to minimize risk.
  • For high-risk data, conduct a Data Protection Impact Assessment (DPIA) to help you find and fix problems. Your Supervisory Authority should have a list of the kinds of processing operations that require a DPIA.
  • Consult a law firm to determine whether you need a Data Protection Officer to manage data audits, train employees, and act as a point of contact with European regulators.

Image source: https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-role-edpb_en.pdf

As I look ahead to this summer, I expect individuals or “Data Subjects” to invoke the “Right to be Forgotten” under GDPR with various companies. The companies must act on those requests or individuals can file a complaint with the Supervisory Authority or “complaints officer.”

I also foresee class action lawsuits, likely against the bigger social media companies. However, every company should prepare for “Right to be Forgotten” requests, which could present operational and compliance issues. Individuals will want proof that their data has been deleted, and working out how to provide that proof takes time.

Finally, I believe the EU will produce “clarifying” information to the Articles, which will be much appreciated!

For additional guidance on GDPR, these webcasts may be helpful:

http://ow.ly/HntZ30jVbYJ

http://ow.ly/5KrL30jVcah

Also, if you need help with Asset Discovery or Threat Detection, try USM Anywhere.

John McLeod

About the Author: John McLeod, AlienVault
John is the CISO at AlienVault, responsible for cyber security in the enterprise and in our products. John is a former Air Force Special Agent with over 20 years of experience in information security, including but not limited to criminal, counter-intelligence, fraud, and computer crime investigations. Prior to joining AlienVault, he served as the Director of Information Security for National Oilwell Varco. His experience includes management roles at Halliburton, Mandiant, Guidance Software, and ManTech International. The US Intelligence Community recognized him for his work in steganography. As a consultant, he responded to some of the most highly publicized cyber-attacks, including Moonlight Maze, Titan Rain, Night Dragon, TJX, and Operation Aurora. He holds a B.S. in Information Systems Management from the University of Maryland University College and an M.S. in Network Security from Capitol College in Maryland. Additionally, he is a Certified Information Systems Security Professional (CISSP).