In May this year, the EU began enforcing the General Data Protection Regulation (GDPR) with the aim of protecting the personally identifiable information of EU citizens. It applies to any organization that is based within or operates in the EU – any organization with operations, customers, suppliers or partners within the EU is liable.
As you’ll no doubt be aware, an organization found to be in breach of the regulation (for example, by failing to adequately safeguard customer data against a breach, or to report it to their supervisory authority within 48 hours) can face heavy fines: up to 20 million euros or 4% of annual turnover, whichever is the greater. With the stakes so high, it is critical that businesses ensure that their processes across the entire organization comply with the regulation – including network security.
Where GDPR meets network security
Three of the articles contained within GDPR are directly related to network security:
However, while GDPR sets out these standards that relate to network security, as of yet, the EU has not provided an approved implementation framework or reporting structure. As a result, there are no official or industry guidelines for how GDPR compliance audits should be conducted, nor is there any indication of specific steps that organizations need to follow to prepare for an audit following a breach.
Against this backdrop, it is incredibly challenging for organizations to know what constitutes ‘best practice’ when it comes to ensuring that their network security processes are compliant with GDPR. Typically, new regulations rely on implementation frameworks that are already utilized by other verticals and we can use such guidance here.
In the case of GDPR, the most relevant standard that is already widely adopted is ISO 27001. ISO 27001 covers many security best practices without specifying the type of information that needs to be protected. Furthermore, it requires organizations to implement measures that would equally apply to GDPR. As such, as an initial baseline for demonstrating GDPR compliance, AlgoSec recommends following the ISO 27001 network security standards and reporting frameworks.
Aligning network security with GDPR
Beyond looking to the ISO 27001 framework as a guide, companies can also find an easier path to compliance by using network security policy automation. For example, we have added out-of-the-box GDPR support in the latest version of our network security policy management solution, version 2018.1.
At the click of a button, AlgoSec users can generate GDPR compliance reports for all applicable network security, obtaining an up-to-date, accurate snapshot of the organization’s compliance status. Security teams can immediately pinpoint gaps in compliance and get actionable recommendations for remediation, and proactively assess GDPR risk and compliance for every firewall rule change. Going well beyond continuous compliance, this feature also delivers a full GDPR-ready audit trail for every change.
Given the high cost of failing to meet the standards laid out in GDPR, it’s critical that organizations take the necessary steps to comply. By utilizing AlgoSec, organizations can automatically align network security with key articles in GDPR, while automatically generating the audit trail they need to demonstrate compliance – reducing the risk of incurring penalties in the event of a breach.