One year from today, the European Union’s General Data Protection Regulation (GDPR) comes into effect, bringing with it many strict requirements to protect user data and privacy. GDPR also requires organizations to be forthright about breaches when they occur. IBM expects its Resilient Incident Response Platform (IRP) to play a key role in this area.
“GDPR is a big beast and Resilient’s lens on this is focused on the privacy breach reporting aspects,” Ted Julian, vice president of product management and co-founder of IBM Resilient, told eWEEK.
Julian added that there are many different components to GDPR, including the ‘right to be forgotten’, which requires organizations to delete all information on a given user; that item is not part of what Resilient is doing. Instead, IBM Resilient is adding new capabilities to the Resilient Incident Response Platform specifically for GDPR, including a preparatory guide, a simulator and a privacy module.
“GDPR is just a particularly big update of something that we have been doing since Resilient started,” Julian said.
Resilient Systems was founded in September 2011 and was originally known as CO3 until the company changed its name in February 2015. The company was acquired by IBM in February 2016.
Julian said that Resilient has always included data about personally identifiable information (PII) as part of the incident response platform, though GDPR has many specific nuances that are being addressed with the new capabilities. The GDPR Preparatory Guide is a new capability for Resilient and is something that it hasn’t done before for other compliance efforts. With the GDPR Preparatory Guide, Julian said there is information and checklists for various GDPR requirements. The guide is tied to the overall Incident Response Platform, providing users with workflows to help make the requirements actionable.
Understanding what is required by GDPR is one thing; actually being prepared to handle a privacy breach notification under the GDPR regime is another. That’s where the new Resilient GDPR Simulation function comes into play, giving organizations the ability to work through a simulated event to ensure they are prepared.
“A best practice for organizations is to run a simulation every quarter to test out something that perhaps the organization doesn’t have regular experience with,” Julian said. “In doing so, gaps can be found and the process can be improved, so when a real breach occurs the organization can be prepared.”
The Resilient GDPR-Enhanced Privacy Module further extends the Incident Response Platform with specific rules for breach disclosure under GDPR. Julian said that different jurisdictions have long had various rules for when a breach needs to be publicly disclosed.
Julian explained that part of the value Resilient provides is mapping the breach disclosure regulations of a jurisdiction to the details of a specific incident. A user inputs the number of records that were lost in a data breach, the nature of the data and where the records were stored, and the Resilient system then determines whether or not disclosure is required. It’s also important to understand who needs to be notified in the event of a data breach, and that information is also part of the Resilient system.
Among the biggest risks associated with GDPR are the penalties for non-compliance, which can reach four percent of a company’s revenues. Though the risks associated with non-compliance are large, many organizations are still largely unaware of GDPR requirements.
According to a new study from the Data Protection Commissioner (DPC) conducted by Amárach Research, 59 percent of small and medium-sized organizations were unaware of the large-scale fines that could be imposed for non-compliance with GDPR. A study released by Varonis Systems today reported that 75 percent of organizations will struggle to meet GDPR regulations by the deadline, one year from today.