Is the GDPR a game changer for detection and response?

The GDPR is an EU regulation (not a directive, unlike the 1995 Data Protection Directive it replaces) and it applies to any organisation, wherever it is based, that processes the personal data of people in the EU. When it comes into full force on 25 May 2018, there will be stringent requirements on organisations to detect and report breaches in a timely manner. If companies don’t have effective detection and response systems and processes in place, the fines can be devastating.

By Jo Best

Wed 6 Sep 2017 @ 14:39

The General Data Protection Regulation (GDPR) will become enforceable on 25 May 2018, bringing with it widespread changes to the ways organisations can collect, store, and process data from customers and partners.

One of the most significant stipulations contained in the GDPR relates to the way data breaches affecting EU citizens are handled. Data breaches are an everyday concern in 2017, but the outgoing legislation, the Data Protection Directive (95/46/EC), made no specific mention of breaches in its many paragraphs of regulations.

The GDPR is different. It sets a clear definition of what constitutes a “personal data breach” – any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data – and how an incident needs to be reported.

Unless the breach is unlikely to result in a risk to individuals’ rights and freedoms, it will have to be reported to the supervisory authority – in the UK, that's the Information Commissioner’s Office (ICO) – within 72 hours of the organisation becoming aware of it. A notification that arrives later than that must be accompanied by the reasons for the delay.

Organisations need to tell their regulator the nature of the breach, including the categories and approximate number of people and records affected, the likely consequences, the measures taken or proposed to address the breach and mitigate its effects, and a contact point (normally the data protection officer) for further information. Where not everything is known at once, the information can be provided in phases without undue further delay.

If the data breach is also likely to result in a high risk to individuals’ rights and freedoms – for example, if it leaves them open to identity theft or means they are more likely to be discriminated against – those individuals will also need to be notified personally without undue delay. That obligation falls away if the data had been rendered unintelligible to whoever obtained it, for instance through properly implemented encryption, which is one of the strongest technical arguments for encrypting personal data at rest.

Paying the penalty

Failure to meet the GDPR’s requirements will attract a stiff monetary penalty. The top tier is up to €20m or four per cent of the organisation’s worldwide annual turnover, whichever is higher. Failing to notify a breach under Articles 33 and 34 sits in the lower tier, up to €10m or two per cent, but the security failure behind the breach can also be treated as an infringement of the integrity and confidentiality principle in Article 5, which is in the top tier.

The ICO states: “In light of the tight timescales for reporting a breach – it is important to have robust breach detection, investigation and internal reporting procedures in place.”

In short: companies have less than a year to make sure their breach detection and response technologies are up to the task of meeting the GDPR’s 72-hour notification requirements.

Breaches are a fact of life for many businesses. According to UK government research published in April, over half of companies fell victim to some kind of security incident or breach in the preceding year; for larger companies, that figure increased to seven in 10.

Separate research has found that 70 per cent of organisations that experienced a breach were notified of its existence by a third party – a strong sign that they lacked the monitoring and resources to detect the breach themselves.

Had the GDPR already been in force, these companies would have been on the back foot in terms of both remediating the breach and alerting the regulator: the 72-hour clock would have started the moment the third party told them, while they were still working out what had happened and which data was affected.

For many businesses, the GDPR will be a good prompt to reassess their security procedures, and to put in additional measures to strengthen their data protection stance.

Faster detection and response essential

Two metrics likely to gain additional importance post-GDPR are mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR).

Both are indicators of the relative health of an organisation's security posture. MTTD measures how long an intruder is in the environment before anyone notices, from the first evidence of compromise to the point the organisation becomes aware of the breach; MTTR measures how long it then takes to contain and remediate it. A decreased MTTD means an organisation can spot a potential threat or breach occurring more quickly; a reduced MTTR means it can begin to mitigate the problem as fast as possible.

According to research, organisations’ MTTD for breaches is dropping – from 229 days in 2014 to 205 days in 2015. The 72-hour clock only starts once the organisation becomes aware of a breach, so a long dwell time does not by itself breach the notification deadline. However, the GDPR’s increased emphasis on data breach reporting will mean the public, and regulators, are unlikely to look favourably on those who let unauthorised third parties run riot on their networks for the better part of a year, and the regulator can ask whether the security measures in place were appropriate to the risk, as Article 32 requires.

Reducing both MTTD and MTTR means there is a far smaller window for an outside attacker or insider threat to have unauthorised access to corporate data. This helps to minimise the damage an attack or threat can do – meaning fewer individuals, and less of their data, should fall within the scope of the breach.

And the faster any incident can be detected and mitigated, the more time an organisation has to investigate the incident and prepare the breach notification within the 72-hour deadline set by the GDPR.
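The MTTD and MTTR figures above, and the 72-hour clock, can be tracked from an ordinary incident log. The following Python is an added example, not code from the original article or from any tool it mentions; the incident records, the `risk_to_individuals` flag (standing in for the organisation's own risk assessment) and the function names are constructed for illustration. It computes dwell time and response time per incident, MTTD and MTTR across the log, and checks each notifiable incident against a deadline that runs from the moment the organisation became aware of the breach (Article 33(1)), not from the original compromise.

```python
"""MTTD / MTTR and 72-hour notification tracking over a constructed incident log."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import List, Optional

# Art. 33(1): the supervisory authority must be notified within 72 hours of the
# controller becoming aware of the breach (where feasible).
NOTIFY_WINDOW = timedelta(hours=72)
HOUR = timedelta(hours=1)


@dataclass
class Incident:
    name: str
    compromised: datetime           # earliest evidence of unauthorised access (from forensics)
    detected: datetime              # when the organisation became aware of the breach
    contained: datetime             # when the unauthorised access was cut off
    risk_to_individuals: bool       # assumption: result of the organisation's own risk assessment
    notified: Optional[datetime] = None  # when the regulator was told, if at all


def ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp carrying a UTC offset and normalise it to UTC.

    Naive timestamps are rejected: mixing local times from different systems is
    an easy way to get the 72-hour arithmetic wrong.
    """
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {text}")
    return parsed.astimezone(timezone.utc)


# Constructed sample data (not real incidents); timestamps chosen to make the sums easy.
SAMPLE: List[Incident] = [
    Incident("crm-db-exfil", ts("2017-05-01T10:00:00+00:00"), ts("2017-05-21T10:00:00+00:00"),
             ts("2017-05-22T10:00:00+00:00"), True, ts("2017-05-23T09:00:00+00:00")),
    Incident("test-server-bruteforce", ts("2017-06-10T00:00:00+00:00"), ts("2017-06-12T00:00:00+00:00"),
             ts("2017-06-12T06:00:00+00:00"), False),
    Incident("hr-share-exposed", ts("2017-07-01T12:00:00+00:00"), ts("2017-07-03T12:00:00+00:00"),
             ts("2017-07-04T12:00:00+00:00"), True, ts("2017-07-07T13:00:00+01:00")),
    Incident("payroll-phish", ts("2017-07-31T00:00:00+00:00"), ts("2017-08-01T00:00:00+00:00"),
             ts("2017-08-01T12:00:00+00:00"), True),
]


def time_to_detect(inc: Incident) -> float:
    """Dwell time in hours: first evidence of compromise to awareness."""
    return (inc.detected - inc.compromised) / HOUR


def time_to_respond(inc: Incident) -> float:
    """Hours from awareness to containment."""
    return (inc.contained - inc.detected) / HOUR


def mttd_hours(incidents: List[Incident]) -> float:
    return mean(time_to_detect(i) for i in incidents)


def mttr_hours(incidents: List[Incident]) -> float:
    return mean(time_to_respond(i) for i in incidents)


def notification_deadline(inc: Incident) -> datetime:
    """The clock starts at awareness, not at the original compromise."""
    return inc.detected + NOTIFY_WINDOW


def notification_status(inc: Incident, now: Optional[datetime] = None) -> str:
    """Classify an incident against the Art. 33 deadline.

    Incidents assessed as unlikely to put individuals at risk need not be
    reported, but the assessment itself must still be recorded: Art. 33(5)
    requires every breach to be documented, reported or not.
    """
    if not inc.risk_to_individuals:
        return "not required"
    deadline = notification_deadline(inc)
    if inc.notified is None:
        now = now or datetime.now(timezone.utc)
        if now <= deadline:
            return f"due in {(deadline - now) / HOUR:.1f}h"
        return f"overdue by {(now - deadline) / HOUR:.1f}h"
    lateness = inc.notified - deadline
    if lateness <= timedelta(0):
        return "on time"
    return f"late by {lateness / HOUR:.1f}h"  # Art. 33(1): a late report must give reasons for the delay


def report(incidents: List[Incident], now: Optional[datetime] = None) -> List[str]:
    """One summary line plus one line per incident, for a dashboard or a weekly review."""
    lines = [f"MTTD {mttd_hours(incidents):.1f}h  MTTR {mttr_hours(incidents):.1f}h"]
    for inc in incidents:
        lines.append(f"{inc.name:<24} dwell {time_to_detect(inc):6.1f}h  "
                     f"respond {time_to_respond(inc):5.1f}h  notification: {notification_status(inc, now)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE, now=ts("2017-08-05T00:00:00+00:00"))))
```

Two design points matter in practice. Every timestamp is forced to UTC before any subtraction, because the deadline is a point in time and a forensic timeline assembled from servers in different time zones will otherwise be off by hours. And the "not required" outcome is a deliberate decision recorded against the incident, not the absence of a record, so the organisation can show the regulator why a given breach was not reported.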

For many organisations, the GDPR will signal a change in security priorities. While breach and incident prevention will remain significant, detection and response will be rising rapidly up the CISO’s agenda.
