PREPARING FOR

THE GENERAL DATA

PROTECTION REGULATION
(GDPR)

WHITE PAPER
WHITE PAPER: PREPARING FOR THE GENERAL DATA PROTECTION REGULATION (GDPR)

TABLE OF CONTENTS

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Individual Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Accountability and Governance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Breach Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Network Security Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

The Fortinet Solution Security by Design . . . . . . . . . . . . . . . . . . . . . . . 6

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2
 WHITE PAPER: PREPARING FOR THE GENERAL DATA PROTECTION REGULATION (GDPR)

PREPARING FOR THE

GENERAL DATA PROTECTION REGULATION
(GDPR)

The General Data Protection Regulation

(GDPR) is the European Unions response to the
INTRODUCTION massively increased role that technology now plays
in everyday life. GDPR was ratified by member
WHAT IS GDPR? states in April, 2016 and goes into effect on
The continuing digitization and globalization of our economy is becoming May 25, 2018. Although an EU regulation, it
increasingly reliant on the control and processing of personal data. And also applies to any organization regardless of their
while this presents enormous opportunities for business, it accompanies a physical location if they are collecting personal data
growing public awareness and concern for the importance of personal data of EU residents.
protection. The objective of the new regulation is to
ensure that adequate data protection is
According to a recent global survey by KPMG International, more than half
incorporated into the process of collecting
(55%) of consumers said they had abandoned online purchases due to
personal data by default and by design.
privacy concerns. The survey also found that less than 10% of respondents
This starts with collecting only the minimum amount
currently felt they had control over the way organizations handle and use their
of data needed for a specific purpose and when
personal data.
it is no longer needed the data is erased. Another
The European Unions General Data Protection Regulation (GDPR) is a important aspect of GDPR is that the data subject,
response to this concern. Acknowledging the value of such data, the the source of the personal data, is the owner of their
regulation imposes a cost to its collection, storage and usage by holding personal data. As the owner, the data subject must
organizations accountable for its protection and forcing them to return control be able to withdraw their consent to the collection of
and ownership to the individual. the data as easily as it was to give permission. The
data subject also has the Right To Be Forgotten
In contrast to the existing data protection directive 95/46/EC, which was
(RTBF) and to take their personal data with them.
translated into individual national laws, GDPR is a single regulation to
strengthen, unify, and enforce personal data protection across the EU. With GDPR also sets out the conditions of when
more stringent criteria, additional obligations, and higher non-compliance notification must be made in the case of a data
penalties (up to 4% of worldwide turnover or 20M Euros, whichever is breach and sets out two levels of penalties
greater), both the effort of attaining compliance and the risks associated depending upon the severity of the breach.
with non-compliance, will undoubtedly increase with GDPR. The good Due to the rapid change in technology, GDPR also
news is that it will, for the most part, be a consolidated effort covering an places the burden of continuous risk assessment
organizations data protection responsibilities across all EU member states. on the collecting organization data controller - and
requires that any outside organization processing
data data processor be GDPR compliant.
1
Legislators have provided local governments the ability to add or adapt provisions
to fit local data protection needs.

3
WHITE PAPER: PREPARING FOR THE GENERAL DATA PROTECTION REGULATION (GDPR)

WHO IS AFFECTED? the organization can precisely locate all instances of an

GDPR applies to any organization, in any country, that collects, individuals personal data across the entire infrastructure

stores, or processes the personal data of EU residents. This (sometimes referred to as the Where is my data? problem)

data can be from employees, business partners or prospects will be a major part of this challenge.

and customers. In regulation terminology, such organizations For some organizations, this will present an opportunity to
are defined as either controllers, who determine how and why streamline operations, eradicating unnecessary data collection
the personal data is processed, or processors, who act on the and limiting processing to only that which is essential to
controllers behalf. Both have increased obligations under GDPR, the core business goals. Either way, the transition to
and both could face penalties in the event of a breach. compliance is likely to be a significant undertaking.

