General Data Protection Regulation (GDPR) Compliance Automation
Countries and regions around the world are adopting data protection regulations to protect their citizens, and the General Data Protection Regulation (GDPR) is the most prominent example of this trend. The European Union (EU) has issued legislation that establishes the right to privacy of personal data while preserving breach security and incident response objectives. From the first iteration of its Articles, the rules immediately affect any business that processes EU personal data, through enforcement of data subject rights and fines for non-compliance. GDPR replaces the Data Protection Directive 96/46 previously enforced by EU countries. To empower the Data Protection Officer (DPO), a new role that GDPR requires, the organization needs to revamp its security standards, policies, and procedures so that the rights of the data subject are built into each of them. LogRhythm has integrated our SIEM technology, advanced analytics, and real-time alarms to assist the organization and the DPO in pursuing GDPR compliance.
GDPR Specific Terminology
| Term | Definition |
|---|---|
| Automated Decision Making | The predictive processing or strategic analysis of personal data to anticipate a subject's behaviour (profiling) |
| Breach Notification | The specific reporting requirements for a breach: the Supervisory Authority must be notified without undue delay, and no later than 72 hours after the organization becomes aware of the breach. Communication of the breach to the Data Subject is required if the anticipated impact may result in a high risk to the rights and freedoms of the natural person. The notification should also include the required breach information and the appropriate remediation actions to be taken |
| Binding Corporate Rules (BCRs) | Personal data protection policies, established by the Member State around the transfer of personal data, to be adhered to by Data Controllers or Processors |
| Data Controller | The organization that defines the scope, purpose, and methods of processing personal data |
| Data Processor | The organization that undertakes processing as contracted by the Data Controller |
| Data Protection Authority | The national authority tasked with the protection of data and privacy through monitoring and enforcement of the regulations established within the EU |
| Data Protection Impact Assessment | A risk-based assessment methodology for identifying an organization's systems and business processes that may be exposed to risk in the absence of mitigating controls |
| Data Protection Officer | A new role for an individual appointed within the organization to independently ensure adherence to the policies and procedures set forth by GDPR |
| Data Subject | A natural person whose personal data is being processed by a data controller or processor |
| Privacy Impact Assessment | An analysis tool for assessing an organization's exposure to privacy risks, based on its processing of personal data and the policies put in place to protect that data |
| Pseudonymization | A procedure in which most identifying fields within a data record are replaced by one or more artificial identifiers |
| Right to Access | The data subject's right to access or receive information about the personal data that a data controller or processor is using (Subject Access Rights) |
| Right to Rectify | The data subject's right to have inaccurate personal data corrected without undue delay by the data controller or processor |