A new EU privacy regulation, the GDPR, is set to affect Australian businesses from May 2018, and fines for non-compliance can reach as high as 20 million euros, so it’s essential for businesses to prepare.
The General Data Protection Regulation (GDPR) aims to give control over personal data back to EU citizens and residents, and to simplify the regulatory environment for international businesses by unifying the rules across the EU. Nearly every global enterprise will be subject to the GDPR, because it applies to all organisations that conduct business in the EU, offer goods or services to EU residents, or monitor the online behaviour of EU residents. All of these organisations are now responsible for protecting the personal data of EU citizens. The obligations now extend to organisations that process personal data on another’s behalf, not only the businesses that collect and use it.
Privacy legislation is nothing new, and Australia already has its own Privacy Act. Companies doing business with US organisations also have to comply with the relevant US regulations. Even so, Australian organisations need to make sure they are completely ready for the GDPR.
The GDPR also aims to stimulate economic growth by cutting the costs and red tape associated with data handling in the multi-state European market, particularly for opportunities associated with big data. Its risk-based approach to the rules avoids burdensome one-size-fits-all obligations and encourages businesses to design security into new products.
There are no specific technologies mandated to prevent breaches and protect private data. Instead, organisations are expected to consider current technologies and best practices in designing their processes.
In any post-breach investigation, a company will likely have to defend its approach to security and privacy protection, and the technologies it chose to deploy. Therefore, it’s important to carefully assess, evaluate, and document security-related decisions, particularly around compliance and accountability: security strategies, plans and timeframes for reaching compliance, how compliance was validated, and how it will be maintained and measured.
Network visibility is crucial to complying with the GDPR. It’s essential to see all traffic moving through the network, because blind spots are commonly used as footholds for malware, which can lead to a data breach.
There are six key ways to prepare for GDPR:
1. Achieving visibility in the cloud
It’s important to achieve cloud-native access to traffic in both private and public cloud, filtering and processing packets at the source so that they need not be transmitted back to a centralised monitoring location. This architecture supports greater scalability, network agility, and security.
2. Monitoring encrypted traffic
Cyber attacks are frequently carried inside encrypted traffic, so it’s important to be able to decrypt and inspect that traffic rather than let it pass unexamined.
3. Identifying and masking personal data
This is essential. Businesses should choose tools that let administrators obscure any data pattern they choose, either through an easy-to-use graphical interface or by applying pre-defined templates.
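As an added example (not code from the original article or from Ixia), a small Python masker that applies pre-defined templates for e-mail addresses, IPv4 addresses and payment-card numbers to two constructed log lines; the Luhn check shows why pattern matching alone needs a validation step, so that order numbers and timestamps are not masked by mistake:

```python
import re
from typing import Dict, Tuple

# Pre-defined masking templates (constructed for this example): each maps a
# template name to the regex for the personal-data pattern it should obscure.
TEMPLATES: Dict[str, "re.Pattern[str]"] = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),  # 13-19 digits, optional separators
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used so only genuine card-like numbers get masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_record(text: str, templates=TEMPLATES) -> Tuple[str, Dict[str, int]]:
    """Apply every template to one record; return the masked text and per-template hit counts."""
    counts = {name: 0 for name in templates}

    def make_sub(name: str):
        def sub(m: "re.Match[str]") -> str:
            value = m.group(0)
            if name == "card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                return value            # not a card number (e.g. an order id): leave it alone
            counts[name] += 1
            if name == "ipv4":
                # keep the network part so traffic analysis still works, drop the host octet
                return value.rsplit(".", 1)[0] + ".x"
            return f"<{name}>"
        return sub

    for name, pattern in templates.items():
        text = pattern.sub(make_sub(name), text)
    return text, counts

# Constructed sample records; the IP is from the TEST-NET-3 documentation range.
SAMPLE_LOGS = [
    "2018-05-25 10:01:02 src=203.0.113.45 user=jane.doe@example.com action=login",
    "2018-05-25 10:01:07 src=203.0.113.45 order=1234567890123 card=4111 1111 1111 1111",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(mask_record(line))
```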
4. Testing security infrastructure
In addition to achieving visibility, organisations should validate that their network infrastructure is robust and defends against breaches. Test solutions help confirm that implementations and configurations are correct, and can simulate high-volume network traffic that includes personal data as well as malware and other threats.
5. Deploying resilient security solutions
Resilient security solutions ensure businesses remain protected if their security infrastructure suffers a temporary outage, or if a device has to be taken offline for an upgrade or maintenance. High-performance packet processors can share the workload and provide near-instant recovery in the event of a failure.
6. Integrating real-time application and threat intelligence
Pre-filtering known-bad IP addresses and traffic out of the data that flows to security tools improves those tools’ performance and reduces the number of alerts the security team needs to follow up on.
Ardy Sharifnia, General Manager – ANZ, Ixia