
Malwarebytes GDPR Quick Start Guide

The document discusses how to prepare for compliance with the General Data Protection Regulation (GDPR). It explains what GDPR is and how it affects data privacy and security. It provides guidance on identifying current practices, performing a gap analysis, and implementing changes required to comply with GDPR.

Uploaded by

Kata Popesco

GETTING READY FOR GDPR COMPLIANCE

Corporate readiness for the most important change in data privacy regulation in 20 years.

This guide explains basic provisions of the new General Data Protection Regulation (GDPR), the most important change in data privacy regulation in 20 years. This Getting Ready guide explains what GDPR is, how it affects data privacy and security, and how your business can identify and implement changes required to be in compliance with GDPR.


THE ESSENTIAL GDPR FACTS


"IN OUR DATA-DRIVEN ECONOMY, DATA PROTECTION IS CENTRAL TO CUSTOMER TRUST. IT GIVES A COMPETITIVE ADVANTAGE TO BUSINESS, WHICH CAN USE THEIR HIGH PRIVACY STANDARDS TO ATTRACT AND RETAIN CUSTOMERS."
Věra Jourová, EUROPEAN COMMISSIONER FOR JUSTICE, CONSUMERS, AND GENDER EQUALITY

WHO
If your business handles the personal data of European Union (EU) residents, you are subject to GDPR, even if your business is located outside the EU. It’s never been more important to ensure that your data protection policies and security technologies are effective, as well as in compliance with GDPR.

WHY
Currently, each country in the EU has its own data protection laws, so doing business in the EU meant companies had to deal with different laws for each country. GDPR means one consistent regulation for data privacy.

WHAT
The goal of the GDPR is to protect all EU citizens from data and privacy breaches by harmonizing data privacy laws across all European Union member states.

WHEN
GDPR goes into effect on May 25, 2018. Organizations must be ready to demonstrate compliance by that date.


GLOBAL IMPACT
"THE GDPR WILL AFFECT NOT ONLY EU-BASED ORGANIZATIONS, BUT MANY DATA CONTROLLERS AND PROCESSORS AROUND THE GLOBE. WITH RENEWED FOCUS ON INDIVIDUAL DATA SUBJECTS AND THE THREAT OF FINES OF UP TO €20 MILLION OR 4% OF ANNUAL GLOBAL TURNOVER FOR BREACHING GDPR, ORGANIZATIONS HAVE LITTLE CHOICE BUT TO RE-EVALUATE MEASURES TO SAFELY PROCESS PERSONAL DATA."
Bart Willemsen, Research Director, Gartner

Key Terms

DATA CONTROLLER
Any business or organization that collects and handles the personal data of EU residents.

DATA SUBJECT
An EU resident whose personal data is handled by your business.

DATA PROCESSOR
A business that processes personal data on behalf of a Data Controller. For example, if your business uses a third-party cloud processing service, that service is considered a Data Processor for purposes of GDPR compliance.

PERSONAL DATA
The new regulation covers a wide range of personal data, including:

▶ Name, address, phone numbers, ID numbers, email addresses, and banking details
▶ Web data, including location, IP address, cookie data, and RFID tags
▶ Health, genetic, and biometric data
▶ Racial or ethnic data, sexual orientation, religious and political opinions


KEY GDPR COMPONENTS


The GDPR updates and expands data privacy and protection in several ways.

SCOPE
Any business that processes personal data of EU residents is now covered by the GDPR. Previously, if your business was not located in the EU, data privacy and protection regulations were ambiguous. Now, if you handle personal data of EU residents, the regulation applies to your business no matter where it is located. If your business requires that you perform regular and systematic monitoring of data subjects on a large scale, or you work with special categories of data, you will also need to appoint a Data Protection Officer responsible for GDPR compliance.

CONSENT
The conditions for consent require companies to use intelligible and easily accessible forms that clearly state the purpose of the data processing. The ability to withdraw consent must be as easy and simple as the ability to give consent.

PENALTIES
If you are in breach of GDPR, your business can be severely fined, up to 4% of your annual global revenue or 20 million Euros (whichever is greater). These penalties apply to both controllers and processors, so cloud processing is not exempt from GDPR.


DATA SUBJECT RIGHTS


GDPR provides more rights to EU residents in how their personal data is collected and handled.
In many cases, this will affect how your company does business with your customers.

BREACH NOTIFICATION
When there is a data breach that may affect the “rights and freedoms of individuals,” notification must be done within 72 hours of the breach. Data processors must notify data controllers without undue delay when they discover a data breach. These elements should be included in your disaster recovery program.

RIGHT TO ACCESS
Data controllers must provide a copy of personal data when the data subject requests it. The information must be free of charge and in an electronic format.

RIGHT TO BE FORGOTTEN
When data is no longer relevant to the original purpose or the data subject has withdrawn consent, the person can request erasure of that personal data.

DATA PORTABILITY
The data subject has the right to receive personal data concerning them and transmit that data to another controller.

PRIVACY BY DESIGN
Data Controllers may hold and process only the data necessary for work (data minimization) and limit access to that personal data to those needing it for the processing.


3 STEPS TO BECOMING GDPR COMPLIANT

Implementing GDPR will require changes to how your business collects, uses, and stores customer data. In addition, when customers exercise their data rights, you will need a response plan and process in place to release that data or remove it entirely. Your security and IT teams can take the lead in securing data and updating related processes. From Marketing and HR to Finance, every department must be involved in preparing for GDPR.

