Preparing for GDPR in 2017…Discovery Questions

This is the first in a series of blog posts designed to help enterprise security and business executives prepare for GDPR throughout 2017. (Part 2, 3, 4)

The new General Data Protection Regulation (GDPR) will be a big business driver for security solutions in many industries this year. The size of the potential fines and the reputation damage of a reported violation could have a negative effect on digital transformation initiatives. For many organizations the questions are "where do we start?" and "what do we prioritize?". Business leaders and security executives should take a critical look at their existing data security program and use these discovery questions as a starting point.

Is there a culture of data security and awareness in our organization?

Why is this important? It is essential that everyone, from executives to users, administrators and developers, is trained, certified and ready to build a culture of data security and privacy by design within the organization. In many circumstances, preparing for the new regulation requires the appointment of a Data Protection Officer, responsible for organizational compliance and for communication with supervisory authorities. Given the size of the fines for violations, GDPR will most likely require new internal reporting structures and a continuous compliance culture.

Do we know where our sensitive data or privacy-related data is stored?

Why is this important? You cannot ensure the protection of data if you do not know the key repositories, applications and business processes that hold it. Many data loss prevention programs fail for exactly this reason. Today data is everywhere, and it is increasingly stored on mobile devices and in cloud systems, creating more exposure to attack or misuse. A key consideration should be a continuous data discovery and classification program that involves a cross-functional team of business data owners, the security operations team and data security professionals.

Do we employ encryption for data protection?

Why is this important? Encryption is a key mitigating factor in a data loss incident and should be employed wherever possible to protect data at rest and in motion, particularly on mobile devices such as laptops and for data uploaded to cloud services. Under the Regulation, if breached data was rendered unintelligible to unauthorized parties, for example by encryption, the controller may not have to notify the affected individuals. In recent surveys, almost 20% of data uploaded to cloud storage sites included sensitive data; each such upload could trigger a GDPR violation. Additionally, organizations should have visibility of encryption status and should apply automated corrective actions to unencrypted devices or data flows.

Is there a current data loss prevention project in place or planned for this year?

Why is this important? A data loss prevention program with both host-based and network-based control points is essential to prevent or detect accidental and policy-violating data loss incidents. In recent surveys, almost 10% of all data shared externally contained sensitive data, including personally identifiable information. Additionally, organizations experience an average of 20 data security incidents per day. Each of these incidents could trigger a GDPR violation.
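The two questions above, where personal data lives and whether a DLP control point can act on it, share one building block: a classifier that recognizes personal data in content. The example below is added here and is not McAfee code or a McAfee product feature. It scans a handful of constructed sample files (standing in for file shares, mailboxes or cloud storage) to build a discovery inventory, then applies a DLP rule to constructed outbound-transfer events, blocking unencrypted personal data sent outside a hypothetical internal mail domain (corp.example). The detector set is deliberately minimal (email, phone, IBAN with the ISO 13616 mod-97 check); a real program needs many more detectors and must be tuned against the data owners' feedback.

```python
import re
from dataclasses import dataclass

# Constructed sample "files" standing in for the repositories a discovery
# scan would crawl. Not real data; the IBAN is the public ISO example.
SAMPLE_FILES = {
    "hr/payroll_q1.csv": "name,email,iban\nAnna Novak,anna.novak@example.com,DE89370400440532013000\n",
    "eng/build.log": "2017-01-10 build ok, 0 warnings\n",
    "sales/contacts.txt": "Call +44 20 7946 0958 or mail jdoe@example.org\n",
}

# Minimal detector set; a production classifier carries many more
# (national IDs, card PANs with Luhn, health codes, ...).
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
PHONE_RE = re.compile(r"\+\d{1,3}[ \d]{8,14}\d")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check, so a random letter/digit run is not reported
    as a bank account number (a classic DLP false-positive source)."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


def mask(value: str) -> str:
    """Never copy the full matched value into a report or log."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # email / phone / iban
    sample: str  # masked match, for the data owner to verify


def classify_text(path: str, text: str) -> list:
    findings = [Finding(path, "email", mask(m.group())) for m in EMAIL_RE.finditer(text)]
    findings += [Finding(path, "phone", mask(m.group())) for m in PHONE_RE.finditer(text)]
    findings += [Finding(path, "iban", mask(m.group()))
                 for m in IBAN_RE.finditer(text) if iban_valid(m.group())]
    return findings


def build_inventory(files: dict) -> dict:
    """Path -> findings, only for files that actually hold personal data.
    This is the 'where is it stored' answer the discovery question asks for."""
    inventory = {}
    for path, text in files.items():
        found = classify_text(path, text)
        if found:
            inventory[path] = found
    return inventory


INTERNAL_DOMAINS = ("corp.example",)  # hypothetical; anything else is external


def _recipient_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def dlp_decision(transfer: dict, inventory: dict) -> str:
    """Network control-point rule: personal data leaving the organization
    must be encrypted, otherwise the transfer is blocked."""
    if transfer["path"] not in inventory:
        return "allow"
    if _recipient_domain(transfer["to"]) in INTERNAL_DOMAINS:
        return "allow"
    if transfer.get("encrypted", False):
        return "allow_encrypted"
    return "block"


def review_transfers(transfers: list, inventory: dict) -> dict:
    """Decision per transfer, plus the share of external transfers that
    carried personal data (the figure the surveys in the text report)."""
    decisions = [(t["path"], t["to"], dlp_decision(t, inventory)) for t in transfers]
    external = [t for t in transfers if _recipient_domain(t["to"]) not in INTERNAL_DOMAINS]
    sensitive = [t for t in external if t["path"] in inventory]
    share = len(sensitive) / len(external) if external else 0.0
    return {"decisions": decisions, "external_share_with_personal_data": share}


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FILES)
    # Constructed outbound-transfer events (path, recipient, encrypted?).
    events = [
        {"path": "hr/payroll_q1.csv", "to": "agent@example.net", "encrypted": False},
        {"path": "hr/payroll_q1.csv", "to": "cfo@corp.example"},
        {"path": "eng/build.log", "to": "vendor@example.net"},
        {"path": "sales/contacts.txt", "to": "partner@example.net", "encrypted": True},
    ]
    print(inv)
    print(review_transfers(events, inv))
```

The inventory is the discovery output for the cross-functional team: each finding names the repository and the kind of data, with the value masked so the report itself does not become another copy of the personal data. The DLP rule then consumes that inventory rather than re-scanning, which is how a host-based classifier and a network control point usually divide the work.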

Do we know where all of our databases are located and what types of data they store?

Why is this important? Databases often house the crown jewels of an organization, particularly customer-related data. Yet many organizations deploy only basic security controls, do not patch regularly because patching means application downtime, and rely on administrators for activity monitoring. Additionally, many databases are deployed for testing and development with copies of production data, creating another exposure for sensitive data. Key considerations for GDPR readiness should include a review of database security procedures, additional protection against exploitation of known vulnerabilities while patches are pending, and specific database breach use cases in security operations.

There are many other questions to think about. How do we account for cloud Software-as-a-Service applications that house private data? How are we controlling privileges and privileged user activity, particularly in cloud services? Does security operations have pre-planned data breach detection use cases? These are the kinds of questions organizations need to be answering in preparation for the General Data Protection Regulation.

Join the conversation at @McAfee.

The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.