The General Data Protection Regulation (GDPR) will officially go into effect on May 25, 2018 and will permanently change how every organization collects, stores, and uses personal data. Surprisingly, a recent study shows that over 80% of businesses don’t know the details or anything at all relating to the GDPR! Furthermore, roughly 97% of companies don’t even have a plan in place for when the GDPR takes effect.
What is GDPR?
This regulation will be implemented in all local privacy laws across the entire EU, and it will apply to all companies selling to and storing personal information about European citizens, including companies on other continents. Essentially, the GDPR is intended to provide citizens of the EU and EEA with greater control over, and security for, their personal data.
The GDPR directive states that personal data is any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.
The GDPR applies to all organizations established in the EU, and organizations established outside the EU will also be subject to it. The financial implications for those who do not comply with the GDPR are quite severe. Under the GDPR, lower-level fines and penalties can be up to €10 million, or 2% of the annual global revenue of the prior financial year, whichever is higher. Higher-level fines can be up to €20 million, or 4% of the annual global revenue of the prior financial year, whichever is higher.
What is the GDPR’s impact on network monitoring and security?
Essentially, network traffic frequently includes data that could be considered private, such as one’s credit card information. One can assume that most data center operators have the right tools to monitor and secure their network, but one can never be certain. They still run the risk of being non-compliant in the event that their infrastructure receives the private data of EU citizens. So how is an organization supposed to remain GDPR compliant without compromising their security or network visibility? This can be especially challenging if your data center processes data from various regions and deploys multiple tools to do this.
It’s imperative that NetOps and SecOps are fully aware that data in their network may have traversed, and may still be traversing, different countries. Therefore, there needs to be a clear understanding of where the data gets stored and where it is sent.
How is cPacket compliant with GDPR?
cPacket’s solution provides beneficial features and functionalities to control access to network traffic as it traverses multiple environments, both within the datacenter and across geo-political regions.
To fully comply with the GDPR requirements and as a part of the security policies that govern our customers, cPacket adheres to strict security standards. Some of these policies (not exhaustive) are listed below:
- Physical safeguards: Data containing personal information is guarded via locked doors, locked file cabinets, controlled access to our facilities, and secure destruction of media containing any personal information.
- Technology safeguards: cPacket uses anti-virus and encryption software, as well as continuous monitoring of all our systems and data centers to ensure compliance with our security policies. We also complete periodic external vulnerability scans and an annual gap/risk assessment.
- Organizational safeguards: We regularly hold training and awareness programs on security and privacy to ensure that all employees understand the importance and means by which they must protect personal data. These training and awareness programs also cover topics on privacy policies and policy standards that govern how cPacket treats personal information.
cPacket’s solutions give administrators powerful and flexible options to create role-based access controls that determine, on a per-user basis, which users have access to packet traffic and from which links that access is permitted, if any. This first level of access control governs who in the organization can access packets in the network.
To ensure sensitive portions of a packet are not exposed, several options are available. Administrators can configure simple packet slicing that removes the payload from packets at certain predefined or user-defined offsets. This policy can be enforced on a port level or on a port group. An administrator can also configure Smart Filters to select packets that match specific IP addresses, ports, protocols, or other patterns in the header or anywhere in the payload. Additionally, a unique and powerful feature called ‘Special Action Filter’ can be enabled to ensure granular traffic pruning for performance monitoring and network troubleshooting needs. This feature ties into cPacket’s Smart Filter technology, which allows full packet inspection of every byte in every packet, in both the header and the payload, at wire speed. This Dynamic Truncation, covered in a separate blog post, is an easier and more powerful feature than simple packet slicing at fixed offsets. In short, dynamic truncation removes TCP or UDP payloads while leaving the headers intact. This is ideal for removing Personally Identifiable Information (PII) for GDPR, or for other compliance purposes in finance and/or healthcare.
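The difference between fixed-offset packet slicing and dynamic truncation, shown as an added example that is not cPacket's own code or a description of how its products implement the feature. It assumes Ethernet II frames carrying IPv4 with TCP or UDP, reads the actual IP header length (IHL) and TCP data offset from each packet, and cuts exactly where the transport payload begins. The frames and the card-number-like payload are constructed inline for the demonstration; the `build_frame` helper exists only to produce them.

```python
"""
Dynamic payload truncation vs. fixed-offset packet slicing.

Added example (not cPacket's code). Strips the TCP/UDP payload from an
Ethernet/IPv4 frame while keeping every header byte (including IP and TCP
options) by reading the variable header lengths from the packet itself,
instead of cutting at a fixed byte offset. All frames are constructed here.
"""
import struct
from typing import Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def build_frame(payload: bytes, proto: int = PROTO_TCP,
                ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Construct a demo Ethernet/IPv4/{TCP,UDP} frame (checksums left zero,
    dummy MACs and private addresses). Options must be 4-byte aligned."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    if proto == PROTO_TCP:
        data_offset_words = 5 + len(tcp_options) // 4
        l4 = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1,
                         data_offset_words << 4, 0x18, 65535, 0, 0) + tcp_options
    else:
        l4 = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    l4 += payload
    ihl_words = 5 + len(ip_options) // 4
    total_len = ihl_words * 4 + len(l4)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                     1, 0x4000, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def l4_payload_offset(frame: bytes) -> Optional[int]:
    """Return the offset at which the TCP/UDP payload begins, or None when the
    frame is not IPv4 over TCP/UDP (such frames are passed through untouched).
    Note: non-first IP fragments carry no transport header; they are rejected
    here because their 'payload' would be misparsed as a header."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip_start = ETH_HDR_LEN
    ihl = (frame[ip_start] & 0x0F) * 4            # IHL is in 32-bit words
    if ihl < 20 or len(frame) < ip_start + ihl:
        return None
    frag_offset = struct.unpack("!H", frame[ip_start + 6:ip_start + 8])[0] & 0x1FFF
    if frag_offset != 0:
        return None
    proto = frame[ip_start + 9]
    l4_start = ip_start + ihl
    if proto == PROTO_TCP:
        if len(frame) < l4_start + 20:
            return None
        data_offset = (frame[l4_start + 12] >> 4) * 4   # also 32-bit words
        return l4_start + data_offset if data_offset >= 20 else None
    if proto == PROTO_UDP:
        return l4_start + 8
    return None


def dynamic_truncate(frame: bytes) -> bytes:
    """Remove the TCP/UDP payload but keep every header byte, options included.
    The IP total-length field is left as-is; capture formats record the
    original length separately from the captured length."""
    off = l4_payload_offset(frame)
    return frame if off is None else frame[:off]


def fixed_slice(frame: bytes, offset: int = 54) -> bytes:
    """Naive slicing at a fixed offset (Ethernet 14 + IPv4 20 + TCP 20 = 54)."""
    return frame[:offset]


if __name__ == "__main__":
    card = b"4111-1111-1111-1111 exp 12/24"          # constructed sample PII
    cases = {
        "tcp, no options": build_frame(card),
        "tcp, ip+tcp options": build_frame(card, ip_options=b"\x01" * 4,
                                           tcp_options=b"\x01" * 12),
        "udp": build_frame(card, proto=PROTO_UDP),
    }
    for name, frame in cases.items():
        dyn, fix = dynamic_truncate(frame), fixed_slice(frame)
        print(f"{name:22s} dynamic={len(dyn):3d}B  fixed={len(fix):3d}B  "
              f"PII left by fixed slice: {card[:12] in fix}  "
              f"headers cut by fixed slice: {len(fix) < l4_payload_offset(frame)}")
```

Running it shows the two ways a fixed offset goes wrong: a UDP datagram's payload starts at byte 42, so slicing at 54 keeps twelve bytes of the card number, while a TCP segment with IP and TCP options has its payload start at byte 70, so slicing at 54 discards header bytes the monitoring tool needs. The header-aware cut keeps exactly the headers in both cases.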
Clearly, cPacket’s solutions provide a plethora of features that can ensure data privacy while remaining compliant. However, even when an organization is armed with the right tools and solutions, the onus remains on NetOps/SecOps engineers, who must be aware of data protection and privacy requirements and their implications.
The implementation of GDPR may be challenging, but by leveraging cPacket’s monitoring and security solutions, rest assured that your organization will be fully compliant with these new privacy and data regulations.
Ready to partner with cPacket? Contact us for more information.