GDPR implementation from a cybersecurity perspective
10 April 2017
As anyone who has pored over the EU General Data Protection Regulation (GDPR) in detail will know, the regulation is very broad in scope. Most of it relates to data handling, but a small and significant proportion specifically covers IT security: Article 32 requires that the data controller or processor implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
From a cybersecurity perspective, this means organisations will have to demonstrate security by default, or by design, if they are audited for compliance with the regulation. If we take development as an example, GDPR will require secure thinking to be baked in from the start rather than bolted on at the end. This should cover secure application development, system hardening, documenting the threats and vulnerabilities that apply to the system being built, and the measures implemented to address them.
Although the regulation does not prescribe any particular technology, the text suggests actions that organisations can take to improve compliance, such as a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
The regulation also has recitals of interest: Recital 78 requires that technical security controls provide a level of security appropriate to the nature of the data being held, as well as to the potential risk and impact if that information were disclosed. To assess the security of their data in line with GDPR, organisations will need to carry out regular technical assessment, patching and maintenance, vulnerability management, threat detection and prevention, and asset and service profiling and visibility.
If this sounds like trying to hit a moving target, that’s because it is. With increased adoption of the cloud, in addition to iterative development methods like Agile, applications change with increasing regularity. One company I spoke with recently had deployed almost 100 iterations of its product into the cloud over the course of a year. That’s probably a high number compared to the average, but it shows the trend, and it tells us that it’s no longer possible to assess data security risk with a one-off test when the pace of change is so rapid. With each new feature comes the potential for new vulnerabilities to be introduced if left unchecked.
This is where a managed service like edgescan can help organisations. It provides ongoing and on-demand assessment of data security risk through continuous vulnerability management. It meets the security challenge from a compliance perspective, saves on recruiting full-time security staff, and is cost-effective.
Speaking of cost, there has been a temptation in the past to see security as a tax or overhead, but I argue there is a business benefit to improving security. Under GDPR, vendors must now show appropriate care for personal information when developing and designing products or services that hold personal data. If organisations can prove that the systems and services they supply meet the principles of GDPR through secure coding practices, I believe it will be a huge enabler that wins them more business as a result.
Eoin Keary, CEO, edgescan