The General Data Protection Regulation replaced the European Union's 1995 Data Protection Directive in May 2018, significantly changing the rules surrounding the protection of EU residents' personal data. The GDPR is much stricter than its predecessor, with greater scope of coverage, including companies outside the EU, as well as new data breach notification requirements and administrative fines. Although most GDPR requirements concern data management, data security is also a pillar of the GDPR: the law requires security of data processing, accounting for the state of the art.
The Palo Alto Networks® Security Operating Platform can help with organisations' security and data protection efforts related to GDPR compliance by assisting in securing personal data at the application, network, endpoint and cloud levels. It can also assist in understanding what data was compromised in the unfortunate instance of a breach, but first and foremost, it will help organisations prevent data breaches from happening at all.
The GDPR aims to provide Europeans with greater say in how their personal data is collected and managed, particularly in light of technological advances over the last 20 years. Under the GDPR, individuals have many rights, including access, rectification and erasure of personal data held on them – the so-called 'right to be forgotten' – and the right of data portability. The GDPR also introduces data breach notification requirements and large administrative fines of up to 4 per cent of companies' annual global turnover.
The GDPR applies to entities that control or process personal data on EU residents. 'Personal data' is defined in the law quite broadly. In general, it is data that identifies or can be used to contact a person, such as name, email address, date of birth or user ID; identifies a unique device potentially used by a single person, such as an IP address or unique device ID; or reflects or represents a person's behaviour or activity, such as location, applications downloaded, websites visited and so on.
The GDPR applies not only to entities established in the EU but also to entities established outside the EU if they offer goods or services to EU residents, or monitor the behaviour of EU residents that takes place within the EU. In practical terms, this means any provider of services that process EU residents' personal data must be compliant.
The GDPR represents a fundamental shift for personal data protection in the EU. It is much stricter than its predecessor, with greater scope of coverage, including companies outside the EU, as well as new data breach notification requirements and administrative fines.
The GDPR introduces mandatory breach notification requirements for personal data. Supervisory authorities must be informed, in most instances, if personal data is lost, stolen or otherwise compromised, without undue delay and, where feasible, not later than 72 hours after the data controller becomes aware of it. In certain cases, individuals must be notified as well. Notifications must describe a range of details about the breach, such as its nature, categories and number of personal data records concerned, likely consequences, and measures taken to address the breach and mitigate its effects.
Finally, the GDPR introduces administrative fines. The consequences of noncompliance, whether egregious or accidental, are severe: a potential maximum fine of 4 per cent of annual global revenue or 20 million euros – whichever is higher – for noncompliance with many of its collection, processing and administrative obligations, such as the requirement to get consent or various rules regarding data transfers to 'third countries'; and 2 per cent or 10 million euros – whichever is higher – for security and data breach notification-related obligations, amongst others.
The GDPR's data breach notification mandate, with potential resulting reputational harm, regulator investigations and significant administrative fines, has firmly placed personal data protection as a board-level concern.
The GDPR is likely to require substantial technology and personnel investments as well as business process changes for companies to come into compliance. The regulation will affect different groups within an organisation, including the legal department and chief information security officer, as well as business teams and product engineers that must implement 'privacy-by-design'.
It is important to note that the GDPR provides principles for the protection of data, such as transparency, accountability, lawfulness, right to be forgotten, privacy by design and so on, but it does not prescribe the exact technologies organisations must use to protect data. This sets a high bar for protection and requires the CISO and security teams to determine and apply the right approach to protect the information covered within the scope of the GDPR.
Cybersecurity is an essential investment to protect personal data and comply with the GDPR. Most GDPR requirements focus on data management, namely data collection and processing. There are obligations to provide notice when collecting personal data, prohibitions on unauthorised data processing, requirements to keep records of data processing, a duty to appoint a data protection officer in certain instances, and rules regarding transfer of personal data to third parties and countries, amongst others.
This should not, however, overshadow the fact that data security is also a pillar of the GDPR, which has specific security-related language, as described in Figure 1. Furthermore, a key component of protecting personal data is keeping it secure – both from exfiltration by cyber adversaries and from internal leakage. Thus, as they prepare for the GDPR, organisations' investments in compliance activities as well as information management processes and technologies must be complemented with appropriate investments in cybersecurity.
Summary of Relevant Provisions From the GDPR
Security of data processing
Organisations must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Those measures must account for the state of the art.
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
In assessing data security risk, consideration should be given to risks presented by personal data processing. Risks that should be considered include accidental or unlawful destruction, loss, alteration, and unauthorised disclosure of, or access to, personal data. [Recital, paragraph 83]
Data breach notification
Supervisory authorities must be notified if personal data is lost, stolen or otherwise compromised, unless the breach is unlikely to result in a relevant risk to the individual. Notification must happen without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. In certain cases, individuals must be notified. Notifications must describe a range of information about the breach, such as its nature, categories and number of personal data records concerned, likely consequences, measures taken to address the breach and mitigate its effects, and other items. [Articles 33 and 34]
Supervisory authorities are to impose administrative fines for GDPR infringements, on a case-by-case basis. When deciding whether to impose a fine and the amount, the authorities are directed to consider many factors, including the degree of responsibility in implementing technical and organisational measures, taking into account the state of the art as per Article 32. [Article 83]
Figure 1: Summary of relevant provisions from the GDPR
Palo Alto Networks can help with organisations' security and data protection efforts related to GDPR compliance by assisting with:
Many of our products have capabilities and features that meet these needs.
The GDPR requires security of data processing, accounting for the state of the art. The Security Operating Platform secures data at the application, network, endpoint and cloud levels.
