GDPR is putting data protection practices at the forefront of business agendas worldwide. For most organizations, this is a critical time for their data protection regimes as they determine the applicability of the GDPR and the controls and capabilities they will need to manage their compliance and risk obligations.
“Executive management will be responsible for ensuring that an organization meets its legal obligations to implement the GDPR’s requirements,” said Steve Durbin, managing director of the Information Security Forum. “An organization’s governance functions, including information security, legal, records management and audit should ensure they are familiar with the requirements of the GDPR and have the necessary people, processes and technical solutions in place to achieve compliance.”
Basic Strategies to Put in Place
If American companies have even one EU-based customer, they need to be GDPR compliant by May 25. With an overwhelming amount of data being regularly collected and stored by businesses, numerous stakeholders can come into contact with Personally Identifiable Information (PII). How can companies prepare?
According to Laurence Pitt, Juniper Networks’ Global Security Strategy director, there are basic steps every organization should do as they set up (or are putting the finishing touches) on their GDPR process. They include:
- Put someone in charge of data compliance. Under GDPR, this person is known as the Data Protection Officer (DPO) and is responsible for ensuring that your company is securing their data correctly. The DPO will also be responsible for the company’s compliancy process and continued compliance. Without a DPO, your company will risk failing to comply.
- Encrypt data. This may seem obvious, but it’s worth taking the time to review what you encrypt and where it is. This will likely mean running a full data audit. Data changes value over its lifecycle and an audit has benefits beyond just knowing ‘what’ to encrypt. You will also learn what data is being held and whether it can be archived or deleted. This is not just about encrypting at-rest data – consider in-motion data and network data protection methods as well. The latest encryption and CASBE tools can help here.
- Make sure you know who is accessing data, from where and when. With demands for 24/7 device access, it is very important to put controls in place to reduce risks presented by unauthorized access. Make sure that employee access methods are strong by utilizing password best-practices and multi-factor authentication. Businesses will also need to look at what is accessing data. Many organizations have third-party connections in place with partners and/or other applications. These will need to be continuously monitored for ongoing GDPR compliance.
- Establish an incident response process. Under GDPR, data breaches must be reported, in some cases within 72 hours of detection. An effective incident response process will put companies in a stronger position, should a breach occur, to understand what happened, the impact and how to mitigate repercussions.
Tools to Better Manage GDPR
GDPR is not something that organizations can walk away from on May 26. Once the best-faith actions are taken and strategies are in place for GDPR, they must be managed and maintained. Listed here are some products to help you become and stay GDPR compliant.
GDPR Validation: TrustArc launched an independent GDPR Validation service, enabling companies to demonstrate readiness and their GDPR compliance status to regulators, customers and other stakeholders. The TrustArc GDPR Validation is the latest addition to the TrustArc Data Privacy Management Platform suite of technology-powered privacy solutions. The process itself takes place within TrustArc’s Platform and is an iterative process between the organization and a TRUSTe Global Privacy Solutions (GPS) team member. The GPS team reviews the GDPR Validation Assessment provided by the organization against the applicable Validation’s requirements and identifies any gaps for remediation, which the organization will then complete, documenting the remediations and associated evidence in the GDPR Validation assessment record on the TrustArc Privacy Platform.
Luminate Security: Launched this past March, Luminate was designed with GDPR and privacy in mind. It is a software-as-a-service security platform that can be deployed in less than five minutes, and allows CISOs, CIOs and CTOs to securely manage access to all their corporate resources from any user's device, and from anywhere in the world. It seamlessly integrates with all cloud Infrastructure-as-a-Service and on-premises data center technologies. Users are granted one-time access to the requested application while all other corporate resources are cloaked without granting access to the entire network. This prevents any unauthorized lateral movements to other network resources and eliminates the risk of network-based attacks. The tool will address GDPR issues such as minimizing the collection of sensitive data, limiting access to sensitive data, securing communications surrounding sensitive data, and governance of sensitive data. Luminate only grants access to applications for which users have been granted permission while all other applications are cloaked to prevent unauthorized access.
Fortanix Self-Defending Key Management Service: The Self-Defending Key Management Service (SDKMS) creates a control layer between the data controller and the data processors to help meet GDPR requirements around data audit, control and erasure. The data processor is an entity that processes the personal data according to rules set by the data controller. The runtime encryption covers GDPR requirements such as access control, data erasure, data masking, key destruction and geo-fencing. SDKMS is cloud agnostic, built to scale, and provides software flexibility with HSM-grade security.
Kogni: Kogni is a data security product that enables companies to discover sensitive data in enterprise data sources (both cloud-based and on-premises), to secure data as it is ingested, and to continuously monitor data sources for possible breach and policy violations. It scans enterprise data sources, applying machine learning and computer vision to identify sensitive data stored in text and images from sources including Hadoop, NoSQL, S3, and RDBMS. This data is then secured as it is ingested into Hadoop using simple configurations and plug-ins for Sqoop, Spark, Kylo, Nifi, and Streamsets among others. Kogni then continuously monitors data sources and user behavior for anomalies and triggers detailed alerts on sensitive data proliferation and policy violations.
TigerGraph: TigerGraph offers the industry’s fastest graph analytics solution and supports GDPR with Real-Time Deep Link Analytics. Data will need to be stored and copied, and it will be need to be noted which applications are using it and for what purpose. TigerGraph can maintain a real-time map of all EU citizen data from the moment it is recorded and captured, where it is stored and copied, and detail its usage throughout the organization in hundreds or thousands of applications. As customers request access to their data via GDPR, TigerGraph can support the queries in real time, providing information lineage and usage data to analysts. What’s more, TigerGraph can also detect violations of use of EU citizen data that derives from permissible usage based on terms of service, as agreed by the customer during the data acquisition phase.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba