A GDPR Checklist: 9 Steps to Compliance
What is GDPR?
The General Data Protection Regulation (EU) 2016/679, widely known as the GDPR, came into effect on 25 May 2018. The GDPR requires organizations to have procedures and processes in place to monitor the effectiveness of their data security practices, to detect a breach and to document evidence of compliance. Organizations that do not comply with the regulation face potentially large fines and reputational damage.
The GDPR’s main objective is to improve the security and protection of personal data. It replaces the patchwork of national laws that implemented the 1995 Data Protection Directive, such as the UK’s Data Protection Act 1998, the German Bundesdatenschutzgesetz (BDSG) and the Belgian Privacywet, with a single regulation that applies directly in every EU member state.
Who is impacted by GDPR?
The obligation to ensure adequate data management is placed on all entities that control or process personal data. An entity that determines the purposes and means of processing personal data is a data controller; a data processor is an entity that processes personal data on behalf of a controller. The GDPR applies to any controller or processor established in the EU, regardless of where the processing itself takes place, and to controllers or processors outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3). Residency or nationality is not the test: what matters is that the data subject is in the EU.
The primary focus of the GDPR is personal data and, within it, the special categories of personal data often called sensitive personal data. Personal data is any information relating to an identified or identifiable natural person: names, postal and e-mail addresses, and online identifiers such as IP addresses or device IDs all qualify. The special categories (Article 9) cover data that reveals more about an individual, such as biometric data used for identification, health records, racial or ethnic origin, political opinions, religious beliefs or sexual orientation, and attract stricter conditions for processing.
For organizations that are already well versed in security controls, policies and procedures, implementing the GDPR will not be overly tedious; however, for organizations that are not well versed in the data protection laws the GDPR replaces, the path to compliance will require considerable effort and commitment. This is especially true for many Small & Medium Businesses. The regulation puts the burden directly on these organizations not only to become compliant but to ensure ongoing compliance by implementing best practices and technological enablers.
The path to GDPR Compliance
Step I – Build an inventory of critical information system assets that store or process personal data allowing more rigorous controls to be applied.
All systems that process personal data, including network and mobile devices, are in scope of the GDPR.
It is important that an inventory of all physical and virtual assets that process or store personal data is available. This is usually seen as standard practice; however, it is not as easy as it sounds, especially for Small & Medium Businesses. Organizations that encourage remote working and provide cloud infrastructure for employees find asset management even more challenging. Organizations need to be aware that personal data processed or stored on non-sanctioned assets widens the attack surface and escapes the controls meant to protect it; because such assets are also missing from the records that demonstrate compliance, a breach involving them can attract a fine.
A well-defined governance structure reduces the likelihood of such breaches. Perform routine checks on systems and network assets to ensure personal data is not stored or made available outside the sanctioned IT landscape.
To assess the maturity of your asset inventory management, ask yourself the following:
- What assets are connected to your IT landscape at any given time?
- Is personal data processed or stored on those assets?
- Which ports, protocols and services are used to transmit or access that personal data?
Step II – Conduct risk assessments and implement threat models tailored to your business needs and operations.
Applying an information security framework helps an organization understand the risks its business is exposed to. Industry-recognized frameworks such as the NIST Cybersecurity Framework, ISO/IEC 27001 or similar standards of best practice are very beneficial.
The GDPR does not prescribe a framework for risk assessment or threat modelling; however, organizations that align to recognized standards such as those above should be able to demonstrate the “appropriate technical and organisational measures” that Article 32 (security of processing) requires.
When evaluating a risk assessment, ask yourself the following:
- In the event of a data breach, can I provide evidence that appropriate security controls were in place?
- Is there a view of the threats the organization may face and the probability of each materializing?
- Have high risk processes, systems or business units been identified?
Step III – Run regular vulnerability scans to identify exploitable weaknesses.
New vulnerabilities in systems and applications are disclosed daily, so scanning for weaknesses should be performed regularly. Weaknesses can exist in tangible and intangible assets alike: system configuration, business logic and processes, mobile devices, and so on.
Finding a vulnerability is just the start; what you do once one is found is key. Assess whether the affected system or asset falls within the scope of the GDPR, and how critical it is to the business. Whether the weakness has already been the target of intrusion attempts should also be assessed.
To be effective and gain maximum value, vulnerability assessment should be a continuous process of scanning and monitoring the infrastructure that processes or stores personal data. This holds for both on-premises and cloud infrastructure.
Upon discovery of a vulnerability, ask yourself the following:
- How many individuals’ personal data records are exposed?
- Has the vulnerable asset already been the target of intrusion attempts?
- How would a threat agent exploit this vulnerability?
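As an added example (not part of the original checklist), the following Python script joins a personal-data asset inventory of the kind Step I asks for with the findings exported by a vulnerability scanner, and ranks each finding by GDPR scope, records exposed and severity, which is the triage Step III describes. The inventory rows, the findings, the finding identifiers and the priority rules are all constructed for illustration; a real deployment would read them from the CMDB and the scanner’s export. Note how a critical finding on an out-of-scope build server ranks below a lesser one on the customer database, and how a host the scanner sees but the inventory does not is surfaced as its own problem.

```python
"""Join a personal-data asset inventory with vulnerability scan findings to
decide what to fix first. Added example: the inventory, findings, finding
IDs and scoring rules are constructed, not taken from any real scanner."""
import csv
import io
import json

# Constructed inventory: which assets hold personal data, how many data
# subjects' records they hold, and how critical the asset is to the business.
INVENTORY_CSV = """\
host,owner,personal_data,records,criticality
crm-db-01,sales,yes,250000,high
hr-app-01,hr,yes,1200,medium
build-01,eng,no,0,low
mail-gw-01,it,yes,40000,high
"""

# Constructed scanner export (hypothetical finding IDs, CVSS v3 base scores).
SCAN_JSON = json.dumps([
    {"host": "crm-db-01", "finding": "FINDING-1", "cvss": 9.8, "exploit_available": True},
    {"host": "build-01", "finding": "FINDING-2", "cvss": 9.8, "exploit_available": True},
    {"host": "hr-app-01", "finding": "FINDING-3", "cvss": 5.3, "exploit_available": False},
    {"host": "mail-gw-01", "finding": "FINDING-4", "cvss": 7.5, "exploit_available": False},
    {"host": "unknown-42", "finding": "FINDING-5", "cvss": 6.1, "exploit_available": False},
])


def load_inventory(text):
    """Parse the CSV inventory into {host: attributes}."""
    inv = {}
    for row in csv.DictReader(io.StringIO(text)):
        inv[row["host"]] = {
            "owner": row["owner"],
            "personal_data": row["personal_data"].lower() == "yes",
            "records": int(row["records"]),
            "criticality": row["criticality"],
        }
    return inv


def priority(asset, finding):
    """Rank P1 (fix now) to P4, or UNINVENTORIED when the host is unknown.
    GDPR scope is weighted above raw CVSS: the same score on a personal-data
    store matters more than on an asset holding no personal data."""
    if asset is None:
        return "UNINVENTORIED"
    in_scope = asset["personal_data"]
    severe = finding["cvss"] >= 7.0
    if in_scope and (severe or finding["exploit_available"]):
        return "P1"
    if severe or (in_scope and asset["criticality"] == "high"):
        return "P2"
    if in_scope or finding["exploit_available"]:
        return "P3"
    return "P4"


def triage(inventory_csv, scan_json):
    """Return findings annotated with scope, owner and priority, most urgent first."""
    inv = load_inventory(inventory_csv)
    rows = []
    for f in json.loads(scan_json):
        asset = inv.get(f["host"])
        rows.append({
            "host": f["host"],
            "finding": f["finding"],
            "priority": priority(asset, f),
            "gdpr_scope": bool(asset and asset["personal_data"]),
            "records_exposed": asset["records"] if asset else None,
            "owner": asset["owner"] if asset else None,
        })
    order = {"P1": 0, "UNINVENTORIED": 1, "P2": 2, "P3": 3, "P4": 4}
    rows.sort(key=lambda r: (order[r["priority"]], -(r["records_exposed"] or 0)))
    return rows


if __name__ == "__main__":
    for r in triage(INVENTORY_CSV, SCAN_JSON):
        print(f'{r["priority"]:<14}{r["host"]:<12}{r["finding"]:<11}'
              f'scope={r["gdpr_scope"]} records={r["records_exposed"]} owner={r["owner"]}')
```

The UNINVENTORIED bucket is deliberately ranked second: a host that is live on the network but absent from the inventory is exactly the gap Step I warns about, and until someone establishes whether it holds personal data its finding cannot be scored at all.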
Step IV – Conduct regular checks and tests to gain assurance that security controls are working as designed.
Regularly assessing and evaluating the effectiveness of security controls requires a lot of effort, and in organizations with large, disparate and complex IT infrastructure it becomes even more demanding.
These three techniques can help:
i. Manual assurance – audits, assurance reviews, penetration testing and purple team exercises
ii. Consolidated and integrated security products, reducing the number of interaction points for management and management information (MI)
iii. Automated assurance technologies
These methods give your organization a measure of confidence that its systems are as secure as intended. It is worth highlighting that these are ongoing activities which the organization should perform at regular intervals.
When assessing your security posture, ask yourself the following:
- What level of confidence do I have in my information security tools?
- If a tool or system fails, is an automatic alert raised?
- Are the information security tools being implemented and utilized as intended?
Step V – Implement threat detection controls so that you are reliably alerted of breaches in a timely manner.
The GDPR requires that a personal data breach is reported to the supervisory authority within 72 hours of the controller becoming aware of it (Article 33). Where the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected data subjects without undue delay (Article 34). Time to compromise is typically measured in minutes, whereas time to discovery can be weeks or months, so the 72-hour clock is only meaningful if the breach is discovered at all. It is therefore of paramount importance that threat detection capabilities enabling timely discovery are in place.
An important feature of any threat detection capability is the timely collection and correlation of events, enriched with threat intelligence and with analysis of historic events, so that alerts carry context rather than being isolated signals.
Threats can surface at many points across an IT infrastructure: on endpoints, in network traffic, at the perimeter and elsewhere. Detection controls should be placed with this in mind so that threats are discovered in a timely manner wherever they appear.
When assessing your threat detection capability, ask yourself the following:
- Can breaches be identified and responded to as soon as they occur?
- Is there an appreciation of the threat types common to your industry?
- Is the breach reporting process common knowledge across the organization?
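The correlation described above, as an added example that is not part of the original page: a minimal SIEM-style rule in Python that reads authentication events in arrival order and alerts when a run of failed logins for the same user and source is followed by a success within a short window, the classic signature of a password-guessing attack that worked. The log lines, their syslog-like format, the threshold and the window are all constructed assumptions; a real rule would run against whatever the SIEM has normalized.

```python
"""Correlate authentication events to alert on a brute-force login that
succeeded. Added example with constructed log lines; the line format,
usernames, threshold and window are assumptions, not any product's."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice is guessed four times then logged in from the
# same source; bob fails once and logs in 25 minutes later (benign).
LOG = """\
2024-03-04T09:00:01Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:03Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:05Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:06Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:09Z auth sshd: Accepted password for alice from 203.0.113.7
2024-03-04T09:15:00Z auth sshd: Failed password for bob from 198.51.100.2
2024-03-04T09:40:00Z auth sshd: Accepted password for bob from 198.51.100.2
2024-03-04T10:00:00Z auth sshd: Accepted password for carol from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]}


def correlate(log_text, failures=3, window=timedelta(minutes=5)):
    """Alert when at least `failures` failed logins for the same (user, src)
    are followed by a success within `window`. Events are processed in
    arrival order, so the same logic works on a live stream."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = recent[(ev["user"], ev["src"])]
        while q and ev["ts"] - q[0] > window:  # forget failures outside the window
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            continue
        if len(q) >= failures:
            alerts.append({
                "user": ev["user"], "src": ev["src"], "failures": len(q),
                "first_failure": q[0], "success": ev["ts"],
            })
        q.clear()  # a success (alerted or not) resets the run
    return alerts


if __name__ == "__main__":
    for a in correlate(LOG):
        print(f'ALERT brute-force success: {a["user"]} from {a["src"]} '
              f'after {a["failures"]} failures ({a["first_failure"]} .. {a["success"]})')
```

Keying on (user, source) rather than on the user alone is what keeps bob’s single stale failure from firing; the trade-off is that an attacker rotating source addresses needs a second rule keyed on the user, which is the kind of coverage gap the “threat types common to your industry” question is meant to surface.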
Step VI – Monitor user and network activity so that the context of personal data access is understood.
One of the key aims of the GDPR is to ensure personal data is collected and processed only as intended. It is therefore also of paramount importance that user access to data is monitored, with the ability to understand the context in which it is used.
There are several methods for monitoring behavioural patterns. One is NetFlow analysis, which provides high-level trends such as the protocols in use, the hosts communicating and the bandwidth consumed. Feeding NetFlow into a SIEM adds the ability to raise alerts and alarms when set thresholds are crossed.
When assessing network monitoring capabilities, ask yourself the following:
- Is it known what normal traffic looks like?
- Can it be detected if an authenticated user is extracting customer data?
- Would an alarm be triggered by a spike or drop in traffic?
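The three questions above map onto one piece of detection logic, shown here as an added Python example that is not part of the original page: build a per-source baseline of daily NetFlow volume, then alarm on a spike, on a drop (a host that goes silent, or a sensor that stopped exporting), and on traffic to a destination never seen in the baseline, which is how an authenticated user copying the customer table to an outside host shows up even when the byte count alone would not. The flow summaries, host roles and thresholds are constructed assumptions.

```python
"""Baseline NetFlow volume per source host and alarm on spikes, drops and
never-before-seen destinations. Added example; the flow records, host roles
and thresholds are constructed for illustration."""
import statistics
from collections import defaultdict

# Constructed daily flow summaries: (day, src, dst, proto, bytes).
# 10.0.0.5 normally pulls ~30 MB/day from the CRM database; on d6 it also
# pushes 4 GB to an external address. 10.0.0.9 sends nothing at all on d6.
FLOWS = [
    ("d1", "10.0.0.5", "10.0.1.20", "tcp/5432", 30_000_000),
    ("d2", "10.0.0.5", "10.0.1.20", "tcp/5432", 32_000_000),
    ("d3", "10.0.0.5", "10.0.1.20", "tcp/5432", 28_000_000),
    ("d4", "10.0.0.5", "10.0.1.20", "tcp/5432", 31_000_000),
    ("d5", "10.0.0.5", "10.0.1.20", "tcp/5432", 29_000_000),
    ("d6", "10.0.0.5", "10.0.1.20", "tcp/5432", 30_000_000),
    ("d6", "10.0.0.5", "203.0.113.50", "tcp/443", 4_000_000_000),
    ("d1", "10.0.0.9", "10.0.1.20", "tcp/5432", 10_000_000),
    ("d2", "10.0.0.9", "10.0.1.20", "tcp/5432", 11_000_000),
    ("d3", "10.0.0.9", "10.0.1.20", "tcp/5432", 9_000_000),
    ("d4", "10.0.0.9", "10.0.1.20", "tcp/5432", 10_000_000),
    ("d5", "10.0.0.9", "10.0.1.20", "tcp/5432", 10_500_000),
]
BASELINE_DAYS = ["d1", "d2", "d3", "d4", "d5"]


def daily_totals(flows):
    """{src: {day: total bytes}} over the given flow records."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _dst, _proto, nbytes in flows:
        totals[src][day] += nbytes
    return totals


def baseline(flows, days):
    """Per-source mean and spread of daily bytes, plus destinations seen, over `days`."""
    totals = daily_totals(f for f in flows if f[0] in days)
    dsts = defaultdict(set)
    for day, src, dst, proto, _nbytes in flows:
        if day in days:
            dsts[src].add((dst, proto))
    base = {}
    for src, per_day in totals.items():
        series = [per_day.get(d, 0) for d in days]  # a missing day counts as zero
        mean = statistics.mean(series)
        # Floor the spread at 10% of the mean so a very flat baseline does not
        # alarm on trivial day-to-day noise.
        spread = max(statistics.stdev(series), 0.1 * mean)
        base[src] = {"mean": mean, "spread": spread, "dsts": dsts[src]}
    return base


def detect(flows, baseline_days, day, k=3.0):
    """Compare `day` against the baseline; return a list of alarms."""
    base = baseline(flows, baseline_days)
    today = daily_totals(f for f in flows if f[0] == day)
    alarms = []
    for src, b in base.items():
        total = sum(today[src].values()) if src in today else 0  # silent host -> 0
        hi, lo = b["mean"] + k * b["spread"], b["mean"] - k * b["spread"]
        if total > hi:
            alarms.append({"src": src, "type": "spike", "bytes": total, "threshold": hi})
        elif total < lo:
            alarms.append({"src": src, "type": "drop", "bytes": total, "threshold": lo})
    for d, src, dst, proto, nbytes in flows:
        if d == day and src in base and (dst, proto) not in base[src]["dsts"]:
            alarms.append({"src": src, "type": "new_destination",
                           "dst": dst, "proto": proto, "bytes": nbytes})
    return alarms


if __name__ == "__main__":
    for a in detect(FLOWS, BASELINE_DAYS, "d6"):
        print(a)
```

The new-destination check is the one that answers the customer-data question: the export in the sample is to an external address over port 443, so a rule watching only the database port, or only total volume against a generous threshold, would miss it. In practice the baseline window should be longer than five days and should be keyed on the authenticated user where the SIEM can join NetFlow to authentication logs, not only on the source address.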
Step VII – Establish and rehearse an incident response plan so that breaches are contained and assessed quickly.
As part of the GDPR compliance steps, organizations should have a proven plan in place to detect and respond to potential data breaches. When an incident such as an attack or intrusion occurs, a streamlined incident response approach lets you react quickly and effectively to minimize the damage caused by the breach.
The scope of an attack or attempted breach is far easier to investigate when unified threat detection and control capabilities are in place. This enables a speedy response under the incident response plan and an accurate determination of the breach’s scope. All related incidents should be investigated to get a holistic picture of the breach and to contain it as required.
Once the incident is contained, determine whether a breach of personal data has occurred or was attempted, since that decides whether the GDPR’s breach notification duties apply. Document the actions taken in response, including those that remediate the incident. Article 33(5) requires the controller to document every personal data breach, including the facts, its effects and the remedial action taken, so that the supervisory authority can verify compliance; where the breach is likely to result in a high risk to individuals, the affected data subjects must also be notified (Article 34).
To confirm the viability of your incident response plan, ask yourself the following:
- Are all stakeholders familiar with the processes as documented in the incident response plan?
- Is the incident response plan rehearsed to ensure its suitability for the organization?
- Is the plan well documented and kept up to date?
Step VIII – Document your communication plan on notifying impacted stakeholders.
When a personal data breach occurs, the controller is required to notify the supervisory authority within 72 hours of becoming aware of it (Article 33), and a processor must notify its controller without undue delay. Where the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected data subjects without undue delay (Article 34).
Data subjects must be told, in clear and plain language:
- The nature of the breach
- The name and contact details of the organization’s Data Protection Officer (DPO) or another contact point
- The likely consequences of the breach
- The measures taken or proposed by the controller to address the breach and mitigate its possible adverse effects
When assessing your communication plan, ask yourself the following:
- Can the GDPR in-scope systems and processes affected by a breach be identified quickly?
- Are the contact details of the supervisory authority easily accessible?
- When required, is there a consistent method for contacting the affected data subjects?
Article 34 stipulates that, for breaches likely to result in a high risk to individuals, the controller must communicate the breach to the data subjects without undue delay.
Step IX – Use a Security Information and Event Management (SIEM) tool with compliant log management features.
A SIEM tool is a fundamental security capability that organizations should possess. It allows an organization to monitor user and system activity with the aim of identifying malicious or suspicious behaviour. Logs are centralized from applications, systems and the network; events are correlated and alerts raised when undesirable activity is detected. These events are then investigated to understand the anomalous pattern, building an intelligent view of the occurrence.
Data processed via cloud technologies must always be considered. Personal data stored in the cloud is within the scope of the GDPR, so the ability to monitor data processed both on-premises and in cloud infrastructure is fundamental. An organization’s SIEM tool should be able to maintain a record of activities across both infrastructure types.
To assess your GDPR compliance maturity level, ask yourself the following:
- Is there capability to centralize, analyze and store log data for all information system environments?
- Are real-time alerts generated when suspicious or malicious activities occur?
- Can raw log data be stored securely, with its integrity assured?
Article 30 of the GDPR requires each controller, and where applicable the controller’s representative, to maintain a record of the processing activities under its responsibility; a processor must keep an equivalent record of the processing it carries out on behalf of controllers.
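The integrity question in the list above is usually answered with a tamper-evident log store, and the following added Python example (not code from the original page) shows the mechanism: every record carries an HMAC over its own content, its sequence number and the previous record’s tag, so editing, deleting or reordering any record breaks verification, and anchoring the latest tag somewhere the log server cannot reach (the SIEM, a KMS-backed store) catches truncation of the tail as well. The key, the record format and the log lines are constructed assumptions.

```python
"""Tamper-evident log storage: each record carries an HMAC over its content,
its sequence number and the previous record's tag. Added example; the key,
record format and log lines are constructed for illustration."""
import hashlib
import hmac
import json

# The key must live outside the log server (KMS, HSM or the SIEM itself): an
# attacker who can rewrite the log file but lacks the key cannot re-chain it.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed demo key
GENESIS = "0" * 64  # tag "before" the first record

# Constructed application log lines to be stored.
LINES = [
    "2024-03-04T09:00:09Z crm-app: user=alice action=export table=customers rows=25000",
    "2024-03-04T09:01:00Z crm-app: user=alice action=logout",
    "2024-03-04T09:05:12Z crm-db: user=svc_backup action=dump size=2.1G",
    "2024-03-04T09:07:33Z crm-app: user=bob action=login src=198.51.100.2",
]


def tag(prev_tag, seq, line, key=KEY):
    """HMAC-SHA256 over (previous tag, sequence number, line), canonically encoded."""
    msg = json.dumps([prev_tag, seq, line], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(chain, line, key=KEY):
    """Append `line` to the chain (a list of records) and return the chain."""
    prev = chain[-1]["tag"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "line": line, "tag": tag(prev, seq, line, key)})
    return chain


def head(chain):
    """The latest tag; store this out-of-band after each batch to detect truncation."""
    return chain[-1]["tag"] if chain else GENESIS


def verify(chain, key=KEY, expected_head=None):
    """Return (ok, first_bad_seq). Checks sequence numbers and every tag, and,
    if an externally stored head tag is supplied, that no tail records are missing."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or not hmac.compare_digest(rec["tag"], tag(prev, i, rec["line"], key)):
            return False, i
        prev = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)  # records removed from the end
    return True, None


def demo():
    """Build a chain from LINES, then show what each kind of tampering does."""
    chain = []
    for line in LINES:
        append(chain, line)
    anchored = head(chain)
    edited = json.loads(json.dumps(chain))          # deep copy
    edited[1]["line"] = edited[1]["line"].replace("alice", "nobody")
    deleted = chain[:1] + chain[2:]                  # record 1 removed
    truncated = chain[:-1]                           # last record removed
    return {
        "intact": verify(chain, expected_head=anchored),
        "edited": verify(edited),
        "deleted": verify(deleted),
        "truncated_no_anchor": verify(truncated),
        "truncated_with_anchor": verify(truncated, expected_head=anchored),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<22} ok={result[0]} first_bad_seq={result[1]}")
```

The `truncated_no_anchor` case is the caveat worth remembering: a hash chain alone cannot tell an honestly short log from one whose most recent records were deleted, which is why the head tag has to be recorded somewhere the log host cannot overwrite. Signing with a key the log server does not hold at all (or writing the chain to append-only remote storage) is the stronger version of the same idea.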