WHAT ARE THE IMPLICATIONS FOR GLOBAL

BUSINESSES? ACCOUNTABILITY AND GOVERNANCE
For most organizations, the implications are both significant The organization then needs to be able to demonstrate
and far-reaching, necessitating changes that encompass compliance through appropriate governance measures,
data processing workflows, organizational structure, business including detailed documentation, logging, and continuous
processes and ultimately, information and security technologies. risk assessment. There is an added expectation here of
data protection by design and by default, meaning that
security should, as far as possible, be an integral part of
INDIVIDUAL RIGHTS
all systems from the outset, rather than something applied
At its core, the GDPR defines the rights of the individual as in retrospect, although this clearly presents an enormous
they relate to data protection. These rights can be broadly challenge where legacy systems are concerned. Such cases
summarized as follows: highlight the essential role of network level security as the
first layer of defense, since until the huge number of legacy
Informed Consent
systems still in use can be redesigned with inherent data
The right to be clearly informed why the data is needed and
protection measures, it may be their only defense against
how it will be used. Consent must be explicitly granted and
data breach.
can be withdrawn at any time.
Due to the rapid pace of technological change - as
Access
witnessed in the domains of Internet, mobile devices,
The right to access, free of charge, all data collected, and to
applications and the digital economy for example - and the
obtain confirmation of how it is being processed.
subsequent evolution of cyber threats that will continue
Correction to exploit such changes, the regulation is necessarily
The right to correct data if inaccurate. vague here about the exact technology measures needed
to comply. Beyond the most obvious precautions of data
Erasure and the Right To Be Forgotten (RTBF) encryption, pseudonymization 2, etc., the GDPR uses
The right to request erasure of ones data. terms such as appropriate and state of the art to
convey the requirement for continuous risk assessment
Data Portability
and the updating of compliance measures. As new
The right to retrieve and reuse personal data, for own
vulnerabilities are discovered, the security technology or
purposes, across different services.
data protection practices considered compliant today may
need to be changed to remain compliant in the future.
The first challenge towards GDPR compliance is therefore
While this undoubtedly leaves room for legal challenges
to audit, and if necessary modify, the way the organization
over interpretation, organizations will nevertheless need
collects, stores and processes personal information in
mechanisms to ensure their efforts keep pace with the latest
accordance with these rights. Just reaching a point where
changes in technology and threats.