Reducing cyber risk and protecting data, including personal data, requires integrated, automated and effective controls in place to detect and prevent known and unknown threats at every stage of the attack lifecycle. Built from the ground up for prevention, the Security Operating Platform allows organisations to confidently pursue a digital-first strategy as they implement key technology initiatives within the cloud and mobile networks to protect their most valued data assets from exfiltration by cybercriminals and accidental data leakage.
The Security Operating Platform combines network and endpoint security with threat intelligence to provide automated protection and prevent cyberattacks – not just detect them. Our platform natively brings together all key security functions, including firewall, URL filtering, IDS/IPS and advanced endpoint protection. Because these functions are built into the platform with prevention in mind and natively share essential information across their respective disciplines, our platform ensures better security than legacy firewalls and antivirus, UTMs, or point products. In short, better security supports better data protection.
The GDPR calls for technical and organisational security measures that account for the state of the art. Legacy security systems, made up of cobbled-together point products, have proven inadequate to prevent the rising volume, automation and sophistication of cyberattacks. CISOs should review these legacy products carefully to determine if they meet the state of the art.
The threat landscape is constantly evolving, and as such, state-of-the-art technology must evolve to prevent new threats. The Security Operating Platform combines network and endpoint security with threat intelligence to provide automated protection and prevent cyberattacks, not just detect them. Contrary to legacy point products, our platform takes advantage of the collective intelligence of thousands of customers, technology partners and researchers sharing threat information. We build technology that prevents attacks at the key tactical and strategic places where cyberattackers need to act to be successful, and we update our global customer base with the latest protections in as few as five minutes. As a matter of scope, we generate more than one million new preventive measures each week as we identify new, or 'zero-day', cyberthreats.
With our platform, organisations can safely enable the use of all applications critical to running their businesses, confidently pursue new technology initiatives, and protect the organisation from both basic and complicated, multifaceted cyberattacks. For CISOs who want to say they have accounted for the state of the art, Palo Alto Networks should be amongst the security elements considered.
Prevention of data breaches, whether they result from hacking or accidental leakage, is crucial for compliance with the GDPR. Proper cybersecurity is essential to ensure your organisation's personal and business-critical data and applications remain protected.
Our platform enables four key prevention techniques relevant to data security that simultaneously contribute to GDPR compliance:
These prevention techniques are powered by WildFire, the industry's most advanced analysis and prevention engine for highly evasive zero-day malware and exploits. The cloud-delivered service employs a multi-technique approach that combines dynamic and static analysis, innovative machine learning techniques and a groundbreaking bare metal analysis environment to detect and prevent even the most evasive threats. WildFire goes beyond legacy approaches used to detect unknown threats, bringing together the benefits of four independent techniques for high-fidelity and evasion-resistant discovery:
Together, these techniques allow WildFire to discover and prevent unknown malware and exploits with high efficacy and near-zero false positives.
The GDPR applies to any organisation that processes personal data on EU residents, regardless of where the organisation is physically located. For many large or multinational organisations, personal data processing might take place in multiple locations, all of which must be compliant. Panorama™ network security management empowers organisations with easy-to-implement, consolidated policy creation and management of our next-generation firewalls. With Panorama, you can implement both centralised and regional policy, and easily delegate to regional administrators as needed or preferred. The key is the flexibility to implement policies according to business needs and specific regional laws. For example, a Panorama administrator can enforce security policies for firewalls located in a branch in Singapore or Brazil, even though the regional administrators in those locations may be unaware of a compliance need to protect data subject to the GDPR.
Data breaches can result from data exfiltration or leakage, and our platform can contribute to preventing both. The Security Operating Platform meets each critical stage within the attack lifecycle with a defence model to prevent data exfiltration – from the initial perimeter breach attempt to delivering malware or exploiting the endpoint, all the way to lateral movement through the network and attempts at data exfiltration.
To maintain GDPR compliance, it's critical to prevent accidental data leakage or sharing by your internal and partner communities of users across the entire infrastructure. End users are amongst the most common risks, particularly when using software-as-a-service, or SaaS, applications. They are often untrained and unaware of the risks they bring, and their actions can result in accidental personal data leakage.
Our platform prevents data exfiltration and leakage in several ways:
In addition, Palo Alto Networks AutoFocus™ contextual threat intelligence service can ingest third-party threat intelligence sources and turn them into prevention across our security platform through our MineMeld™ threat intelligence syndication engine. Once indicators of compromise are collected, MineMeld can filter, deduplicate and consolidate metadata across all sources, allowing security teams to analyse a more actionable set of data, enriched from multiple sources, for easier enforcement.
In the unfortunate event of a personal data breach, the GDPR requires notification of supervisory authorities, unless the event is unlikely to result in risk to individuals' rights or freedom. Notification must include a range of information, including what data was affected and what measures were taken.
Our platform can help maintain compliance with this GDPR requirement in the event of a breach. For example, AutoFocus provides the analytics details needed for remediation, helping to understand who the user was, what the threat was, the impact and the level of risk. All of this can help with notification requirements.
In addition, the next-generation firewall can be used to educate users via custom notification pages. System administrators can add their desired education messages to the notification pages so that whenever an accidental data leak is prevented, the end user is served a relevant message. For example, the message can include a link to the corporate data policies and best practices. This helps with overall prevention as well as education efforts that support notification.
Palo Alto Networks® Next-Generation Firewall:
GlobalProtect™ network security for endpoints:
Panorama™ network security management:
Aperture™ SaaS security service:
Traps™ advanced endpoint protection:
Palo Alto Networks Threat Prevention service:
URL Filtering with PAN-DB:
WildFire® malware prevention service:
AutoFocus™ contextual threat intelligence service: