The General Data Protection Regulation (GDPR) will affect every business in Europe. Those working in IT security and individuals responsible for data protection will need a firm understanding of the coming legislation and the implications this could have. The scope of the legislation, which comes into effect from May 2018, is huge and is likely to impact many professionals.
It will force many companies to re-evaluate their data security and the measures they take to safeguard personal information relating to staff and consumers. This can range from an individual's name and address to details such as usernames and IP addresses that can be used to identify them. Even for those experienced in IT security, there are a lot of legal undertones in the GDPR that could make this issue more complicated.
What is GDPR for?
The GDPR looks to regulate privacy and online security laws across the European Union (EU). Many jurisdictions have had their own rules on data protection for decades but the landscape has dramatically changed. The increase in online activity - and the potential financial gain behind it - has forced the 28-member bloc to introduce more rigorous laws.
It will replace the 1995 Data Protection Directive, which called for companies to introduce an 'appropriate level of security' to any personal data collected. Similar requirements are set out in UK law under Principle 7 of the 1998 Data Protection Act. However, a lack of clarity in existing legislation has led to some confusion about exactly what businesses are expected to do. Some companies viewed the introduction of encryption software that would provide better protection as too costly, and this has led to some serious breaches in data security.
Another section of the Directive that said organizations should judge the appropriate level of security based on the ‘risks inherent in the processing’ of personal data also caused problems. In the late 1990s, when the law was introduced, this was focused on potential financial losses that could be accrued through personal data theft, rather than the emotional or mental trauma.
Not only has the profile of non-material damage increased (see, for example, Google vs Vidal-Hall, 2015) but the value of personal data has also changed. With the rise of customer profiling and analytics, as well as increases in cybercrime, GDPR aims to improve and clarify the rights of individuals with regard to their data.
What's it got to do with intrusion detection?
External breaches caused by criminals gaining unauthorized access to a network remain one of the leading types of incident that compromise personal data. Verizon's 2017 Data Breach Investigations Report, for instance, noted that more than half of breaches (51 per cent) can be traced back to malware, and malware is just one type of network intrusion that can lead to data being compromised.
A strong intrusion detection and prevention system (IDPS) is one of the best safeguards against these risks. These tools are able to monitor any traffic coming into and moving within a network and alert businesses if any suspicious activity is detected.
An IDPS differs from solutions such as firewalls, which filter potentially malicious traffic at the point where it enters a network. An IDPS is installed within the business and monitors traffic throughout the network, looking for unusual activity and sending out alerts when anything suspicious is detected.
This should not be viewed as a replacement for firewalls, but instead as offering a range of unique benefits, such as the ability to detect types of attack vectors that other solutions cannot and greater customization that allows organizations to tailor the solution to their needs.
This needs to play an essential part in GDPR readiness, as it will enable companies to be far more proactive when it comes to defending against data breaches, and increase their chances of shutting down malicious activity before any data is compromised. With the penalties for failing to keep personal data secure set to increase significantly under GDPR, getting ahead of this with tools like IDPS can be hugely beneficial.
What does it mean for data breaches?
Avoiding a data breach is a core part of GDPR. It requires companies to have a documented data breach process and states that "data controllers shall without undue delay" notify the supervisory authority of the personal data breach. This should be done within 72 hours of the attack unless there is a "reasoned justification" to explain the delay or the leak is "unlikely to result in a risk for the rights and freedoms of individuals".
Data processors are also responsible for telling the data controller about a breach; the controller is then required to make a record of it and of any actions taken.
If your data collection means there is a high risk that rights and freedoms could be affected, you also need to tell the individual concerned about the nature of the data breach.
The most important thing about the introduction of the GDPR is to start planning now, if you haven't already. There are a lot of things that could pertain to your business and some of them may take longer than you think to implement.
The UK's Information Commissioner's Office has published an overview of GDPR, detailing the key points and principles businesses need to be aware of. There are a number of implications for businesses as a whole, but many will expect IT specialists to be at the forefront. From your point of view, you need to rigorously assess every level of your security: how you collect, store and delete personal data, and who has access to it. Intrusion detection must play a part in this, enabling you to meet your GDPR requirements by spotting, mitigating and reporting breaches as quickly as possible.