Industry Insights with Mark McGlenn

Advanced SOC Operations / CSOC , Application Security , Business Continuity Management / Disaster Recovery

What You Need to Know About GDPR Breach Disclosure, Response

Moving Organizations Toward Privacy by Design or Default
What You Need to Know About GDPR Breach Disclosure, Response

Incident response is a critical pillar of an effective endpoint security program, one that will gain importance as GDPR enforcement comes into play on May 25. Organizations must be ready to react if and when an incident occurs in order to meet the stringent requirements that apply during an incident.

Under Articles 33 & 34 of the General Data Protection Regulation, a personal data breach must be disclosed to supervisory authorities and data subjects "without undue delay and, where feasible, not later than 72 hours" unless certain conditions are met. The current average discovery to notification time frame is 29.1 days, so significant improvement is needed in order to comply with GDPR standards.

GDPR Data Risk Assessment

Evaluate your GDPR data risk with a free assessment highlighting potential areas of exposure.

Get My Assessment

Evidence of Active Risk Mitigation Measures

GDPR requires disclosure if an incident is "likely to result in a high risk" to the rights and freedoms of data subjects. In order to prove that an incident is not "high risk," organizations must prove that "appropriate technical and organizational" protections are in place or that subsequent measures have been taken to ensure risks are not likely to materialize.

Organizations need to move toward privacy by design or default, meaning that data protection measures must be implemented across all data processing activities and compliance must be constantly monitored.

Demonstrating adequate measures are in place to mitigate privacy risks is just as critical as securing the data itself.

Although encryption is one technology that renders data unintelligible to those not authorized to access it, organizations must be able to demonstrate encryption and other security applications were in place and working at the time of an incident. Regulators can require that organizations provide proof of compliance and risk management strategies. This is only possible if you have full and unobstructed visibility over your entire device fleet and the data the devices contain.

Rapid Response to Security Incidents

In the event of a security incident, organizations can avoid breach notification requirements if they can render the personal data unintelligible or inaccessible. Once a security incident occurs, rapid remediation is required.

There are two important stages to response: identifying suspicious activity (vulnerability management) and breach response. The first stage helps organizations pre-empt security incidents through resilient insight into suspicious activity, helping identify events that may be precursors to security incidents. This stage relies on the efficacy of the security application layer, which can be bolstered by self-healing technology, such as what Absolute offers, to ensure full application availability and integrity.

The second stage in response includes the effective implementation of the incident response plan. An IR plan will clearly define what constitutes an incident or a breach, the rules that apply in an incident, and the assets you have in play to respond and to investigate an incident. Organizations have relied on Absolute for years to remotely detect, recover and delete personally identifiable information from devices or in the cloud, a capability also required for GDPR's "right to erasure," and to ensure data is not maintained for longer than "strictly necessary."

For more on how to evaluate your GDPR data risk, check out our free assessment highlighting potential areas of exposure.

About the Author

Mark McGlenn

Mark McGlenn

Senior Manager of Risk and Compliance Services, Absolute Software

McGlenn is Senior Manager of Risk and Compliance Services for Absolute. He has more than 15 years of experience in internal audit, compliance testing, risk management, IT security, accounting, and fraud prevention. He has developed and managed risk-based corporate internal audit programs with a focus on compliance testing (SOX, PCI, AML) and process and internal control improvements. Leveraging best practices such as CIS Critical Controls, NIST CSF, NIST 800-53, McGlenn has designed cyber-security assessment procedures and performed engagements in both the public and private sectors. His unique experiences assist Absolute customers in addressing compliance concerns and securing the endpoint.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.