It has been nearly 3-months since GDPR went into effect. In some ways the impact has been notable for everyone as we have all seen a ton of “privacy policy” notifications to agree to. What may not be as noticeable is its impact on Security Operations Manange Service Providers. These businesses are designed to aggregate customer data from hundreds, even thousands, of companies and organizations respectively and monitor their data for indications of a cyberattack or security breach. There are few managed services that need to understand the impact of GDPR on their business as much as those that are Security Operations focused.
Data Movement across Geographies
Perhaps the single largest impact GDPR will have on MSSPs is the rules regarding movement of data – especially for U.S. based MSSPs with European customers. While GDPR does not prevent moving personal data out of Europe, there are significant certifications and requirements to do so. So much so, that MSSPs are likely better-off opening a SOC in Europe and keeping the data on-continent. Doing so both decreases the regulatory requirements and increases the appeal for European companies to do business with you.
However, even setting up a SOC in Europe is not without its headaches. While GDPR is concerned about Europe as a whole, individual countries also have their own privacy protections in addition to GDPR. Germany is known to have some of the strictest privacy laws out there, for example. Doing your due diligence as to which country in which you should build your SOC will prevent difficulties and increased costs later on.
72 Hour Breach Disclosure
GDPR requires that data breaches be disclosed with 72 hours of discovery. This poses significant challenges for information security teams due to the time it takes to both validate and investigate an incident. It can take quite a while to understand the scope and depth of a breach. While this requirement does increase the immediate workload in order to become and stay compliant, smart companies will create policies and build repeatable processes and procedures for quickly and accurately validating and scoping an incident. Some key procedures include:
- Incident Response Plan
- Incident investigation procedures
- Rapid log querying and pulling, with advanced search capability
- Creating and maintaining an asset and application inventory
- Communication flows and thresholds between the SOC and customer (both internal SOC and MSSP)
Designated Data Protection Officer
Traditionally, MSSPs have had little need to have a privacy / data protection officer or even regulation that they needed to adhere to aside from standard security certifications (PCI, SOC2, etc), however with GDPR MSSPs need to certify that they are compliant and properly storing and handling personal data. MSSPs will also need to designate a Data Protection Officer (DPO) to oversee compliance.
The DPO is responsible for:
- Informing management and employees of their privacy obligations
- Overseeing impact and compliance assessments
- Monitoring ongoing compliance and data protection procedures
- Being the privacy point of contact for the organization, customers, and regulators
The DPO can be an existing, dual-hatted individual, however, it is likely that it will require a full-time employee depending on the amount of data being processed and stored and size of the organization. On top of that becoming and maintaining compliance to GDPR increases costs considerably and violation of the regulation is likely to be even more expensive. Thus it is important to not just designate a Data Protection Officer, but give that individual a budget and empower him/her to make a real impact. Such a strategy may cost a little more in the short-term, but could save the company considerable money and pain in the future.
Conclusion
While GDPR is another layer of regulation and even bureaucracy levied on MSSPs, it is here to stay. All worthwhile MSSPs should already be taking the privacy and protection of their customer’s data very seriously as it is. Rather than feeling burdened or frustrated with the required adjustments, if we view it as an opportunity to improve our processes and procedures and look for ways to use GDPR as a strategic advantage, the added costs will be worth it and will ultimately not just protect the privacy of European persons, but your company as well.
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.
