GDPR and Breach Detection: How to Ask the Right Questions to Meet the GDPR Breach Notification Rule

iStock-165824022_gdpr-and-breach-detection-header

It is now less than four months before the General Data Protection Regulation (GDPR) becomes effective. This new data regulation of the European Union is designed to provide individuals with rights and protections over their personal data collected by business around the world. It aims to unify data protection regulation across all member states of the EU and applies to any organization that collects or processes personal data originating in the EU. Anyone who fails to comply with the GDPR could face huge fines as large as €20M (~$22M) or 4 percent of global annual turnover from the prior year.

One of the more notable provisions of the GDPR is Article 33 or the mandatory 72-hour breach reporting requirement. It dictates that in the event of a personal data breach, data controllers must notify the appropriate supervisory authority “without undue delay and, where, feasible, not later than 72 hours after having become aware of it.” In other words, organizations have only 72 hours to gather all the information and report data breaches to the relevant regulator. In any case, if notification is not made within the 72-hour window, the GDPR requests that the controller provide a reasoned justification for the delay. GDPR Article 33 also specifies what type of information the notification must include. At minimum, the data protection authority will expect to see:

  • Nature of the breach
  • Type of data affected
  • Approximate number of people and records affected
  • Name and contact details of the DPO (Data Protection Officer)
  • Consequences or projected consequences of the breach
  • Measures taken or proposed to address the breach

This new breach requirement poses a significant challenge for security teams. Many breaches are not discovered for weeks, months and sometimes years. And once breaches are discovered, understanding the impact – who has been affected, what data was breached, how it happened, and how to remediate the situation – within 72 hours is daunting.

What can organizations do to address the GDPR’s tough data breach notification requirements? Here are a few questions to ask that will help you get started.

Exactly Who Is Accessing My Data?

To ultimately detect and contain a data breach, you need to be able to answer this question and get a good understanding of who is accessing your enterprise data. By that I mean understanding the data access of ALL users within the organization, not just a subset of people, such as privileged users. Like it or not, anyone can become compromised or do careless things exposing sensitive data to risks. Therefore, it is important to have a handle on the actions of every user. Don’t just look at logins and logouts. You need to fully understand what users are doing with enterprise data, so you don’t miss the vital context associated with a breach incident.

Is the Access OK?

Once you have a clear answer to who is accessing your enterprise data, the next question to ask is whether the data access is appropriate for a specific user. You need to be able to discern what data access is considered appropriate and what not. Detecting suspicious data access can be challenging, as organizations must give their employees access to data so they can perform their job. Furthermore, there are often too many alerts to shift through, and security professionals have little context to identify and prioritize critical incidents as they are not database experts and don’t have deep knowledge of what is and is not okay.

Machine learning and behavior analytics automatically uncover suspicious data access events and effectively address those challenges by providing rich context and improving the fidelity of alerts. They allow you to cut through the noise and reduce the time to detect specific behaviors known to be inappropriate. At the end of the day, the solution should help determine what authorized, day-to-day data access looks like, and detect anything that might be abusive.

How Do I Respond Quickly?

Last but not least, a critical question to ask is how you can quickly respond to a potential breach. There are two ways to achieve fast incident response- 1) shorten the time to identify an illegitimate access to data, and 2) reduce the time in stopping any violation against your security policies. The ability to accurately detect and prioritize anomalous activities is the key to accelerate breach detection without causing business disruption. Meantime, the solution should collect all the breach details and allow you to provide a detailed report internally and to the regulator.

Additionally, GDPR requires that data controllers document not only the facts relating to the breach, but also its effects and any remedial action taken. Let’s say you detect abnormal data access, you may need to take some immediate actions. For example, you need to block or quarantine the user or machine that has raised an alert, so you can effectively contain the breach and demonstrate the actions taken as required under GDPR.

Addressing these questions will get you on the right track as you prepare for the GDPR breach notification requirements. And if you’re struggling to provide a clear answer to any of these questions, you now know where to start to improve breach detection and incident response efforts.

For more on how Imperva can help you meet GDPR requirements, read “Five Ways Imperva Helps You with GDPR Compliance.”