Dark Reading is part of the Informa Tech Division of Informa PLC

GDPR Doesn’t Need to be GDP-Argh!

These 10 steps will ease the pain of compliance with the General Data Protection Regulation, the EU's new privacy law that goes into effect in a little over a year.

If your organization does business with Europe, or more specifically does anything with the personal data of individuals in the EU, you're going to be living the dream (or perhaps nightmare) that is preparing for the General Data Protection Regulation (GDPR).

For many organizations this is going to be a tedious exercise; even if you have implemented processes and technologies to meet current regulations, there is still work to be done to steer clear of penalties. And, as you might expect, infringement carries heavy fines: up to €20 million or 4 percent of worldwide annual turnover, whichever is higher, for the most serious violations (a lower tier of €10 million or 2 percent applies to others).

The regulation comes into effect on May 25, 2018, at which point organizations will be held accountable immediately. It's hard to say exactly how organizations are doing, but depending on which news you choose to read, it doesn't appear that too many are ready. And for good reason.

For one thing, preparing for GDPR is likely to be a cross-functional exercise, as legal, risk and compliance, IT, and security all have a part to play. Some organizations will need to adopt new roles and responsibilities, such as appointing a data protection officer and nominating representatives within the EU to be points of contact.

So, with just over a year to get this sorted, what do you need to do?

If you're just beginning your GDPR compliance quest, start by having employees attend training on the regulation's requirements and on best practices for implementing them. Training can also save you from costly fines down the line, which, for the most serious infringements, can reach 4% of your organization's worldwide annual turnover for the previous financial year.

You'll also need to determine where the personal data of individuals in the EU physically resides, which categories of personal data you control or process, how and by whom it is accessed, and how it is secured. Processes for access control, incident detection and response, and breach notification will also need to be reviewed or put in place.

To help get you started, I’ve put together a list of 10 steps your company can take toward becoming GDPR-compliant:

Step 1: Encrypt data both at rest and in transit. Why? If you are breached but the personal data was encrypted so that it is unintelligible to the attacker, GDPR (Article 34) does not require you to notify the affected individuals. You may still have to notify the supervisory authority, and the exemption only holds if the keys were not compromised along with the data, so keep key management separate from, and more tightly controlled than, the data it protects.

Step 2: Limit access. The idea of "need to know" has been around in the military for eons. The same principle now needs to apply to personal data. Review who has access to personal data and why, then revoke rights that are not justified. When you obtain consent to process personal data you will need to state the purposes of the processing and the recipients, or categories of recipients, who will have access to it. Shared admin accounts and over-inflated user privileges are generally bad practice; under GDPR they become indefensible, because you cannot show who accessed what.

Step 3: Have a broad-based vulnerability management process in place. Make sure you're scanning all devices on your network to maintain visibility into weaknesses in your infrastructure, and don't forget remote employees! Remote workers create additional risk because their devices can hold sensitive data while connected to untrusted networks. Ensuring the ongoing confidentiality, integrity, and availability of all systems across your company is key; Article 32 uses exactly that language.

Step 4: Backups. Backups. Backups. Make backups, and test that you can actually restore from them! Not just in case of a dreaded ransomware attack, but as good housekeeping in case of storage failure, asset loss, natural disaster, or even a full cup of coffee spilled on a laptop. If you don't currently have a backup solution in place, there are a number of server and database options available. Remember that backups contain the same personal data as the systems they protect, so encrypt and access-control them to the same standard. Disaster recovery should always be high on your list, regardless of the regulations you are required to meet.

Step 5: Secure your web applications. Privacy by design needs to be built into processes and systems. If you're collecting personal data via a web app and still serving it over plain HTTP, then you already have a problem: the data is readable in transit, and Step 1 is not met.

Step 6: Pen tests are your friend. Attacking your own systems and environment to understand your weak spots will tell you where to focus. It's far better to go through this exercise while you still have the chance to course-correct than to wait for an attacker to point out your weaknesses by getting onto your network. You can do this internally or employ a professional team to perform regular external tests.

Step 7: Detect attackers quickly and early. Finding out that you've been breached long after the fact is an all too common scenario. The Verizon Data Breach Investigations Report has repeatedly called out compromised credentials as a top attack vector, yet many organizations still can't detect when those credentials are used by attackers. User behavior analytics is one way to quickly investigate and remediate anomalous account activity in your environment. Deploying deception technologies, such as honeypots and honey credentials, is another strategy for spotting attackers early: a planted credential has no legitimate user, so any use of it is an alert.
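To make the detection side of Step 7 concrete, here is an added example (not from the original article or its author) that runs three checks over authentication logs: use of a planted honey credential, "impossible travel" (one account succeeding from two countries closer together in time than a flight would allow), and a burst of failures from one source IP followed by a success (the password-spray / credential-stuffing pattern). The log format, the account names, the IP addresses, the countries and the thresholds are all constructed for the example and are assumptions, not a real product's format.

```python
"""Detecting attacker use of compromised credentials from auth logs.

Added example, not the article's own tooling. Three checks:
  1. any use of a "honey" credential (a planted account nobody should use),
  2. impossible travel: same account, two countries, too little time between,
  3. a burst of failures followed by a success from one source IP.
Log format, accounts, IPs, countries and thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <src_ip> <country> <result>"
SAMPLE_LOG = """\
2017-04-03T08:00:00Z alice 203.0.113.10 GB success
2017-04-03T08:05:00Z bob 198.51.100.7 DE success
2017-04-03T08:40:00Z alice 192.0.2.55 US success
2017-04-03T09:00:01Z carol 198.51.100.99 FR failure
2017-04-03T09:00:02Z dave 198.51.100.99 FR failure
2017-04-03T09:00:03Z erin 198.51.100.99 FR failure
2017-04-03T09:00:04Z frank 198.51.100.99 FR failure
2017-04-03T09:00:05Z grace 198.51.100.99 FR failure
2017-04-03T09:00:06Z heidi 198.51.100.99 FR success
2017-04-03T10:15:00Z svc-backup-old 192.0.2.77 RU success
"""

# Planted accounts that exist only to be stolen (assumed name); any use is an alert.
HONEY_ACCOUNTS = {"svc-backup-old"}

# Shortest gap we treat as plausible between logins from different countries.
MIN_TRAVEL_GAP = timedelta(hours=2)
# Failures from one IP within this window before a success -> spray/stuffing.
SPRAY_WINDOW = timedelta(minutes=5)
SPRAY_THRESHOLD = 5


def parse_log(text):
    """Parse the assumed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def honey_credential_use(events):
    """Check 1: a honey credential has no legitimate user, so any use alerts."""
    return [f"honey credential used: {e['user']} from {e['ip']} at {e['ts'].isoformat()}"
            for e in events if e["user"] in HONEY_ACCOUNTS]


def impossible_travel(events):
    """Check 2: successive successes for one user from different countries too close in time."""
    alerts = []
    last_success = {}  # user -> most recent successful event
    for e in events:
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < MIN_TRAVEL_GAP:
            gap = e["ts"] - prev["ts"]
            alerts.append(f"impossible travel: {e['user']} {prev['country']}->{e['country']} in {gap}")
        last_success[e["user"]] = e
    return alerts


def spray_from_ip(events):
    """Check 3: >= SPRAY_THRESHOLD failures from one IP in SPRAY_WINDOW, then a success."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    for e in events:
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= SPRAY_WINDOW]
        failures[e["ip"]] = recent
        if e["result"] == "failure":
            failures[e["ip"]].append(e["ts"])
        elif len(recent) >= SPRAY_THRESHOLD:
            alerts.append(f"spray then success: {e['ip']} got into {e['user']} after {len(recent)} failures")
    return alerts


def analyse(text):
    """Run all three checks over a log and return the list of alert strings."""
    events = parse_log(text)
    return honey_credential_use(events) + impossible_travel(events) + spray_from_ip(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample log this raises exactly three alerts: the honey account `svc-backup-old` being used, `alice` succeeding from the UK and then the US forty minutes apart, and `198.51.100.99` getting into `heidi` after five failures against other accounts. The honey-credential check is the cheapest and least noisy of the three, which is why deception is worth deploying alongside behavioral analytics rather than instead of it.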

Step 8: Don't ignore shadow IT. You likely have some approved cloud services deployed already, but unless you've switched off the internet, it's also likely that unsanctioned services and apps are in use in your environment, holding data that needs to be protected. Under GDPR you are accountable for that data wherever it ends up, so discover these services and either bring them under control or shut them off.

Step 9: Prioritize and respond to the alerts your security products generate daily. Attackers take advantage of the flood of information bombarding security teams every day. It's great if you have a SIEM in place and the capability to respond 24/7 (attackers work evenings and weekends too!). But if you don't have a SIEM, or the time or budget for a traditional deployment, consider products or managed offerings that can provide round-the-clock monitoring and response.

Step 10: Don't wait for an attack to engage an incident response team. GDPR stipulates that organizations report personal data breaches to the supervisory authority within 72 hours of becoming aware of them, where feasible, unless the breach is unlikely to result in a risk to individuals; where the risk is high, the affected individuals must also be told without undue delay. But aside from the reporting requirements, it's critical to contain the attack and limit damage as quickly as possible. So if you don't have dedicated IR capabilities in-house, at least have a clear and fast route to third-party services. That means vetting and engaging potential vendors and partners in advance, so you know exactly who to call, with the necessary expertise, should the worst happen.

Samantha Humphries has 20 years of experience in cybersecurity, and during this time has held a plethora of roles, one of her favourite titles being Global Threat Response Manager, which definitely sounds more glamorous than it was in reality. She has defined strategy for ...

User Rank: Strategist
4/6/2017 | 10:49:55 AM
GDPR- proactive approach
GDPR is the real deal. Companies will take notice after a few fines are levied. IT needs to look at all devices that can act as a risk gateway. Mobile is a clear candidate and organizations need to look at services beyond pen testing. Having all the security on the server side simply means that they have already broken down your front door. Secure the mobile applications that are being used on devices, especially those on BYOD. Encrypt and monitor them, creating a barrier that prevents access to your servers.
Joe Stanganelli
User Rank: Ninja
4/5/2017 | 3:30:23 PM
Joe's take x3
Good tips.  My take on some of these items:

1) €20 million or 4 percent of your worldwide annual gross revenue, depending on the violation.

Good luck, I say, to EU regulators.  This is a hefty, scary max penalty.  In reality, I suspect that smaller enterprises/businesses have more to fear here than larger and more entrenched enterprises.  (I'm thinking now of the VW diesel scandal that, had US regulators gone full throttle, could have completely bankrupted and obliterated VW.)  For companies that regularly do business in the EU and aren't tech companies with which the EU already has a major bone to pick (e.g., Google, Facebook, etc.), there may be some leniency.

On the other hand, the first tests of this will show us just how serious the EU is when it comes to privacy matters, I suppose.  So while I have my pet theories, nothing surprises me anymore in the data privacy and data stewardship realm.

2) Encrypt data both at-rest and in-transit.

This advice -- which may be seen as a bit silly -- is an unfortunately important one, even in the US and in other more lightly regulated jurisdictions. Even in the absence of regulations, the revelation of the lack of at-rest encryption in the case of a data breach -- even where it would not have actually helped mitigate matters any -- can be highly brand damaging. (Remember the Anthem, née WellPoint, breach?)

3) Backups. Backups. Backups.

And -- more to the point -- SECURE your backups!  Seems like a "duh!" imperative, no?  Well, that "common sense" was lost on Adobe when they suffered their major breach of their backup systems, impacting over 150 million users.

I always have more to say on this topic because I work in the field, but for now I'll shut up.  3 bulletpoints in an Internet comment is enough for now.  ;)