We’ve Got You Covered
Our built-in security capabilities address critical areas of GDPR compliance:
- Intrusion Detection: detects malicious traffic that could result in data breaches
- Vulnerability Scanning: reduces attack surface by identifying improper configurations and missing patches/updates
- IP Reputation Management: effective first-line-of-defense in blocking IP addresses associated with threat actors
- Web Application Firewall: provides effective detection and blocking of traffic associated with malicious application behavior such as cross-site scripting and SQL injection
- File Integrity Monitoring: monitors critical files for unauthorized changes
- O/S Patching: addresses O/S vulnerabilities
- Malware Protection: protects systems from viruses and malware
- O/S Log Management: records a history of important O/S events for incident response and forensic investigations
- Security Dashboard: facilitates documentation of security posture and incident communication
- Incident Response: provides quick and prioritized response to incidents
What is GDPR?
The General Data Protection Regulation (GDPR) is a set of mandated activities aimed at strengthening data protection for EU citizens. Within data protection, GDPR includes a specific article on data security – Article 32: Security of Processing.
Article 32 is risk-based, like HIPAA. As a result, in lieu of prescriptive security controls, Article 32 sets out four broad, proactive requirements for organizations processing EU citizen PII.
Article 32 requirements:
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The pseudonymization and encryption of personal data
- The ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
Which organizations are affected?
The GDPR is applicable to every organization that collects or processes data pertaining to EU citizens – regardless of where the organization is located.
What is the penalty for noncompliance?
GDPR levies severe penalties (up to 4% of a company’s global turnover or €20M, whichever is higher) and supersedes all existing legislation.
GDPR introduces a set of core requirements for organizations controlling or processing personal data for EU residents. These regulations are intended to protect the rights of EU citizens with respect to their personal data. GDPR compliance requires both organizational and technological measures.
Learn more about the specific requirements of GDPR and what they mean for your organization.
Notification of Data Breaches
Once an organization becomes aware of a breach of personal or sensitive personal data, it has a 72-hour window to notify the relevant supervisory authority of the breach. Additionally, it must individually notify data subjects of any breach that presents a high risk to their individual rights and freedoms.
Ability to Demonstrate Compliance
Organizations must understand the security requirements prescribed directly or indirectly by the regulating party to demonstrate compliance. They must also align their environment and data with the secure cloud controls that meet these specific requirements.
Right to Data Portability
Data subjects have the right to data portability, which means they can request the personal data they have supplied to a controller. The data must be delivered in “a structured, commonly used and machine-readable format” so that it can be transferred to another data controller.
Right of Access
Data subjects have the right to know if and when their data is transferred to a third country or an international organization. Safeguards are required to ensure ongoing protection of the data after transfer.
Right to Erasure (Right to be Forgotten)
A data subject has the right to request the erasure of personal data held by a data controller, subject to certain conditions. Honoring such requests requires that organizations establish a clear legal understanding of why they are processing data and the appropriate legal basis for doing so, and, when required, have the technological ability to erase all affected data promptly.
Security of Processing
Data controllers are required to implement technical and organizational measures to ensure an appropriate level of security is in place for processing activities. These activities include, but are not limited to, pseudonymization, encryption and regular testing of organizational and technical measures.
Transfers of Personal Data to Third Countries or International Organizations
The GDPR outlines specific requirements governing when and where personal data can be transferred to third countries or international organizations.