EU General Data Protection Regulation (GDPR) Compliance Solutions

The General Data Protection Regulation (GDPR) protects the personal data of EU citizens regardless of the geographical location of the organization or the data. Organizations around the world must be compliant with GDPR by 25th May 2018. Changes to people, processes, and technology are required to ensure that personal data is correctly controlled, processed, maintained, retained, and secured. Penalties for infringement of the General Data Protection Regulation can be up to €20,000,000 or 4% of worldwide annual turnover, whichever is the greater amount.

Article 5 of the GDPR mandates six principles related to the processing of Personal Data. Personal Data shall be: 

  • Processed lawfully, fairly, and in a transparent manner
  • Collected for specified, explicit, and legitimate purposes
  • Adequate, relevant, and limited to what is necessary
  • Accurate and, where necessary, kept up to date
  • Retained only for as long as is necessary
  • Processed in a manner that ensures appropriate security

Additionally, new stringent requirements around personal data breach reporting require organisations to report breaches to a Supervisory Authority within 72 hours of breach discovery.

GDPR Compliance Toolkit

Preparing for the General Data Protection Regulation (GDPR) can be overwhelming. This toolkit can help.


How Rapid7 helps with GDPR

Article 32: Know your network and identify weak points

Use InsightVM to conduct a thorough vulnerability assessment of risks across vulnerabilities, configurations, and controls, and prioritize risks for remediation based on threat exposure and business impact. Automatically audit your systems for compliance with secure configurations, password policies, and access control requirements via pre-built scan templates, or with the Custom Policy Builder capability. Custom Policy Builder enables you to create, modify, and augment common regulatory requirements like GDPR based on the unique needs of your IT environment.

Article 32: Test the effectiveness of your security measures

Simulate real-world attacks by penetration testing your defenses and evaluate the effectiveness of security measures at protecting personal data with Metasploit. Integrating Metasploit with InsightVM enables you to validate the exploitability of vulnerabilities in Metasploit and automatically prioritize for remediation in InsightVM.

Penetration testing services give you an attacker’s perspective of your ecosystem, providing you with an understanding of how and where you are most vulnerable to security breaches and data exfiltration.

Article 32: Assess applications for vulnerabilities

Use InsightAppSec, our Dynamic Application Security Testing solution, to dynamically scan your web, mobile, and cloud applications for vulnerabilities (including those that allow unauthorized persons to bypass authentication controls), and generate interactive reports for remediation.  

Articles 33 and 34: Develop a top-notch Incident Response Program

Rapid7's Incident Response Program Development service will help you determine the people, process, and technology necessary to ensure your organization can move with speed and purpose in the event of an incident.

Articles 33 and 34: Monitor user behavior, detect attackers earlier, and investigate security incidents faster

InsightIDR provides the ability to tag systems containing personal data as “restricted,” then monitors all activity on these systems for unauthorized access. Leverage user behavior analytics to detect security incidents and accelerate investigations with instant user context, endpoint interrogation, and advanced search capabilities.

Articles 33 and 34: Incident Response that doesn’t sleep

Don’t have in-house 24x7x365 incident response capabilities? No problem. Rapid7’s Managed Detection and Response service can provide you with round-the-clock monitoring and incident response assistance. Early detection results in faster mitigation, which could make the difference between needing to report a data breach and having the ability to prevent attackers from reaching highly-coveted personal data.  

Compliance for Cloud Environments

When using Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or any other cloud service provider (CSP), compliance is a shared responsibility between the CSP and the customer. You as the customer are responsible for configuring and using cloud services in a way that complies with the applicable directives contained within the GDPR framework.

InsightCloudSec enables you to automate compliance with GDPR. InsightCloudSec provides dozens of out-of-the-box policies as part of our GDPR compliance pack that map back to specific directives within GDPR. For example, InsightCloudSec’s policy “Database Instance Publicly Accessible With Attached Exposed Security Group” supports compliance with GDPR's Article 25: Data Protection by Design and by Default. You can immediately use the GDPR compliance pack to identify and remediate policy violations in real time.
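As an added illustration (not Rapid7's code, and not how InsightCloudSec implements its policies), here is a minimal evaluator for the check that the policy name above describes: a database instance flagged publicly accessible whose attached security group admits the whole internet to the database port. The record fields and the sample inventory are constructed assumptions standing in for a cloud API response.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class IngressRule:
    protocol: str      # "tcp", "udp" or "-1" (all protocols)
    from_port: int
    to_port: int
    cidr: str

@dataclass(frozen=True)
class SecurityGroup:
    group_id: str
    ingress: tuple     # tuple of IngressRule

@dataclass(frozen=True)
class DbInstance:
    db_id: str
    publicly_accessible: bool   # assumed flag, e.g. an RDS-style "PubliclyAccessible"
    port: int
    security_groups: tuple      # tuple of SecurityGroup

def rule_is_world_open(rule: IngressRule, port: int) -> bool:
    """True if the rule admits the whole internet to the database port."""
    if rule.protocol not in ("-1", "tcp"):
        return False
    if rule.protocol == "tcp" and not (rule.from_port <= port <= rule.to_port):
        return False
    # 0.0.0.0/0 and ::/0 are the only networks with a zero-length prefix
    return ipaddress.ip_network(rule.cidr, strict=False).prefixlen == 0

def evaluate_policy(instances):
    """Return (db_id, group_id) pairs that violate the policy."""
    findings = []
    for db in instances:
        if not db.publicly_accessible:
            continue   # an open group on a private-only instance is a different finding
        for sg in db.security_groups:
            if any(rule_is_world_open(r, db.port) for r in sg.ingress):
                findings.append((db.db_id, sg.group_id))
    return findings

# Constructed sample inventory (not real resources)
SAMPLE = (
    DbInstance("customers-prod", True, 5432,
               (SecurityGroup("sg-open", (IngressRule("tcp", 5432, 5432, "0.0.0.0/0"),)),)),
    DbInstance("customers-prod-replica", True, 5432,
               (SecurityGroup("sg-office", (IngressRule("tcp", 5432, 5432, "10.0.0.0/8"),)),)),
    DbInstance("analytics-private", False, 3306,
               (SecurityGroup("sg-anyproto", (IngressRule("-1", 0, 65535, "::/0"),)),)),
)

if __name__ == "__main__":
    for db_id, sg_id in evaluate_policy(SAMPLE):
        print(f"VIOLATION: {db_id} is publicly accessible and {sg_id} admits 0.0.0.0/0 or ::/0")
```

Only the first sample instance is reported: the replica's group is limited to a private range, and the private instance is skipped because the policy requires both conditions to hold.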