The implementation deadline of May 25, 2018 has come and gone, and now enterprises across the globe are grappling with how GDPR affects their IT security strategies and operations.
In some ways, the new data privacy law is a wake-up call for many enterprises. Excluding some heavy regulated industries, like healthcare and finance, the penalties for improperly handling user data typically have boiled down to some bad press, some customer defections and the cost of getting back in their good graces.
Now that GDPR is in full effect, failing to safeguard private user data can mean step fines, even if the offending company isn’t based in Europe. Nobody wants to be the CIO who makes headlines for legal problems or millions in fines because their user data management and security strategies weren’t up to snuff. In fact, Facebook and Google are already making headlines for triggering first-day lawsuits under GDPR.
Ideally, companies have already audited their systems and technology platforms, and now possess a comprehensive understanding of exactly “where customer data is held and how it is managed,” said Mark Baker, Field Product Manager at Canonical, the firm behind Ubuntu Linux. After assessing their controls, IT leaders and compliance officers may come to realize that they need a little help wrangling and securing that data.
Security vendors step up with GDPR solutions
Not surprisingly, security vendors have stepped up to offer GDPR compliance solutions, often by repositioning data privacy and security technologies that aid regulatory compliance in general. Here are some of the ways security companies have repackaged their offerings into GDPR compliance solutions.
McAfee: McAfee Enterprise – now under the Trellix name after merging with FireEye – has come a long way from its antivirus roots and has positioned itself as a provider of GDPR-friendly products and services. Fittingly, the company is focused on the cybersecurity aspects of complying with the regulation, like the 72-hour breach notification requirement, which customers can meet with the help of its security operations solutions.
Symantec: Also famous for its malware-busting technology, Symantec has branched out into regulatory compliance with its aptly-named Symantec Control Compliance Suite. Supporting a range of regulations, including GDPR, the offering automates compliance assessments and reveals security gaps that can pose risks. Meanwhile, Symantec Data Loss Prevention and Information Centric Security help organizations keep a tight lid on personally identifiable information (PII).
TrustArc: Formerly TRUSTe, and known for its online security offerings, the company now provides a variety of products and services that can be used to ensure that a company’s data management, security and compliance policies abide by GDPR. TRUSTe’s portfolio includes solutions that aid enterprises in building and implementing a GDPR compliance program, and ultimately verifying compliance.
Bitdefender: Although GDPR doesn’t explicitly mandate the use of encryption, it’s considered an effective way of meeting many of the regulation’s security requirements. Bitdefender’s agentless GravityZone Full-Disk Encryption solution piggybacks on the encryption technologies built into Windows and macOS, BitLocker and FileVault, respectively, providing an essential layer of protection should a PC storing sensitive data go missing.
Sophos: While also banking on encryption as a GDPR-compliance tool, Sophos is focused on preventing breaches by blocking attackers that are wielding data-extracting malware and targeting servers and endpoint systems. To protect networks, the company’s XG Firewall appliances unmask attempts to steal data with the use of AI, or deep learning neural networks, to be exact.
Bitglass: Nowadays, there’s a strong chance that enterprises are keeping at least some sensitive information on third-party cloud services and applications. Bitglass’ Cloud access security broker (CASB) technology enables businesses to see where that data is being stored, control how it’s shared and ensure that they adhere to GDPR’s data residency and sovereignty provisions.
Forcepoint: The cybersecurity software provider, formerly Websense, is known for cloud and networking security solutions such as CASB, NGFW, web gateway and UEBA. Forcepoint has expanded beyond web monitoring and security and now offers solutions that aid businesses in identifying and mapping the personal data they have been entrusted with by automatically detecting PII that falls outside an organization’s data classification system. Wagering that not all personal information is stored in electronic documents, Forcepoint’s technology goes a step further by using optical character recognition (OCR) to find PII that may be lurking within the pixels of image files.
LogRhythm: Supplementing the wealth of data collected and analyzed by its Security Information and Event Management (SIEM) product, LogRhythm released a GDPR Compliance Module in early 2018. It offers users a set of alerts, rules and reports that are tailored to the regulation, helping IT security and compliance teams validate their compliance efforts and quickly address problems before they catch the attention of EU regulators.