RSA Says GDPR is More About Evidence-based Process Than Technology
Europe’s General Data Protection Regulation (GDPR) is, by name, just another information security compliance regulation requiring that organizations protect personal data from being stolen by hackers. As such, there should be little for organizations to do since most companies already do all they can to defend against breaches (albeit not always successfully). That, however, would be a total misunderstanding of this new regulation.
The emphasis of data protection has changed: data protection was traditionally designed to protect data from criminals, but this regulation is designed to protect data for the user. It is a subtle change with huge ramifications, because now users are in charge of their own personal information. They must explicitly agree to the collection of data for a specific purpose; and they can withdraw consent and require companies to delete that data.
This simple change means that data governance is now front and center, side-by-side with data security. Organizations will need to be able to prove user agreement to the collection of personal data; and must be able to demonstrate deletion of that data after demand. This also means that organizations must be aware of the location of all personal data at all times.
“GDPR is not just about technology,” Rashmi Knowles, RSA Field CTO EMEA told SecurityWeek. “I think the bigger part of GDPR is to do with process, and the process burden is going to be huge. One of the big new things is the whole personal data lifecycle — from getting consent and proving user consent, to processing user data and then deleting that data after processing it solely for the purpose for which it was collected; and being able to delete it at any time on the users’ request. Although some organizations already do that, a lot of companies don’t do it very well, and don’t have the evidence to prove they are doing it. GDPR is very much evidence based.”
There is another major change. Sanctions for non-compliance have been dramatically increased. While large corporations could simply accept the minimal fines under the existing Directive-based European laws as part of their acceptable risk tolerance, under the Regulation fines are now geared, potentially, to seriously affect the bottom line of non-compliant companies for many years. The regulators are taking GDPR very seriously, and they expect organizations to do the same. The implication is that these regulators will not back away from imposing very heavy fines for the worst cases of non-compliance.
It is against the background of GDPR being as much about data governance as it is about information security that RSA has today beefed up its Archer governance suite specifically to aid compliance with the governance side — and more — of GDPR. “Ultimately,” it says in a statement released today, “GDPR is not just a Governance, Risk and Compliance (GRC) issue. GDPR spans the full enterprise and forces companies to adopt a healthier privacy and security risk posture in four critical areas: Risk Assessment, Breach Readiness, Data Governance, and Compliance Management.”
It is in these four areas that Archer, combined with RSA NetWitness and the RSA Data Risk and Security Practice, can aid GDPR compliance. On risk assessment, RSA suggests that Archer’s components will help accelerate the identification of the linkage between risks and internal controls, potentially reduce GDPR compliance gaps, and improve risk mitigation strategies.
On breach response, GDPR requires that regulators be notified of a breach, generally within 72 hours of the company becoming aware of it. Here, RSA says its NetWitness product will scan the entire network infrastructure looking for indications of a compromise. It uses, explains RSA, “behavioral analysis and machine learning to help better understand the scope and nature of a breach with improved visibility into the attack sequence, enabling faster notification.”
RSA offers its SecurID suite and Data Risk and Security Practice service to cover the mainstream governance side of GDPR. Compliance is no longer a destination, but a continuing state, it suggests. While under earlier European laws, companies needed only worry about compliance if they were breached, with GDPR they can be found non-compliant in data governance areas at any time. This suite of services helps an organization optimize a GRC program; put in place the processes to enable a prompt response to cyber incidents; prepare to meet the new 72-hour notification requirements; and plan and implement GDPR-compliant data access programs.
Organizations will “see quicker reaction to emerging issues, create a more proactive and resilient environment, and reduce the churn in driving accountability towards GDPR compliance,” says RSA.
But while GDPR may be more about process and evidence, the technology side cannot be ignored. The term ‘breach’ is given a wider than usual scope under GDPR. “A breach in GDPR could be lack of availability,” Knowles told SecurityWeek; “so a successful DDoS — which may not usually be classed as a breach — could be classed as a breach in GDPR terms if users lose access to their data.”
In this sense, being struck by something like ransomware would prove a double whammy. First, the victim suffers all the disruption and cost of the ransomware; second, it is potentially and automatically in breach of GDPR. “If you can show that you are doing the right things, that you have the right controls in place,” says Knowles, “then the regulators are more likely to be lenient from the GDPR perspective. But on the other hand, if the ransomware could have been stopped had you applied the correct patches, the regulator might not be so lenient.”
GDPR compliance is a complex mix of security technology to protect the data, tied together with governance processes to manage the personal data lifecycle, backed up by the availability of continuous evidence to prove that you are doing the right things at all times.