A legislative milestone for the digital age

By Neil Thacker, Forcepoint Deputy CISO

The clock is officially ticking for organisations to get their data protection policies in order, now that the General Data Protection Regulation (GDPR) has been approved and is set to replace the EU Data Protection Directive.

The new regulation will come into effect in May 2018 and will require businesses to put a much stricter focus on data protection. The headline items for organisations that collect or process EU citizen records are:

  • Organisations must notify their supervisory authority of a data breach within 72 hours
  • The data subject will have the right to retract consent, request data erasure or portability
  • Organisations may face fines of up to 4% of their worldwide turnover, or €20 million for intentional or negligent violations

These increased sanctions mean it is vital that this new law be fully understood by a number of key stakeholders within the organisation, and that organisations start preparing as soon as possible.

There are five key steps to help organisations perform a basic assessment of their current data protection strategy and any potential gaps that need filling prior to a more comprehensive view of the GDPR.

1. Identify

The first task for any organisation must be to identify whether they are considered a data controller or processor. They must review the relevant obligations these carry, such as issuing notice to citizens and maintaining relevant consent from the data subject.

Businesses should make it common practice to regularly review existing and new business processes to identify Personal Identifiable Information (PII). They should identify where this data resides (whether it is at rest, in motion and/or in use), maintain a record of processing activities and understand how this data is protected.

2. Protect

Once PII has been identified, organisations must then ensure they adequately protect this data. Encryption and access control are common control standards, but managing encrypted data across multiple business processes is a hugely difficult task.

Data sovereignty and data lifecycle management are key to helping businesses ensure that EU citizen data is processed and stored appropriately. In addition to this, they also need to manage data flows to approved third party processors, monitor for accidental data leakage from negligent or malicious employees and protect against data theft from external agents.

3. Detect

If an organisation does suffer a loss of data then it is vital to detect the breach and identify if PII records were lost or stolen. If a data breach has occurred, the business will be required to notify the necessary authorities within 72 hours of the discovery to initiate a full investigation.

The investigation will focus on identifying the source and destination of the breach through event and incident information from Data Leakage Prevention (DLP) and Data Theft Prevention (DTP) tools. Data forensics will help to pinpoint the stolen data, at which time the business will be required to issue notice to any affected data subjects.

4. Response

Incident response is critical to protecting data, including EU citizen data. In addition to the mandatory data breach notification requirement, organisations must also ensure they have implemented an effective incident response plan. This plan must be tested to ensure that employees involved in a data breach response are familiar with the reporting process and fully understand the new legislation and communication process in order to report a breach.

Picture Source (UK): Preparing for the General Data Protection Regulation, Information Commissioner's Office

5. Recovery

In the aftermath of a data breach businesses must ensure they maintain ongoing communication with the relevant authorities. This will ensure secondary loss factors are managed and keep affected data subjects regularly informed.


Data protection and the safeguarding of EU citizen data have always been important requirements for organisations, and the impending GDPR places even greater emphasis on the value of this data. It is therefore more important than ever for organisations to fully understand their role and apply the appropriate security controls that allow them to identify and protect this data. Having an established data breach plan in place will help organisations be familiar with the detect, response and recovery phases to ensure they limit the effect of the attack and have the relevant people, process and technology in place to continually deal with this new legal requirement.

For more information, watch the Forcepoint GDPR webcast: https://www.forcepoint.com/resources/webcasts/emea-general-data-protection-regulation-webcast

The final revision of the GDPR text with changes can be found here: https://www.scribd.com/doc/307465671/GDPR-Blackline-Comparison-of-12-15-and-4-16-versions