2
Pseudonymization is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms

4
 WHITE PAPER: PREPARING FOR THE GENERAL DATA PROTECTION REGULATION (GDPR)

BREACH NOTIFICATION interpreted when evaluating the best response to any detected
event.
GDPR also introduces a new obligation on organizations to
notify relevant authorities of any personal data breach3 likely Any solution worthy of the term, State of the Art, will not only
to result in a risk to the rights and freedoms of individuals . 4
need to overcome the above challenges, but continually adapt
Where that risk is deemed high, notification must also be to changes in the usage of technology and in the evolving threat
extended to the affected data subjects. Notifications must landscape.
be made without undue delay and where feasible, within 72
hours of the event discovery.
REPORTING BREACHES WITHIN 72 HOURS
Even in the absence of any explicit reference to specific data The first challenge to the GDPRs breach notification requirement
protection and network security technologies, the transition is to detect when a qualifying breach has taken place and
to compliance must begin with ensuring that the underlying determine which assets might be at risk. Almost by definition,
network is sufficiently protected across all possible attack any successful external security breach must have either
vectors. evaded detection entirely, or was not detected quickly enough.
This means it either exploited an attack mechanism unlike
any previously encountered, or the flags that it did raise were
NETWORK SECURITY CHALLENGES missed.
MAINTAINING STATE OF THE ART DEFENSES
Indeed, in 2016, the average time taken for organizations to
Keeping pace with the evolving threat landscape is a become aware of a typical breach was almost five months5.
challenge even without the GDPRs stipulation for State Fortunately, the GDPR 72-hour notification window opens at the
of the Art defenses. The enormous revenue from cybercrime, moment of detection, not the moment of intrusion. Yet since the
not to mention its potential for state-sponsored terrorism, financial impact of a breach correlates strongly with the length of
ensures a level of resource and innovation that can be hard time the hacker has access, shortening the time to detection is
for any individual company or even national government still imperative.
to match.
Initial Breach
Intrusion Detection
Part of the problem comes from the way cyber security has Window of
opportunity
evolved, with the discovery of each new attack vector spawning
yet another security solution to be added. Although each
T0 T1
such addition may fulfil its role as intended, it does so mostly in
isolation, with little or no interaction with the rest of the Since it is clearly impossible to detect the undetectable, security
security infrastructure. This is not only hard to manage, but administrators should accept and prepare for the inevitable,
can easily lead to gaps and inconsistencies in the response to occasional intrusion, while striving to minimize such occurrences
new threats especially across a multi-vendor environment. and hasten their detection through every means possible. As
previously noted, the GDPR does not require notification for all
The challenge is compounded by the adoption of trends such
security breaches, only those that present a risk to the rights
as mobility, cloud computing, and the Internet of Things,
of individuals. Consequently, if the data accessed through a
all of which expand the effective attack surface, exposing new
breach has been adequately obfuscated through encryption or
vulnerabilities, and eroding the traditional concept of a
pseudonymization, and if the duration of unauthorized access is
network border.
kept short, then the risk to those rights should be minimal.
One response to new threats is to increase processing and
controls, but as anyone familiar with airport / border security Initial Intrusion
Intrusion Detection
can testify, increased controls can soon lead to unacceptable
chaos and delay. Additional processing also adds complexity,
multiplying the number of data points to be aggregated and
T0 T1

3
A personal data breach is defined here as any security violation resulting in the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
4
GDPR Article 32, Security of Processing
5
2016 M-Trends Report

5
WHITE PAPER: PREPARING FOR THE GENERAL DATA PROTECTION REGULATION (GDPR)

However, the fact that a specific attack profile has not been THE FORTINET SOLUTION
encountered before does not necessarily render it undetectable. SECURITY BY DESIGN
With the right combination of distributed traffic analysis
While GDPR compliance is not something that can be achieved
and threat intelligence, together with technologies such as
through technology alone, the provision of State of the Art
sandboxing, previously unseen attacks can still be blocked.
network security is clearly an essential first step. To reduce
The challenge for such advanced detection techniques is to
exposure to the potentially crippling implications of a serious
distinguish the relevant signals from all the other noise.
data breach, it is necessary to minimize both the number of
This challenge is similar to that faced by antiterrorist network intrusions, and their time to detection. And it is here
organizations throughout the world who must extract the that Fortinet can contribute most to an organizations overall
tell-tale signs of an unfolding attack from the actions and compliance efforts.
communications of thousands of surveillance subjects across Underpinning the Fortinet solution is a new approach to security
multiple jurisdictions and national boundaries. Without extensive in which all key components of the security infrastructure are
collaboration and automated pattern recognition technologies, woven together into a seamless fabric.
such efforts would stand little chance of success.
FORTINET SECURITY FABRIC
Similarly, the traditional approach to network security of
Built upon three key properties - Broad, Powerful, and
having multiple isolated solutions report to, and then rely on,
Automated - the Fortinet Security Fabric offers a unique
the decision-making abilities of a single human administrator,
response to the challenges of protecting todays borderless,
is rapidly becoming untenable. As both network complexity
high bandwidth and complex networks from the rapidly evolving
and the frequency of security events increase, a degree of
menace of cyber-attack.
collaboration and intelligent automation across the security
infrastructure is essential.

Advanced Threat
NOC/SOC
Intelligence

Client Cloud

Network

Access Application

Partner API
THE FORTINET SECURITY FABRIC

6
 WHITE PAPER: PREPARING FOR THE GENERAL DATA PROTECTION REGULATION (GDPR)

BROAD
Designed to cover the expanding attack surface of a modern enterprise network, the Fortinet Security
Fabric provides protection, visibility and control over every part of the environment, from wired
and wireless endpoints, across public and private cloud assets, to the datacenter, and even to the
applications themselves.

