Print this page
Sunday, 05 May 2019 12:26

FireEye Statement on the one-year anniversary of GDPR

Written by David Grout

David Grout, EMEA CTO, FireEye


Since adoption a year ago, the EU General Data Protection Regulation (GDPR) has changed the security landscape significantly. The regulation has allowed organizations to increase their security maturity and we have clearly seen an increase in breach notifications and have noticed a more open discourse of these topics, which were previously often "taboo" and poorly documented. When it comes to the Middle East, many of the organizations here have adopted their cyber security strategies to align with international standards. I believe regional firms also have a greater understanding of the importance of security governance and take it much more seriously than before.

When it comes to communication around data breaches since adoption, enterprise organizations have become much more transparent, including being more open to discussing breaches and notifications that were previously considered off-limits. In the documentation, organizations are now challenged to alter how they are handling data. They have had to transform from solely collecting masses of data to now learning how to manipulate that data into a way it can be properly documented.

Despite GDPR being generally well-grasped and understood, there are still challenges. For example, the human capital challenge. This is not a new issue to the cybersecurity field, but a heightened one now with the implementation of GDPR. Organizations must now appoint a Data Protection Official (DPO) and those DPOs really needs a team under them to manage the requirements of GDPR.

There’s also more to be done. I would like to see further clarification when it comes to Article 33 of the GDPR legislation which requires 72 hours notification time of any breach. The article needs a definition about what specifically requires a notification. For example, getting an alert about a potential breach is not the same as an incident, and both have different reporting requirements. This needs to be

Related items