The recently enacted European Union General Data Protection Regulation (GDPR) requires organizations to take adequate measures to ensure the security and privacy of the personal data of individuals in the EU. It supersedes the previous Data Protection Directive (95/46/EC). Because it is a regulation rather than a directive, it applies directly in every member state without national implementing legislation, imposing a uniform data protection regime on every organization that must comply.
Who Needs to Comply?
The GDPR is explicit about who needs to comply: any organization that touches or manages (collects, stores, processes and/or shares) the personal data of individuals in the EU. Personal data includes “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This is an extensive definition. For IT professionals, it means that MAC addresses, IP addresses, cookie identifiers and similar online identifiers can qualify as personal data. Those who must comply are both data controllers (the organizations that determine why and how personal data is processed) and data processors (those that process it on a controller’s behalf). The reach is global: an organization does not need to be located in Europe to be covered, provided it offers goods or services to, or monitors the behaviour of, individuals in the EU.
Why Should You Care?
Data breaches alone can damage your customer base and drive negative publicity with long-lasting effects. The financial consequences of failing to comply with the GDPR are also steep: fines of up to 20 million euro or 4% of global annual turnover, whichever is higher. Interestingly, in the 2015 Ovum research report, Data Privacy Laws: Cutting the Red Tape, two thirds of the respondents said they expect the legislation to force changes in their European business strategy.
Planning for Compliance
While most organizations have some controls in place to secure their data, many are not prepared for GDPR. In research from late 2015 (Ipswitch), over two thirds of the IT professionals surveyed said they need to invest in new technologies or services to prepare their business for the impact of GDPR. Compliance touches every department and all personnel. Planning for GDPR compliance should start right away by assessing the current situation and the gaps that exist. For more advice on how to get started, read the Tripwire white paper “Getting Up to Speed on GDPR.”
How Tripwire Can Help
Tripwire is a leading provider of foundational controls for compliance, security and IT operations. GDPR requires that organizations implement adequate security measures to protect the data of individuals in the EU. Tripwire’s comprehensive foundational security controls deliver capabilities that are essential to meeting that standard of adequate protection, including automation and integration that improve the operational efficiency of these controls and maintain a high-integrity state.
Tripwire makes demonstrating compliance with GDPR easy. Implementing the controls isn’t enough; you also have to be able to demonstrate compliance continuously. Tripwire can assess the compliance of systems against these standards and provide audit-ready reporting. It does so continuously, so you’re always prepared for an audit. Organizations can be confident, knowing that Tripwire already has a solid compliance track record with standards such as PCI DSS, NERC CIP, NIST frameworks and many others. Tripwire’s integrated solutions portfolio includes file integrity monitoring, configuration management, asset discovery, vulnerability management and log collection. These capabilities support widely used industry frameworks such as the Center for Internet Security (CIS) Controls and ISO/IEC 27001/27002.
Much of GDPR depends on visibility into, and monitoring of, the assets that hold personal data. Tripwire delivers continuous monitoring of cyber assets: it can discover data that is not encrypted, identify unknown assets, and report their vulnerability and risk levels. Tripwire also provides audit trails that assist with investigations and help remediate systems back to their pre-attack state.