GDPR: Putting your IT infrastructure in order

The aim of GDPR is to give people more control over, and the assurance of greater security for, their personal data. In addition, its intention is to simplify the regulatory environment for businesses internationally. It means that businesses will have to put the correct safeguards in place to better protect personal data – whether it is their employees’ or their customers’. With the rapid accumulation of personal data from cloud computing, the Internet of Things (IoT) and social networking, properly safeguarding personal data has become a non-negotiable aspect of modern business.

As such, businesses must have the right capabilities in place in order to achieve full compliance. However, as many businesses have found out so far, it’s no small feat.

Getting your data secured before GDPR comes into play is crucial to avoiding fines which could cripple an organisation. For companies that don’t have visibility into what is going in and coming out of their network, the challenge lies in creating that visibility in real-time, in the most autonomous way possible.

A bumpy road ahead

With new legislation comes a whole new set of challenges. The IT and technology sectors have long struggled to overcome a persistent skills shortage and, as the compliance deadline approaches, there are also rising concerns over the cost involved.

Organisations will need to shift their IT infrastructure to enable effective network monitoring, and encrypt personal data to ensure ongoing confidentiality, assessment and evaluation. As daunting as it may seem, the sooner that these new processes and structures are in place, the easier the transition between a pre-GDPR and post-GDPR world will be.

While some organisations may feel unable to cope with these new regulations, the hope is that GDPR may actually reduce legal complexity and ultimately enable businesses to expand operations across the European Union more easily.

It’s not if, it’s when

Complying with GDPR requires organisations to put the appropriate technologies, IT infrastructure and processes in place, to create robust systems that provide data protection, system assurance, breach notification, and the supporting details.

It’s not a case of if your organisation experiences a breach, but when. It is up to management and your IT teams to ensure it is ready.

While it may well fall under the responsibility of the IT, security and compliance team, the onus of GDPR compliance needs to be recognised across the board. In case of a breach, playing the ‘blame game’ will not only dismiss the seriousness of the situation, but also damage the corporate reputation and employees’ respect. Trust is easily lost, so companies need to rectify the incident quickly and efficiently. Organisations that can show how they comply with the principles – for example, by documenting the decisions they take about a processing activity – will have a better chance to remediate any loss or damages.

Detecting the weak signals of anomalous cyber behaviour inside the network requires real-time detection, and a robust system of behavioural analysis to highlight anything outside of what can be considered ‘normal’ behaviour.

While GDPR requires that ‘appropriate technical measures’ are taken to protect and manage the processing of personal data, using artificial intelligence (AI) can help organisations build that architecture and enable them to operate their GDPR solution at speed and scale.

Leveraging artificial intelligence to find hidden threats

AI enables automation which helps to enforce data handling standards by alerting cybersecurity staff when data is transferred between parties in a manner that violates or is not consistent with established practices.

After analysing, learning and understanding standard network behaviour, AI monitors for the anomalous movement of data between hosts, including the volume and frequency of data movement, in the relentless hunt for hidden threats.

When threats are detected, the AI can then provide insight into the host transmitting the data, including where it is transmitting the data, the volume of data involved and any specific technique used to send it.

Adopting a behavioural approach to detection supports the GDPR-recommended use of data encryption and pseudonymisation (data protection by design) by focusing on network packet headers, cadence, frequency and volume, not the data payload, to negate the need for any form of data decryption, data routing or intrusive data monitoring/processing techniques. Encrypted traffic is no longer somewhere for bad actors to hide their work.
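The three preceding paragraphs describe one detection technique: learn each host's normal pattern of data movement from header-level metadata (who sends to whom, how often, how many bytes) and alert on hours whose volume, flow count or destinations fall outside that baseline, without touching the payload. The following Python is an added example written for this article; it is not code from the article or from Vectra. The flow records, host names and destinations are constructed, the learning/watch windows are hour buckets, and the median-plus-MAD threshold with a floor for flat baselines is an assumption chosen to illustrate the idea, not a description of any vendor's algorithm.

```python
"""Per-host egress baselining over flow metadata only (no payload inspection).

A flow record is (host, dst, hour, bytes_out). Because only header-level
facts are used, the same logic applies unchanged to encrypted traffic.
"""
from collections import defaultdict
from statistics import median


def build_sample_flows():
    """Constructed sample telemetry for the example; not real data."""
    flows = []
    # ws-01: six learning hours of three modest flows to its usual SaaS endpoint
    learn_sizes = [[300, 300, 300], [400, 400, 300], [400, 300, 300],
                   [350, 300, 300], [350, 350, 350], [400, 300, 300]]
    for hour, sizes in enumerate(learn_sizes):
        for size in sizes:
            flows.append(("ws-01", "saas.example", hour, size))
    # hour 6: one large transfer to a destination never seen while learning
    flows.append(("ws-01", "203.0.113.9", 6, 40000))
    # hour 7: normal total volume but split into many small flows
    flows.extend(("ws-01", "saas.example", 7, 20) for _ in range(50))
    # hour 8: back to normal
    flows.extend(("ws-01", "saas.example", 8, s) for s in (400, 300, 300))
    # ws-02: a flat baseline (identical hours) that stays flat under watch
    for hour in range(8):
        sizes = (600, 500) if hour == 6 else (500, 500)
        flows.extend(("ws-02", "mail.example", hour, s) for s in sizes)
    # ws-03: appears only during the watch window, so it has no baseline
    flows.append(("ws-03", "saas.example", 6, 500))
    return flows


def aggregate(flows):
    """Collapse flows into per-(host, hour) metadata: bytes, flow count, destinations."""
    agg = defaultdict(lambda: {"bytes": 0, "count": 0, "dsts": set()})
    for host, dst, hour, size in flows:
        bucket = agg[(host, hour)]
        bucket["bytes"] += size
        bucket["count"] += 1
        bucket["dsts"].add(dst)
    return agg


def robust_threshold(values, k=5.0):
    """median + k * MAD. The MAD is floored so a perfectly flat baseline
    (MAD == 0) still yields a usable band instead of alerting on any change."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    mad = max(mad, 0.05 * med, 1.0)
    return med + k * mad


def learn_baselines(agg, learn_hours, k=5.0):
    """Per host: byte and flow-count thresholds plus destinations seen while learning."""
    observed = defaultdict(lambda: {"bytes": [], "count": [], "dsts": set()})
    for (host, hour), bucket in agg.items():
        if hour in learn_hours:
            observed[host]["bytes"].append(bucket["bytes"])
            observed[host]["count"].append(bucket["count"])
            observed[host]["dsts"] |= bucket["dsts"]
    return {
        host: {
            "bytes_max": robust_threshold(obs["bytes"], k),
            "count_max": robust_threshold(obs["count"], k),
            "dsts": obs["dsts"],
        }
        for host, obs in observed.items()
    }


def detect(flows, learn_hours, watch_hours, k=5.0):
    """Return (host, hour, reason) alerts for watch-window hours outside the baseline."""
    agg = aggregate(flows)
    baselines = learn_baselines(agg, learn_hours, k)
    alerts = []
    for (host, hour), bucket in sorted(agg.items()):
        if hour not in watch_hours:
            continue
        base = baselines.get(host)
        if base is None:
            alerts.append((host, hour, "no_baseline"))  # unknown host: surface, don't guess
            continue
        if bucket["bytes"] > base["bytes_max"]:
            alerts.append((host, hour, "volume"))
        if bucket["count"] > base["count_max"]:
            alerts.append((host, hour, "frequency"))
        if bucket["dsts"] - base["dsts"]:
            alerts.append((host, hour, "new_destination"))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample_flows(), range(0, 6), range(6, 9)):
        print(alert)
```

The two things a practitioner should take from this sketch are in the edge cases: a host with no learning history is reported as such rather than silently skipped, and a baseline with zero spread gets a floor so that routine jitter is not flagged. In a real deployment the buckets would come from NetFlow/IPFIX or similar flow exports and the learning window would be days or weeks, not six hours.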

Speedy data breach detection and remediation

AI threat detection algorithms persistently listen, learn and watch network traffic to quickly spot hidden cyber-attacks that have defeated or evaded defensive capabilities.

Deploying AI-based monitoring and detection within the network also provides a means to validate and strengthen the effectiveness of perimeter defences. By highlighting, in real time, threats that have evaded detection or beaten existing systems, organisations can quickly detect and address any anomalies or potential breaches.

By Matt Walmsley, Director of EMEA at Vectra Networks
