The General Data Protection Regulation or GDPR has been ratified, and it will levy crippling penalties for non-compliance when it goes into effect on May 25, 2018. There are 11 Chapters and 99 Articles in the GDPR, and the PDF from the Official Journal of the European Union spans 88 pages. The regulation is expansive, and disruptive, and its goal is to strengthen and unify data protection for all individuals in the European Union. As a regulation, GDPR is enforceable by law and we are seeing a “data protection standard” mentioned alongside “fundamental rights” for the first time from any government.
No matter where your organization is located, if anyone in it handles identifiable data about a “data subject” who lives in the EU (or is an EU expatriate) during a sales engagement, your organization must comply with the GDPR as of May 25, 2018. Any of the following items that could identify a data subject must be audited and secured, or you risk penalties and litigation whose scope is yet to be determined: name, photo, email address, bank details, social media posts, medical information, or computer IP address, even if the person never becomes a customer. The regulation applies when the processing of the subject’s data is “related to the offering of goods or services, irrespective of whether a payment of the data subject is required.” Some exclusions apply, but the EU has made it clear that the data subject does not have to be a customer. If you handle any data that could identify the subject, you must comply no matter where you or the data resides.
Because of the punitive nature of the GDPR (for repeat non-compliance, up to four percent of annual revenue or €20 million, whichever is greater), it has the potential to disrupt overall enterprise business strategy significantly. The GDPR will affect the bottom line directly, rather than merely setting out best-practice guidelines for IT discipline, as has been the trend for data security standards in the past. The first fines levied under the GDPR will ripple across global markets, and unless preparation begins now, enterprises will scramble to retroactively bring their workforces into compliance before the EU comes knocking.
CorreLog has reviewed the regulation and has identified two major courses of action that will better position your organization with compliance when the regulation goes into effect.
1) Follow best practices for SIEM and event log management across Windows/Unix and mainframe systems.
Those who are diligent with log management and general SIEM practices should stay the course. However, those with poor SIEM (Security Information and Event Management) capabilities across both mainframe and distributed platforms should be worried, as GDPR states that in the case of breach “the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55…” Considering that the average time to discover a breach in 2016 was 191 days*, 72 hours seems like an impossibility.
To keep tabs on your data and on who is accessing (or even looking at) it, you need a 360-degree view of all user activity in and around your data as it happens. At the heart of this SIEM practice is log management in conjunction with event correlation. The beauty of SIEM is that it paints a picture of normal user and system behavior; when anomalous activity occurs, the SIEM can issue an alert in real time.
This visibility gives the Controller a path to validate the technical and organizational measures they are undertaking to maintain compliance in the event of a breach, plus an audit trail of forensic evidence with which to determine the who, what, when, and where of the breach.
All this event logging and event correlation must be rolled up into a single view of data security truth within your IT Security Operations Center if you are going to maximize the benefits of real-time visibility. Security industry pundits agree that breaches are inevitable and that the focus should be on real-time threat visibility with instantaneous notification of a breach, followed immediately by corrective action to stem the bleeding (the EU, with the GDPR, believes this too!). What makes this possible is a security policy based on 100 percent visibility of all activity across every network threat vector monitored by your IT SOC (Security Operations Center). Following these SIEM best practices is essential to staying in compliance with the data breach timeline clauses in the GDPR.
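To make the correlation idea above concrete, here is a small added example (it is not CorreLog's code and does not model any CorreLog product). It normalizes three constructed record formats, loosely shaped like a Windows security event, a Unix audit line and a mainframe data set access record, into one event schema, learns a per-user baseline of which personal-data stores each account normally reads, raises an alert when an account reads a store outside its baseline, and stamps the alert with the 72-hour notification deadline the regulation sets from the moment the controller becomes aware. Every log line, account name and data store name is constructed for the example; the `PERSONAL_DATA_STORES` inventory is a hypothetical stand-in for the data-classification list a real SIEM would consult.

```python
"""Toy SIEM correlation over constructed audit records (example code, not a
product). Learns a baseline from a learning window, then alerts on live events
that deviate from it, attaching the GDPR 72-hour notification deadline."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str    # "windows", "unix" or "mainframe"
    user: str      # normalized to lower case across platforms
    resource: str  # logical data store name, normalized to upper case


# Hypothetical inventory of stores that hold personal data (constructed).
PERSONAL_DATA_STORES = {"CRM.CUSTOMERS", "HR.PAYROLL", "PROD.CLAIMS.MASTER"}

# Three constructed record formats; the field layouts are illustrative only.
WIN_RE = re.compile(r"^(?P<ts>\S+) WIN EventID=4663 Account=(?P<user>\S+) Object=(?P<res>\S+)$")
UNIX_RE = re.compile(r"^(?P<ts>\S+) UNIX audit: user=(?P<user>\S+) read table=(?P<res>\S+)$")
MF_RE = re.compile(r"^(?P<ts>\S+) MF DATASET ACCESS USER\((?P<user>\S+)\) DSN\((?P<res>\S+)\)$")


def parse(line):
    """Normalize one raw line into an Event, or return None if no parser matches."""
    for source, rx in (("windows", WIN_RE), ("unix", UNIX_RE), ("mainframe", MF_RE)):
        m = rx.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc)
            return Event(ts, source, m["user"].lower(), m["res"].upper())
    return None  # unparsed lines are counted by the caller, never silently dropped


def build_baseline(events):
    """Map each user to the personal-data stores they touched in the learning window."""
    baseline = defaultdict(set)
    for e in events:
        if e.resource in PERSONAL_DATA_STORES:
            baseline[e.user].add(e.resource)
    return baseline


def correlate(baseline, events):
    """Alert on any access to a personal-data store that lies outside the user's baseline."""
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.resource in PERSONAL_DATA_STORES and e.resource not in baseline.get(e.user, set()):
            alerts.append({
                "user": e.user, "resource": e.resource, "source": e.source,
                "detected_at": e.ts,
                # Article 33: notify the supervisory authority within 72 hours of becoming aware.
                "notify_by": e.ts + timedelta(hours=72),
            })
    return alerts


# Constructed learning-window records (normal activity).
LEARNING_LOGS = [
    "2018-05-01T09:02:11 WIN EventID=4663 Account=jdoe Object=CRM.Customers",
    "2018-05-01T09:05:40 UNIX audit: user=jdoe read table=crm.customers",
    "2018-05-01T10:15:02 MF DATASET ACCESS USER(PAYADM) DSN(PROD.CLAIMS.MASTER)",
    "2018-05-02T08:58:33 UNIX audit: user=payadm read table=hr.payroll",
    "2018-05-02T11:40:00 WIN EventID=4663 Account=jdoe Object=CRM.Customers",
]

# Constructed live records: one normal read, one off-baseline mainframe read,
# one read of a non-personal store, and one garbled line from a forwarder.
LIVE_LOGS = [
    "2018-05-26T09:01:00 WIN EventID=4663 Account=jdoe Object=CRM.Customers",
    "2018-05-26T22:47:13 MF DATASET ACCESS USER(JDOE) DSN(HR.PAYROLL)",
    "2018-05-26T23:00:00 UNIX audit: user=svc_backup read table=public.holidays",
    "garbled line from a misconfigured forwarder",
]


def run():
    """Return (alerts, unparsed_line_count) for the constructed data above."""
    learning = [e for e in map(parse, LEARNING_LOGS) if e]
    live_parsed = [parse(line) for line in LIVE_LOGS]
    live = [e for e in live_parsed if e]
    alerts = correlate(build_baseline(learning), live)
    return alerts, live_parsed.count(None)


if __name__ == "__main__":
    found, unparsed = run()
    for a in found:
        print(f"ALERT {a['source']}: {a['user']} read {a['resource']} at "
              f"{a['detected_at'].isoformat()}; notify by {a['notify_by'].isoformat()}")
    print(f"{unparsed} line(s) could not be parsed and need a parser or forwarder fix")
```

Two design points matter for the 72-hour clock. First, the three platforms are folded into one schema before correlation, because a baseline built per platform would miss the case shown here, where an account that normally touches a store through Windows and Unix suddenly reads a different store through the mainframe. Second, unparsed lines are counted rather than discarded, since a forwarder that silently stops producing parseable records is itself a visibility gap that would stretch discovery time.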
2) Get your legal team involved now.
There is no precedent for a four percent fine under a data standard managed by a government, or in this case by a confederation of EU member states. No one knows how the GDPR will be enforced, or what recourse you will have if you go to mediation or trial. Navigating the GDPR is undoubtedly going to take you through uncharted legal waters, which should prompt you to get your legal team involved today. Until the first organization is fined, the severity and duration of fines and sanctions remain a mystery. The sooner you start preparing your organization, the better your chance of avoiding a fine.
For those unsure of their organization’s capabilities for real-time, enterprise-wide visibility into user activity, privileged or otherwise, CorreLog’s whitepaper is available for download as an educational tool with best practices for managing GDPR compliance.
CorreLog can be a valuable resource for a single repository of event log data across all systems, mainframe and distributed, with the real-time visibility to mitigate any trouble the GDPR may bring. But best-practice SIEM means having the ability to see anomalous behavior as it happens and, most importantly, the ability to alert the appropriate security personnel on the fly to any perceived threat. And you must also have this visibility from your mainframe.
Since 2008, CorreLog has been helping clients with data security and compliance auditing with best-in-class software solutions. We have a proven track record of securing data across both mainframe and Windows/UNIX systems in a multitude of industries including Banking/Finance, Healthcare/Insurance, Retail, CPG, and Government. For more information on CorreLog solutions, please visit www.CorreLog.com.
Read more about living with the GDPR in CorreLog's GDPR whitepaper.
*according to the latest IBM/Ponemon Institute “2017 Cost of Data Breach Study”