Combined with dynamic network segmentation that logically separates data and resources, the Fortinet
Security Fabric can reach deep into the network to discover new threats as they move from one zone
to the next. This broad deployment and deep visibility is a crucial step to compliance, by helping
monitor internal traffic and devices, preventing unauthorized access to restricted assets, and limiting
the spread of intruders and malware.

Furthermore, the benefits of the Fortinet Security Fabric are not limited to the Fortinet portfolio
of security solutions. With open application programming interfaces (APIs), open authentication
technology, and standardized telemetry data, a growing ecosystem of Fabric-Ready Partners is
emerging, enabling organizations to integrate existing security and networking investments into their
own Fortinet Security Fabric.

POWERFUL
With the processing power of many traditional security appliances failing to keep pace with increases
in network bandwidth and threat complexity, organizations are often faced with an unacceptable
compromise. Either they must reduce the level of protection, which risks intrusion via an uncovered
attack vector or through an unsecured part of the network, or they must accept a drop in application
performance across the network.

By offloading security and content processing to dedicated, custom-built Security Processing Units
(SPUs) that combine hardware acceleration with highly optimized firmware, Fortinet products have
become the fastest in the industry, enabling organizations to establish comprehensive security without
compromising on performance.

AUTOMATED
In addition to broad visibility across the entire attack surface and the processing muscle to delve deeper
into every packet, the Fortinet Security Fabric can also muster the combined intelligence of its distributed
components to rapidly correlate events and coordinate a fast, automatic response appropriate to the level
of risk.

As rapidly as new threats are detected, the Fortinet Security Fabric can automatically isolate affected
devices, partition network segments, update rules, push out new policies, and remove malware. And as
an organizations network grows and adapts to changing business needs, the Fortinet Security Fabric will
grow and adapt with it, automatically extending the latest security policies to new devices, workloads,
and services as they are deployed, whether local, remote or in the cloud.

7
WHITE PAPER: PREPARING FOR THE GENERAL DATA PROTECTION REGULATION (GDPR)

SUMMARY vision that harnesses the collective power and intelligence

of Fortinets portfolio of security solutions to deliver benefits
For many organizations, the initial transition to GDPR
greater than those of its parts.
compliance is likely to be a lengthy and challenging process.
Furthermore, as the digital revolution marches on bringing
Designed around scalable, interconnected security, combined
technological advances to both sides of the cybersecurity arms
with high awareness, actionable threat intelligence, and open
race, that compliance will require regular reevaluation based on
API standards, Fortinets security solutions provide seamless
continued reassessment of the risks.
protection to the most demanding of enterprise environments

Fundamental to this ongoing process will be the role of and have earned the most independent certifications for

network security in preventing intrusion and minimizing the security effectiveness and performance in the industry. These

risk of serious breach, by reducing the time taken to detect solutions, the realization of the Fortinet Security Fabric vision,

new threats. To achieve this requires a broad, powerful, and close gaps left by legacy point products and provide the broad,

automated approach to security. powerful, and automated end-to-end protection demanded by

todays organizations across their physical, virtual and cloud
The Fortinet Security Fabric is a collaborative technology environments.

GLOBAL HEADQUARTERS EMEA SALES OFFICE APAC SALES OFFICE LATIN AMERICA HEADQUARTERS
Fortinet Inc. 905 rue Albert Einstein 300 Beach Road 20-01 Sawgrass Lakes Center
899 Kifer Road 06560 Valbonne The Concourse 13450 W. Sunrise Blvd., Suite 430
Sunnyvale, CA 94086 France Singapore 199555 Sunrise, FL 33323
United States Tel: +33.4.8987.0500 Tel: +65.6513.3730 Tel: +1.954.368.9990
Tel: +1.408.235.7700
www.fortinet.com/sales

Copyright 2017 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common
law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance
and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether
express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinets General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same
ideal conditions as in Fortinets internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this
publication without notice, and the most current version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to
change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
67717 0 1 EN