IBM Incident Response Preps for EU GDPR (General Data Protection Regulation)
GDPR was approved by the EU Parliament in April 2016 and takes effect May 25, 2018. The regulation replaces the Data Protection Directive 95/46/EC and is designed to streamline data privacy laws across Europe, according to the EU Parliament.
In preparation for GDPR, the new IBM Resilient incident response capabilities include:
- GDPR Preparatory Guide: Offers a step-by-step guide to help organizations prepare for GDPR.
- GDPR Simulation: Enables an organization’s security analysts to rehearse the actions they may need to take if they experience a data breach under GDPR.
- GDPR-Enhanced Privacy Module: Provides organizations with access to a database of GDPR-related guidelines and regulations.
GDPR: Preparing Now
IBM will continue to add and update GDPR guidelines and regulations to its IBM Resilient global privacy module, the company said. IBM and MSSPs face multiple hurdles as they attempt to assist customers with GDPR.
Indeed, key points of GDPR include:
- Increased Territorial Scope: GDPR applies to all organizations processing the personal data of data subjects residing in the EU, regardless of location.
- Consent: Data consent requests must be provided “in an intelligible and easily accessible form, with the purpose for data processing attached to that consent,” the EU Parliament indicated.
- Penalties: Organizations that fail to comply with GDPR can be fined up to 4 percent of annual global turnover or €20 million (roughly $25.92 million), whichever is greater.
GDPR Will Have “Significant Impact”
GDPR represents “the most important change in data privacy regulation in 20 years,” the EU Parliament stated. However, few organizations are prepared for GDPR, according to an April 2017 survey conducted by independent research firm Ponemon Institute and Citrix Systems.
The survey of more than 4,200 IT, security and business professionals revealed 74 percent of respondents said they believe complying with GDPR will have a “significant negative impact” on their organizations.
Also, the survey showed 33 percent respondents said they are still unaware of GDPR, and only half have allocated budgets and started to prepare for the May 2018 GDPR compliance deadline.
“Our research shows that most companies globally do not feel confident in their ability to comply with data breach notification requirements,” Ponemon Institute founder Dr. Larry Ponemon said in a prepared statement. “To get ahead of these challenges, organizations should be proactive about establishing processes and owners for ensuring compliance with the new requirements.”
How to Prepare for GDPR
- Teach key stakeholders about GDPR.
- Identify the personal data that you can store.
- Remove any unused personal data that is no longer required.
- Develop an organizational chart that assigns roles and responsibilities based on GDPR.
- Update security policies and protocols.
- Incorporate GDPR into standard business practices.
- Establish clear-cut policies to detect and respond to a data breach.
- Learn about all of the rights related to data processing included in GDPR.
- Identify any special organizational requirements and plan accordingly.
In addition, an organization can collaborate with a managed security services provider (MSSP) or other security experts to address security gaps before GDPR goes into effect, HelpSystems indicated.