What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation that requires an organization to protect the personal data and privacy of EU citizens for transactions regardless of the geographical location of organization and data. Changes to individuals, procedures, and technology are required to ensure that personal data is properly controlled, processed, maintained, retained, and secured. Penalties for non-compliant with the General Data Protection Regulation can be up to 4% of the worldwide annual turnover amount.

Security is just one aspect of GDPR compliance, and we identify that you will need to engage with multiple merchants plus conduct a host of assessments and process audit in order to completely cover all requirements. If you haven’t already done so, engaging with a partner is strongly recommended. GDPR was approved and finalized in 2016. The new law has become effective on May 25th, 2018.

Who will be complaint with GDPR?

The GDPR compliance will apply to any organization that deals with any personal data of an EU citizen. This means that organizations-based outside the EU that provides goods and services to individuals living in the EU will need to comply with the new law.

How to comply with GDPR?

Article 32: Requirement for controllers and processors to implement a level of security appropriate to the risk

Vulnerabilities and risk go hand-in-hand, securing assets, and their encompassing environment, that manages and processes personal data is an essential step in any security program. Ensuring you have the correct technology and procedures set up to gather the important data and prioritize it based on risk, which will help you to drive your remediation efforts. GDPR stipulates that organizations should ensure ongoing confidentiality, integrity, and accessibility of systems.

To comply with this article, the organization should be able to fulfill the following requirements:

1. Know your network and the weak points associated with it.
2. Evaluate applications for vulnerabilities.
3. Short of assets and time? Managed services are a perfect solution.
4. Have a process for regularly testing, assessing, & evaluating the effectiveness of security measures.

Articles 33 and 34: Notification of breaches

Personal data breaches have already proved costly for organizations that experienced them. The General Data Protection Regulation requires data controllers to report any breaches of personal data to Supervisory Authorities within 72 hours of discovery and depending on the extent of the breach, to affected data subjects without delay. Implementing a significant breach notification process will tick a compliance box, but this alone won't change your security posture or help you mitigate harm in the unfortunate event of a breach.

To comply with this article, the organization should be able to fulfill the following requirements:

1. Look from a hacker's point of view.
2. Develop a top-notch Incident Response Program.
3. Monitor client behavior, identify hackers prior, and examine security incidents quicker.
4. Provide incident response assistance that doesn't rest.

How GDPR works?

The GDPR Assessment assesses compliance with several industry requirements, as well as the following control sets and frameworks:

1. Center for Internet Security Top 20 Common Security Controls (CSC20)
2. NIST Cybersecurity Framework (NIST CSF)
3. NIST Special Publication 800-53 (NIST 800-53)
4. NIST Special Publication 800-171 (NIST 800-171)
5. Department of Energy Cybersecurity Capability Maturity Model (DOE-C2M2)
6. ISO/IEC 27001:2013 (ISO 27001)

Each of these control frameworks maps to one another and are intended to provide a structure under which your security program can measure its maturity and effectiveness—now and for what's to come.

How Nemasis achieve GDPR compliance?

Nemasis-VA helps you to conduct a thorough vulnerability assessment of risks across vulnerabilities, configurations and controls, and prioritize the risks for remediation based on threat exposure and business impact. Automatically audit your systems for compliance with secure configurations, password policies, and access control requirements. It scans your whole network and generates interactive and real-time reports for remediation.

Nemasis’s early detection results help in quicker mitigation, which could make the difference between needing to report a data breach and having the ability to prevent hackers from reaching highly-envy personal data. It uses user’s behavior analytics to detect security incidents and quicken investigations with instant client setting, endpoint interrogation, and advanced search capabilities.