In 10 months from now, the new General Data Protection Regulation will come into force, bringing major changes in how to ensure the integrity, confidentiality and availability of personal data of European citizens. Datanet Systems can help you meet the mandatory IT security requirements of the legislative act, thus eliminating the risk of penalties.

Since May 25th, 2018, the new General Data Protection Regulation (GDPR) will directly apply to all EU Member States, without the need for transposition through country-specific legislation. GDPR, which replaces European Commission Directive 95/46, introduces a number of substantial changes regarding: the definition of data categories and the way they operate, consent and citizen’s rights on personal data, data processors’ obligations and the attributions of the supervision bodies, etc. The new regulation also comes with a new maximum ceiling on sanctions imposed on organizations that do not meet the stipulated requirements. Thus, the fines can reach up to EUR 20 million or 4% of the total turnover of the penalized organization.

Unlike the Data Protection Directive 95/46 / EC, cyber security is a field approached with much more strictness in the new regulation, in three distinct articles (Chapter IV, Section 2, Articles 32, 33 and 34), as opposed to one (Article 17) in the previous directive. The new security sector regulations stipulate prioritization of risks that may affect individual freedoms and rights, to the detriment of the financial risks of data processing organizations, and imposes the obligation of encryption and pseudo-anonymization of data. (GDPR defines the concept of “pseudonymisation” as the process by which personal data is processed so that the results obtained can no longer be attributed to a particular subject without the use of additional information.)

 

The obligation to report breaches

The obligation to report security breaches to the competent supervisory authorities is also a new element, if they affect the integrity, confidentiality and / or availability of personal data. (The Regulation defines “personal data breach” as security breaches leading to the destruction, loss, modification, unauthorized disclosure or access to personal data transmitted, stored or processed.)

The GDPR provides that the imposition of the notification condition applies to all organizations operating personal data, unlike the previous directive where the notification was mandatory only for certain areas of activity (telecom operators, Internet service providers, etc.). This is a change that extends the scope of the regulation and will be taken into account from next year by public organizations, financial and banking institutions, utilities providers, medical institutions, Cloud service providers, etc.

GDPR stipulates that a security breach should be reported “without undue delay” and no later than 72 hours after it is detected. The notification to the supervisory authority must contain at least four elements:

  • Description of the security breach nature, including the categories and volume of data affected;
  • Assessment of the likely consequences of breaching personal data protection requirements;
  • Presentation of solutions proposed to address the identified security problem;
  • Data protection officer’s contact details (Data Protection Officer’s existence is a mandatory condition only in certain situations

 

Detection remains the main problem

The GDPR procedures for notification of security breaches are clear, but the main issue for organizations is not the reporting mechanism but their timely detection, as their volume has increased by 40% in 2016 alone (ITRC Data Breach Report 2016).

According to the Mandiant M-Trends report for EMEA, in 2016 European organizations needed an average of about 15 months (469 days) to find a security breach.

This is a situation that many European citizens are still not aware of. For example, a recent study by Capgemini (Digital Transformation Institute Cybersecurity and Privacy Survey) shows that 83% of banking clients trust their provider’s ability to protect their personal data. But only one in five financial-banking institutions (21%) have the real ability to detect a breach, a quarter of them (26%) have already been victims of a security incident in the last 12 months, while almost half 49%) need between 3 and 12 months to fix the effects.

The problem becomes even more delicate, as GDPR states that if the risk of compromising personal data is assessed as high, organizations have the obligation to communicate information about the event and its effects to the affected person (Article 34). It is, therefore, very likely that these organizations are confronted not only with the risk of a consistent fine, but also with the loss of important clients, the deterioration of the organization’s image being rapid.

Preventing, detecting and resolving these types of security issues in a timely manner is one of Datanet’s main areas of expertise. The company can develop, deploy and customize integrated security systems capable of delivering complete IT infrastructure protection and reducing breach detection time.

For example, Datanet’s integrated architecture based on Cisco solutions can reduce the time to detect a security incident to 17.5 hours. Fortinet’s Security Information and Event Management (SIEM) systems implemented by Datanet provide businesses with a broad visibility on the infrastructures they operate, facilitating real-time identification of areas with potential vulnerabilities. Datanet’s portfolio of solutions is not only for large-sized companies, but also for small and medium-sized companies, which, for example, through Unified Threat Management (UTM) solutions, can benefit from extended protection at accessible costs.

 

Companies need expertise

Despite the important impact of GDPR, there are still many European organizations that do not yet know how the new regulations will affect their work.

Analyses made by IDC show that the GDPR topic is unclear for many organizations in member countries: 22% of the 700 European companies surveyed do not know the provisions of the new legislation, while more than half (52%) know information about GDPR, but cannot assess the impact on the operations they carry out.

Datanet Systems specialists can help you identify weak spots in your IT infrastructure and take the necessary steps to meet the new security requirements. Datanet has the necessary experience, a complete portfolio of security solutions and a team of certified specialists who assure design, development, delivery, commissioning and configuration, offering comprehensive consulting, maintenance and specialist training.

For further information, please contact us at office@datanets.ro.