
White Paper

Quo Vadis GDPR?
The Dawn of New Data Accountability Principles

Situation overview
After years of debate, preparations, and efforts to align with the new digital transformation and its challenges, the GDPR (General Data
Protection Regulation) was finally approved by the EU Parliament on 14th of April, 2016. The regulation takes effect 20 days after its
publication in the EU Official Journal, and the actual date of enforcement is set for May 25th, 2018.
The fundamentals and key principles of the EU General Data Protection Regulation date back to 1995, when the Data Protection Directive
95/46/EC was enforced with the goal to harmonize the data privacy laws and regulations across Europe. However, the launch of the new
EU GDPR will come with changes to the regulatory policy to better reflect the current digital transformation that many organizations, and
society in general, are undergoing.
The changes bring additional responsibilities and obligations for companies, institutions, government bodies and other entities dealing
with personal data, but they also provide new rights for individuals, such as the right to obtain from the data controller confirmation as to
whether personal data concerning them is being processed, where and for what purpose.
This White Paper looks at the problems to be addressed by organizations dealing with high volumes of personal data, the internal
organizational challenges they will need to overcome on their path to becoming compliant, as well as the significant business and
technology processes required to meet the new obligations imposed by the GDPR.
This document also outlines how Bitdefender can help companies become compliant with GDPR, including a stepped approach to protect
against data loss, data theft and data breaches.

Implications for companies


The GDPR enforcement will have an important impact on businesses, as they will need to pay increased attention to the way they deal with
personal data. According to http://www.eugdpr.org/, the key points of the GDPR, as well as information on its impact on organizations,
are outlined below:

• Increased Territorial Scope (extra-territorial applicability) - Arguably the biggest change to the regulatory landscape
of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing personal data of
data subjects residing in the Union, regardless of the company’s location. Previously, territorial applicability of the directive was
ambiguous and referred to data processing ‘in context of an establishment’.

• Penalties - Organizations in breach of GDPR can be fined up to 4% of annual global turnover, or €20 million (whichever is
greater). These rules apply to both controllers and processors, meaning that ‘clouds’ will not be exempt from GDPR enforcement.

• Consent - The conditions for consent have been strengthened, and companies will no longer be able to use long, illegible
terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with
the purpose for data processing attached to that consent.
As mentioned previously, the EU General Data Protection Regulation also serves to strengthen the rights of the individuals whose personal
data is contained, hosted and processed by third-party suppliers. These rights include, but are not limited to:

• Breach Notification - Under the GDPR, breach notification will become mandatory in all member states where a data
breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first becoming
aware of the breach.

• Right to Access - Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to
obtain from the data controller confirmation as to whether personal data concerning them is being processed, where and for what
purpose.

• Data Portability - GDPR introduces data portability - the right for a data subject to receive the personal data concerning
them, which they have previously provided, in a ‘commonly used and machine readable format’ and the right to transmit that
data to another controller.

• Privacy by Design - Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal
requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the design of
a system, rather than as an addition.

• Data Protection Officers – For companies whose core activities consist of processing operations that require regular
and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions
and offences, the appointment of DPOs will be mandatory.

Confusion still persists among many companies


Recent IDC research shows that many organizations appear to have little or no understanding of the regulation or its scope, timeline or
impact, despite the risk of huge penalties of up to 4% of global turnover or €20 million (whichever is greater), as well as potential lawsuits,
suspension of personal data processing and damage to reputation.
This is surprising, mostly because of the potential consequences businesses will face in case of non-compliance. Nowadays, the costs of data
breaches appear to remain in the lower six-figure range, at least according to IDC’s survey.
Companies that have already started to prepare for compliance outlined the major challenges posed by GDPR, in their order of importance:

o Encryption and/or pseudonymization of data

o Data breach notification within 72 hours

o Data protection by design and by default

o Data portability

o Defining ‘state of art’ in processes and technologies


Despite these challenges, some organizations will use this opportunity to improve service and reputation, acknowledging that data
protection has become an increasingly important issue for staff, customers and suppliers.
As governance and accountability will be critical to effective GDPR compliance, the ultimate responsibility will sit at the top of the
organization, with significant involvement at board level. Businesses will need to risk-assess their data management systems, ensure that
individuals’ rights are protected by investing in appropriate systems and controls, check consents to understand what type of data they
can and cannot process, and ensure that a breach management process is in place.

Bitdefender response to GDPR


IDC recommends the following five-step approach on the journey to GDPR compliance, supported by an integrated data management platform
and a cross-functional data governance team.

• Understand the purpose and minimize personal data intakes

While many consulting companies recommend starting GDPR preparation with data mapping and data discovery, commencing
with such a laborious endeavor may significantly delay the overall GDPR project, especially when unstructured and dark data
come into consideration. IDC recommends starting by working out with business stakeholders which personal data intakes are vital
to the business, and working towards minimization of those intakes. This will significantly simplify the next step.

• Define your “state of art”

Define the procedural and technological controls you deem sufficient to protect personal data (see GDPR article 32). Pay special
attention to securing unstructured data, e.g. by encrypting it. Another area of attention is breach detection capability, including
detection of unauthorized or unusual access to personal data.

• Develop and thoroughly test the incident response process

Include partners and third parties (e.g. cloud service providers) in your incident response plans and tests. Keep in mind that
certain data breaches require notification of the data subjects in addition to Data Protection Authority (DPA) notification (see
GDPR article 34).

• Establish properly supported data governance

Data governance should result from the cooperation of business functions with Information, Data, and Security Architecture, facilitated
by the Data Protection Officer. When choosing technical and procedural controls, special attention should be paid to products
and services that improve the data security posture by introducing new or improved capabilities across multiple disciplines.
Increased visibility and central management are examples of such capabilities.

• Perform data mapping and data discovery activities

Conduct a data discovery to eliminate unused (dark) data that has been collected and to align the strength and efficiency of the
relevant data protection security controls. The main purpose of this activity is to ensure that none of the data collection and data
processing capabilities were missed in the initial intake minimization phase.

The second step of this approach refers to the use of the best technology at hand, within the affordable budget, in order to align with
the GDPR requirements.
Bitdefender is well-positioned to provide companies with the best technological tools that help them become GDPR compliant. Thus,
Bitdefender’s approach to protecting personal data consists of a four-step journey:

• Identify what Personal Data you store and process

• Evaluate what risks your data is exposed to

• Set procedural and technical controls to mitigate the risks

• Enhance visibility and the ability to detect and respond to incidents


Technology-wise, Bitdefender’s layered response helps companies become compliant with GDPR security requirements by offering
protection against data loss and data theft, including targeted attacks, and enhanced visibility into data breaches.

Protection against data loss – lost/stolen devices

Key facts: According to Verizon’s 2016 Data Breach Investigation Report (DBIR), 554 million data losses were recorded in the first half of
2016 alone. The report also revealed that this type of data breach is common for healthcare organizations, making up almost half (45%)
of healthcare data breaches, with many data losses resulting from lost or stolen devices.

Bitdefender’s response: GravityZone Full-Disk Encryption


GravityZone Full Disk Encryption leverages the encryption mechanisms provided by Windows (BitLocker) and Mac (FileVault), taking
advantage of the native device encryption to ensure compatibility and performance. There is no additional agent to deploy and no key
management server to install. The solution provides:

• Encryption management from the same cloud or on-premise console used for endpoint protection

• Native encryption for Windows (BitLocker) and Mac (FileVault), avoiding performance issues, with no new agent required

• Simple deployment of Full Disk Encryption to endpoints and management of restore keys from the console

• Encryption-specific reports that help companies demonstrate compliance

• Pre-boot authentication enforcement
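The controls in the list above (native BitLocker encryption, pre-boot authentication, a recoverable "restore" key) can be verified on a Windows endpoint with the built-in BitLocker PowerShell module. The script below is an added example, not Bitdefender's or GravityZone's own code: it audits the OS volume and reports which of those controls are in place. The policy it checks against (TPM+PIN as the pre-boot protector, a RecoveryPassword protector as the escrowed restore key) is an assumption for the example, not a product setting from the paper.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the OS volume's BitLocker state against the
# full-disk-encryption controls described in the paper.
# Requires the BitLocker module (Windows 8 / Server 2012 and later) and an elevated prompt.
Import-Module BitLocker -ErrorAction Stop

function Test-EndpointDiskEncryption {
    param(
        # Drive letter of the volume to audit; defaults to the system drive.
        [string]$MountPoint = $env:SystemDrive
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # Key protector types as strings, e.g. Tpm, TpmPin, RecoveryPassword.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $result = [ordered]@{
        MountPoint          = $MountPoint
        # Native encryption finished and protection currently enforced.
        FullyEncrypted      = ($vol.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn        = ($vol.ProtectionStatus -eq 'On')
        # Pre-boot authentication (assumed policy): TPM plus PIN, with or without a startup key.
        PreBootAuth         = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
        # Restore key (assumed policy): a numerical recovery password that can be escrowed centrally.
        RecoveryPasswordSet = [bool]($types -contains 'RecoveryPassword')
    }
    $result.Compliant = $result.FullyEncrypted -and $result.ProtectionOn -and
                        $result.PreBootAuth -and $result.RecoveryPasswordSet
    [pscustomobject]$result
}

# Run the audit; a non-zero exit code lets a compliance job flag the endpoint.
$audit = Test-EndpointDiskEncryption
$audit | Format-List
if (-not $audit.Compliant) { exit 1 }
```

The function returns an object rather than printing, so the same check can be collected from many endpoints and summarised into the kind of encryption compliance report the paper mentions; the exit code is only a convenience for scheduled runs.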

Protection against data theft – targeted attacks

Key facts: According to the same Verizon report, there were 1,616 social attacks in 2016, approximately half (828) of which had confirmed
data disclosure. In 95 percent of cases, attackers followed up a successful phish with software installation. That’s to be expected, given
most social attackers’ motivations and targets. Two-thirds of these actors chase financial gain, whereas a third are in it to conduct
espionage. Both these motives involve the theft of credentials, personal information, and trade secrets.
Bitdefender’s response: Bitdefender’s layered next-gen endpoint protection platform is designed and built from the ground up to protect
against elusive, advanced targeted attacks. Several layers of security provide protection at pre-execution (HyperDetect, Sandbox
Analyzer) and on-execution (Advanced Anti-exploit and Application Control), along with a breakthrough technology for datacenter-specific
protection (HVI - Hypervisor Introspection).

HyperDetect

• It offers prevention at pre-execution
• It leverages machine learning + advanced heuristics
• It provides options for blocking or monitoring mode
• It stops sophisticated threats (PowerShell, file-less attacks, shelter attacks, unknown ransomware)
• It provides maximum detection accuracy without false positives
• It offers flexible settings to optimize aggressive protection with low false positives

Sandbox Analyzer

• It offers automatic submission of suspicious files from endpoints for sandbox analysis
• It delivers a verdict in real-time
• It provides insight into the behavior of unknown files
• It assures enterprise-wide protection
• It delivers full visibility into suspicious activities

Anti-exploit

• It protects commonly used Microsoft and third-party applications
• It focuses on attack tools and techniques
• It serves as an additional layer of security for unpatched known and zero-day vulnerabilities
• It works out of the box and is designed for precision

Application Control

• It validates applications that run on the endpoint
• It helps stop ransomware, advanced targeted attacks and zero-day malware

Enhanced visibility on data breaches

Key facts: A study carried out in 2017 by Ponemon Institute on the cost of data breaches showed that the average time to identify a data
breach is 191 days, and the average time to contain the breach is 66 days. In the case of Equifax, the data breach occurred from mid-
May to July 2017, was discovered at the end of July and was publicly disclosed in early September.
Bitdefender’s response: Visibility is key to tackling insider threats and data breaches. If discovered early enough, the efforts and related
costs required to respond to and mitigate internal threats resulting from data breaches could be substantially reduced. Bitdefender’s
layered next-gen endpoint protection platform was built from the ground up based on the principle of adaptive security, which means that,
besides prediction, prevention and detection technologies, the security suite includes dedicated visibility tools such as Endpoint Security
HD Insight and Security Analytics for EDR.

Endpoint Security HD Insight

• It allows for remote detonation (Sandbox)
• It provides better context on threats
• It connects threats with threat actions
• It offers enhanced endpoint optics for further analysis
• It exposes suspicious threats (HD reports)

Security Analytics (planned for EDR)

• It detects spikes in malware activity
• It detects botnet/C&C connections
• It detects suspicious file downloads (targeted attacks)
• It detects suspicious process execution (file-less attacks) and further actions
• It detects anomalous application/system behavior (data exfiltration & lateral movement)
• It detects insider threats (malicious user/compromised user account)

Synopsis
GDPR has become a reality, and soon all companies will need to implement the necessary measures to become compliant. The process
itself is complex, involving several steps such as an assessment and gap analysis of data privacy maturity, a detailed roadmap to
address the new legislative requirements, a comprehensive plan for security testing, audit and process evaluation, and a continuous
communication loop for constant compliance and improvement.
Amid all these initiatives, companies will need to invest in technology as the main facilitator to achieve compliance. GDPR calls for
defining the state-of-the-art technology attributes for managing structured and unstructured data, with a strong focus on data protection
and privacy.
Through its integrated, layered next-gen security solution, Bitdefender is perfectly positioned to help companies become compliant by
offering a set of technologies that seamlessly responds to the most rigorous GDPR requirements.


Bitdefender is a global security technology company that delivers solutions in more than 100 countries through a network of value-added alliances, distributors and
reseller partners. Since 2001, Bitdefender has consistently produced award-winning business and consumer security technology, and is a leading security provider in
virtualization and cloud technologies. Through R&D, alliances and partnership teams, Bitdefender has elevated the highest standards of security excellence in both its
number-one-ranked technology and its strategic alliances with the world’s leading virtualization and cloud technology providers. More information is available at
http://www.bitdefender.com/

All Rights Reserved. © 2017 Bitdefender. All trademarks, trade names, and products referenced herein are property of their respective owners.
FOR MORE INFORMATION VISIT: enterprise.bitdefender.com
