Well, if there’s one good thing to say about February, especially for those of us deep in the bowels of winter, it’s that January is finally behind us. However, it does bring the impending GDPR compliance date ever closer. February 25th 2018 marks the three month deadline, so there really isn’t much time left to get your GDPR houses nicely in order. We’ve been posting regular blogs on the subject for four months now, and if you’ve been following the series then welcome back! If this is your first visit, you might want to read more about the fundamentals of the General Data Protection Regulation (GDPR) as well as our November, December, and January articles first, and then head back here for more GDPR goodness.
Our February recommendations are all about checking your processes are up to scratch, as it’s good to know sooner rather than later if you need to make any amendments.
Firstly, perform a “right to be forgotten” drill. Under GDPR article 17 data subjects have a right to erasure of their personal data. This right is frequently referred to as the “right to be forgotten”, but like pretty much everything GDPR there are some nuances. We do recommend you engage with legal counsel on all facets of the regulation, and this particular article is a great example of how the untrained eye can get things wrong. As the ICO state on their website, article 17 does not provide an absolute right to be forgotten. If there are overriding legal factors, for example, then this right doesn’t necessarily apply. Should an individual be under investigation for murder, it would be somewhat troubling if they could successfully request that the police delete all personal information in their possession.
Assuming murder investigations aren’t your sole line of activity, it is possible that a person could validly request that you erase their personal data from your systems (and likely from the systems of any third-party processors to whom you have sent this person’s personal data), so you need to have a solid process in place to perform this task. The legal firm Bird&Bird have created an excellent guide which goes into more detail on this subject. For many organisations, this will require creating a brand new process to ensure employees know how to handle and respond to such requests. Once you’ve documented your new process, give it a run through a few times to confirm it really is fit for purpose.
Next up, it’s time to give your security program a review. A decent penetration test will help you understand where your weak spots are, so that you can plan to address them. If you’re looking for strategic guidance on your security program roadmap, a cyber security maturity assessment can help you identify gaps, implement best practices, and align your program to the needs of your organization.
Breach reporting is now springing up in compliance regulations all over the world, and this goes hand in hand with having a solid incident response plan in place. Under GDPR, organisations have 72 hours to report a breach, and the clock starts ticking at the point of breach discovery. In a previous life, I spent a few years in incident response, and I can tell you first hand that 72 hours goes past very quickly indeed. According to the team over at Mandiant Consulting, in 2016 the average time to detect a breach was 99 days. So if you think about how much your team can accurately investigate within 3 days, even if you pumped them full of energy drinks and pizza, having the right tools and processes at their fingertips is vital to their success. If you’ve not given your incident response handbook a dusting off recently, now is a good time.
In that previously mentioned previous life, I often heard organisations say during incident post-mortems that they need to conduct regular dry runs of their incident processes. Then more often than not everyone just went back to doing their day jobs until the next time poop and fan came into immediate proximity. There are many ways to skin this proverbial cat too – a simulation such as a tabletop exercise, or purple teaming, where a pentest / red team go up against an incident response / blue team. If you’re looking for help with any of these activities, or indeed with setting up your incident response program, our experts are ready to assist. Learn more about Rapid7’s incident detection and response services.
Finally, with around three months left in the GDPR preparation calendar, taking stock of where you are in your entire GDPR project is a good exercise to perform. Some tasks may have slipped, some may be completed, and it’s possible some may have been missed from the original plan. You might be at the point where you think you’re good to go-go. I have to say I get nervous when I hear people say that they are “completely ready for GDPR”. A study by Veritas in 2017 had a whopping 31% of respondents report that they were already compliant. When Veritas dug further into the answers of those respondents, they discovered that many were deluding themselves about their state of readiness, and the real number was around 2%. A GDPR readiness assessment can help you avoid a GDPR facepalm moment, and get your plans on track before the regulation arrives.
If you’re looking for further information on GDPR please do check out our GDPR toolkit.
Watch the GDPR blog tag to keep up as we get closer to GDPR go-time.