AlienVault’s Javvad Malik describes how GDPR will change organisations’ data breach responses.
While the countdown began more than a year ago, it’s only now that many organisations are preparing in earnest for GDPR – with the EU regulation coming into full force in just eight months.
Yet, for organisations with limited IT security resources – and sometimes only employing security staff part-time – the most pressing concern is often around the reporting timeline itself, and whether it is even possible for them to detect and report a data breach within 72 hours.
To help with this dilemma, let’s break down the practical steps involved in dealing with a breach, and propose a rough order in which to tackle them.
Preparation
By far the most important step in meeting GDPR requirements is to lay the groundwork: ensure that your organisation has put all the necessary policies and procedures in place well before May 2018, and document them, so that it can demonstrate the steps it has taken to achieve compliance.
Realistically, it is only if you have these systems already set up that you will be able to react quickly enough to hit the 72-hour deadline.
The first step is to identify and locate your organisation’s assets. In terms of GDPR, this means understanding where your customer data is stored, or could be accessed, including when it is used and processed by cloud applications.