Overview

The European Union General Data Protection Regulation (GDPR) sets requirements for companies that use or process data in the EU, or that use or process data about EU citizens anywhere in the world outside of the United States. The reforms give European consumers rights and control over their personal information and impose obligations on businesses to the extent that they collect personal information from EU citizens, regardless of where those citizens reside, or from individuals who reside in the EU, regardless of their nationality. 

For more information, refer to the GDPR publication: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679.

Netsurion Managed XDR for GDPR Compliance 

Netsurion Managed XDR combines SIEM, log management, proactive threat hunting, and guided incident response to meet the requirements outlined in the GDPR. With comprehensive monitoring, analysis, and reporting capabilities, organizations can identify and manage their assets, establish access controls, protect resources, and respond promptly to incidents. 

By leveraging Netsurion Managed XDR, organizations can establish a robust cybersecurity framework that supports the EU GDPR requirements. This enables them to effectively manage risks, detect and respond to threats promptly, and enhance their overall cybersecurity posture. 

Using Netsurion Managed XDR to meet GDPR Requirements 

Conduct an information audit for EU personal data

Confirm that your organization needs to comply with the GDPR. First, determine what personal data you process and whether any of it belongs to people in the EU. If you do process such data, determine whether “the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.”

Netsurion Managed XDR supports this by:

Alerting when sensitive data is accessed and enforcing access and usage rights on PII (Personally Identifiable Information), whether it is at rest, in transit, received, handled, or shared. Additionally, Netsurion Open XDR delivers comprehensive audit trails that enable forensic data analysis, so that your organization knows “who” did “what”, “when”, and “how” with the data.

Inform your customers why you’re processing their data

Consent is only one of the legal bases that can justify your use of other people’s personal data. You can find the other “lawfulness of processing” justifications in GDPR Article 6. If you choose to process data on the basis of consent, however, there are extra duties involved. Finally, Article 12 requires you to provide clear and transparent information about your activities to your data subjects. This likely will mean updating your privacy policy.

Netsurion Managed XDR supports this by:

  • Automatically alerting whenever Personally Identifiable Information (PII) is received, handled, or shared in the form of an unstructured file (e.g. an email, Word or PDF document, Excel spreadsheet, or PowerPoint presentation).
  • Providing a content-, context-, and metadata-aware policy engine that identifies PII, alerts on user actions so the file can be classified according to policy, applies protective markings and labels to identify the information, and decreases corporate liability.

Assess your data processing activities and improve protection

A data protection impact assessment will help you understand the risks to the security and privacy of the data you process and decide how to mitigate those risks. Next, begin implementing data security practices, such as end-to-end encryption and organizational safeguards, to limit your exposure to data breaches. When beginning new projects, you must follow the principle of “data protection by design and by default.”

Netsurion Managed XDR supports this by:

  • Delivering a comprehensive audit trail that documents and traces any authorized and unauthorized access to confidential data.
  • Enabling enterprises to leverage Netsurion Open XDR to correlate events and generate dashboards, alarms, and reports, knowing in real time who is doing what, when, and how with classified information.
  • Detecting and alerting on sensitive data to help identify information requiring special handling, and allowing extra descriptors, customized tooltip text for each classification, or custom-configured text labels for each security classification to be added easily.

Make sure you have a data processing agreement with your vendors

You, as the data controller, will be held partly accountable for your third-party clients if they violate their GDPR obligations, so it is important to have a data processing agreement that establishes the rights and responsibilities of each party. This includes your email vendor, cloud storage provider, and any other subcontractor that handles personal data.

Netsurion Managed XDR supports this by:

  • Alerting users when sensitive data is leaving the organization, warning them or preventing them from sending data outside of the organization.
  • Delivering a way to control access to sensitive information across a myriad of third parties. Netsurion Open XDR applies protection to e-mails, documents, and any other file format, allowing sensitive information to be shared safely via any media.
  • Logging client and server-side events in a central database for audit trails and forensic analysis purposes.

Know what to do if there is a data breach

Articles 33 and 34 lay out your duties in the event that personal data is exposed, whether through a hack or any other kind of data breach. The use of strong encryption can mitigate your exposure to fines and reduce your notification obligations if there is a data breach.

Netsurion Managed XDR supports this by:

  • Delivering a comprehensive audit trail that documents and traces any authorized and unauthorized access to confidential data.
  • Enabling enterprises to leverage Netsurion Open XDR to correlate events and generate dashboards, alarms, and reports, knowing in real time who is doing what, when, and how with classified information.
  • Detecting and alerting on sensitive data to help identify information requiring special handling, and allowing extra descriptors, customized tooltip text for each classification, or custom-configured text labels for each security classification to be added easily.