GDPR stands for General Data Protection Regulation, the most comprehensive overhaul of European data protection rules in over twenty years.
The new legislation will provide a single harmonized EU regulation with the expectation to standardize how an organization must manage personally identifiable information of EU employees and clients.
As of May 25th, 2018, GDPR will be in effect and operational. To help organizations identify gaps and operationalize against GDPR mandates, Hadi Hosn, Head of Security Strategy and GRC Consulting EMEA, reviews the Secureworks approach to compliance, which uses a four-phase approach:
- Know your data and understand the scope of GDPR for your specific operation
- Assess the current state and identify gaps
- Build the right people, process and control strategies to meet GDPR requirements
- Test, operate and manage in line with GDPR requirements, removing the workload from the security function and allowing security and privacy to be business-enabling
I'm Hadi Hosn, Head of Governance, Risk and Compliance Consulting in EMEA for SecureWorks. I'm going to talk to you about the General Data Protection Regulation.
GDPR, or the General Data Protection Regulation, is the first comprehensive overhaul of data protection regulations in the EU for 20 years. It's going to consolidate all of the different regulations across member states into a single, central source of standard.
It is also the most lobbied regulation in the history of the EU. It had 4,000 revisions before the final draft was released. It will be mandatory as of May 25th, 2018. All organizations that handle EU citizen information are in scope of this regulation, irrespective of where they are domiciled as an organization.

Some facts and figures that we have seen at SecureWorks from the General Data Protection Regulation. 4% is a potential fine in relation to a breach of the General Data Protection Regulation: 4% of the global turnover of an organization, or 20 million euros. 72 hours. That is the amount of time you have as an organization to notify the regulator of a data breach from when you detect it.
Given those key facts, organizations need to prepare for GDPR. Secureworks has a four-phase approach to help organizations on their GDPR journey.
Phase one for us is knowing your data. As an organization, you need to know the scope of GDPR in your organization. What kind of personal information do you have? Where is that personal information? Who has access to it? Do you send it out to third parties? Map out the data flows of your personal data across the organization to understand the scope of GDPR and how it impacts you.
Phase two is conducting a current-state assessment against the GDPR requirements. GDPR is specific in that it's a risk-based methodology, but it mandates some specific approaches and controls you have to have in place as an organization. Conduct GDPR assessments based on interviews, based on documentation review, maybe even conducting privacy impact assessments. All of those are required for you to build a current-state understanding of your organization against GDPR. The output from phase two will identify your risks, your gaps, your weaknesses against the GDPR regulation.
Phase three is about building the program to address those gaps. You'll need to have policies in place. You need to have people in terms of Data Protection Officers (DPOs). You need to have some workflows of how you're going to handle GDPR across your organization. Some of this might require implementing point solutions like encryption or even having managed security services to help you detect and respond to breaches to personal information.
So phase four of our program approach is Test, Operate and Manage your GDPR compliance program. This includes conducting regular penetration testing activities on the systems that handle personal information, and having the right monitoring, detection and response processes and controls in place to make sure you as an organization can detect an incident, can detect a breach of the personal data you process, and can respond back to the regulator within the 72-hour breach notification guidelines that are provided.
Carrying out incident response tabletop exercises to test your notification procedures, and to test how quickly you can detect an incident involving personal data and notify the regulator, is definitely an activity you need to proactively do as part of your GDPR compliance program.
So, these are SecureWorks' recommended four steps to GDPR compliance.