1 IDENTIFY CURRENT PRACTICES

▶ Audit the data and data flows used by your business, including sources, how data is used, how long it is retained, and if any of it is handled by third-party data processors.
▶ Look at the hardware infrastructure, disaster recovery, and other elements of data security within your business and with any third-party data processors.

2 PERFORM A GAP ANALYSIS

▶ Determine what data is required going forward and what data can be removed. The less data you need to secure, the easier it will be to comply with GDPR, and this also reduces your data exposure in the event of a data breach.
▶ Understand where the data is stored and how accessible it is to meet requests from data subjects.
▶ Work with every department to identify the required software and systems changes to comply with GDPR and how your team can support these efforts.

3 BUILD YOUR ROADMAP

Your specific steps to GDPR compliance depend on the type of business you’re in and what personal
data you have or need to operate. Place data protection at the core of every decision you make, so
your efforts form a long-term commitment to user privacy and data security.

▶ Update data management and security processes involving personal data, including storage and long-term retention.
▶ Create audit trails for data collection and processing, especially hand-offs to third-party data processors.
▶ Be transparent about what data you collect and why, so that everyone in the organization and your customers understand that data protection and privacy is a key priority for your business.
▶ Contact EU residents asking them to opt in or give explicit consent when needed to be on your existing marketing lists of customers or prospects. Consent text must be clear and informative, explaining how and when their data will be used.
▶ Identify which department will work with requests from EU residents, and then develop the processes to meet the new GDPR rights for data subjects. In addition, you will need to determine which EU member state is your supervisory authority.
▶ As part of your business continuity plan, build a clear process for responding to data breaches quickly and efficiently.


HOW MALWAREBYTES CAN HELP

"KEEPING PERSONAL DATA SECURE AND PREVENTING DATA BREACHES IS A FUNDAMENTAL TENET OF GDPR. MALWAREBYTES SOLUTIONS HELP COMPANIES ATTAIN THIS PRINCIPLE WITH BEST-IN-CLASS SECURITY AND REMEDIATION SOLUTIONS."
Ed Brown, Vice President & General Counsel, Malwarebytes

Malwarebytes helps address the problem GDPR is designed to eliminate—the breach itself. With Malwarebytes, organizations can take proactive steps to protect their data and maximize the value of their compliance investments.

Malwarebytes makes it easy to achieve effective endpoint protection that optimizes your IT resources and cost efficiency.

Our solution combines best practice detection layers to deliver leading endpoint security with simplified management and minimal end-user impact. This creates an interlocking web of techniques that work together to not only block malware but also its deployment and execution on the endpoint.


PROTECTION LAYERS
Our platform delivers the following real-time protection layers:

[Figure: the protection layers described below, followed by Remediation; legend: matching-based, signature-less]

Web Protection
Web protection protects users by preventing access to malicious websites, ad networks, scammer networks, and “bad neighborhoods.”

Application Hardening
Application hardening reduces the vulnerability surface, making the computer more resilient, and proactively detects fingerprinting attempts by advanced attacks.

Exploit Mitigation
Exploit mitigations proactively detect and block attempts to abuse vulnerabilities and remotely execute code on the machine, which is one of the main infection vectors nowadays.

Application Behavior
Application behavior ensures that installed applications behave correctly and prevents them from being abused to infect the machine.

Anomaly Detection Machine Learning
Anomaly detection machine learning proactively identifies viruses and malware based on anomalies from known and good files.

Payload Analysis
Payload analysis is composed of heuristic and behavioral rules to identify entire families of known and relevant malware.

Ransomware Mitigation
Ransomware mitigation is a behavior monitoring technology that detects and blocks ransomware from encrypting users’ files.

INCIDENT RESPONSE LAYER

Thorough Remediation
In addition to real-time protection layers, our solution delivers automated, accurate, and thorough remediation. This provides your organization with critical coverage for the entire attack lifecycle – from initial infection attempts through an actual infection.


GDPR-Ready Security Capabilities


The table below provides an overview of Malwarebytes’ key capabilities that help you meet the security outcomes of a GDPR-ready organization:

PERSONAL DATA PROTECTION

▶ Rules- and AI-based protection layers work together to form an interlocking web of endpoint protection that safeguards your customer data
▶ Provides most comprehensive real-time detection with seven protection layers
▶ Provides critical coverage for the entire attack lifecycle–from initial infection attempts through an actual infection

EMPLOYEE PROTECTION

▶ Protects your data by preventing malware from gaining a foothold on your endpoints
▶ Delivers effective offline protection with our signatureless layers when your employees are not at the office
▶ Web Protection layer protects your employees from connecting to malicious websites
▶ Ransomware Protection prevents your data files from becoming encrypted and held for ransom
▶ Restores user devices after a malware infection
▶ Supports multiple platforms, including Mac, Windows, and Android

DATA CENTER PROTECTION

▶ Delivers protection against malware and unknown threats for the servers across your environment

INCIDENT RESPONSE

▶ Incident response layer delivers automated, accurate, and thorough remediation to eliminate manual, ad hoc efforts
▶ Shortens attack dwell time
▶ Improves speed of detection and response with integrations to your existing security orchestration tools

SUMMARY
For most organizations, GDPR is a game-changer, and
getting compliance-ready should be top of mind for your
organization’s business and security leaders. It’s important
to prioritize new programs and solutions that ensure
your organization is ready for the enhanced regulatory
environment.

Malwarebytes helps organizations focus on the security essentials of protecting personal data by using multiple layers of pre- and post-execution engines to stop malware and other threats before and after they execute.

LEARN MORE:
MALWAREBYTES.COM/GDPR

©2018 Malwarebytes
