Threat Lifecycle Management (TLM) company LogRhythm has released its GDPR Compliance Module. The module comes with a set of prebuilt rules, alerts and reports linked to GDPR requirements. It is targeted at organisations who are concerned that they either do not have the right processes in place or who have yet to start on their GDPR work.
James Carder, chief information security officer and GDPR data protection officer at LogRhythm said: “Given the breadth of the GDPR, no single solution provides automatic compliance with all aspects of the regulation. In fact, there are more people and process requirements to the regulation than technology.
“The LogRhythm GDPR Compliance Module offers a simplified approach towards meeting this new regulation by providing a fundamental security framework designed to help organizations address the technology requirements of the GDPR. This framework helps organizations reduce risk, avoid fines and preserve their ability to conduct business in and with the EU.”
What does the LogRhythm GDPR Compliance Module address?
According to the GDPR Compliance Module webpage, it: “…addresses 16 technology-focused GDPR Articles – making it easier for you to meet and exceed regulations. You’ll realize immediate benefits from pre-built content, including rules and alerts, investigations, and reports.”
Those articles are:
Rights of the data subject
- Article 17: Right to erasure (‘right to be forgotten’)
- Article 18: Right to restriction of processing
- Article 21: Right to object
- Article 22: Automated individual decision-making, including profiling
Controller and processor
- Article 24: Responsibility of the controller
- Article 25: Data protection by design and by default
- Article 32: Security of processing
- Article 33: Notification of a personal data breach to the supervisory authority
- Article 34: Communication of a personal data breach to the data subject
- Article 35: Data protection impact assessment
- Article 40: Codes of conduct
Transfers of personal data to third countries or international organisations
- Article 44: General principle for transfers
- Article 45: Transfers on the basis of an adequacy decision
- Article 46: Transfers subject to appropriate safeguards
- Article 47: Binding corporate rules
Provisions relating to specific processing situations
- Article 90: Obligations of secrecy
Most organisations would expect to already have processes for all of these areas. In that case, the information from the GDPR Compliance Module is simply a checklist. For organisations with poor privacy and data protection controls, this list takes on a lot more importance. For example, many companies have significant concerns about how to enact the Right to be Forgotten.
Another area that has organisations concerned is what happens when data is sold, transferred out of the country or used by a third party. Under GDPR, organisations need to show how transferred data is safeguarded or find themselves in breach of the regulation.
Alignment with existing tools
LogRhythm has identified four sets of pre-built content from the GDPR Compliance Module. These are:
- Lists: Log source lists, user lists, and location lists
- AI Engine Rules and Alerts: Identify and alert on actionable events
- Investigations: Dive deep into data for review and analysis
- Reports: Summary and detail reports
The idea is that customers will use LogRhythm’s tools to build on these four areas. Among the tools it mentions are its AI Engine, GeoIP configurations and Machine Data Intelligence (MDI) Fabric. This makes sense because those tools are already able to gather GDPR-related information about the data.
GeoIP, for example, adds geographic information to data. Companies will be able to identify which data is subject to GDPR and which is not.
It is not just about knowing what data is subject to GDPR and where it is going. There is always the risk that data will be lost or stolen. GDPR gives organisations 72 hours to notify the relevant authorities when this happens. LogRhythm has integrated its Security Automation and Orchestration features with the GDPR Compliance Module. This will make it easier for organisations to identify the “at risk” data and act accordingly.
What does this mean?
The data protection market is awash with GDPR tools that promise to “solve your GDPR problems.” It is important for organisations to realise that they cannot just buy a tool and make GDPR go away. Unless you have the right processes in place, the tools will simply tell you that you are heading for trouble.
What LogRhythm has done here is tie its GDPR offering to its existing products. It is a free tool, which means existing customers can get it right away. However, LogRhythm does make clear that you need to do a GDPR assessment first.
For those who are not LogRhythm customers, will this persuade them to invest in LogRhythm tools in order to take advantage of the GDPR Compliance Module? It might and it might not. Many companies might be interested, but not if it means changing their existing data protection tools.
It will be interesting to see how well LogRhythm does here. Will it be able to cash in as those organisations who haven’t started their GDPR journey scramble to get compliant? Like many of its competitors, LogRhythm will hope so. The bigger question is, once customers have sorted out their initial GDPR compliance, will they stay with LogRhythm for the long term?