In just one month, the European Union's (EU) General Data Protection Regulation (GDPR) goes into effect. Businesses that aren't prepared for the May 25 deadline — and Gartner estimates that more than half won't be even by the end of the year — are in for a rude awakening if they mismanage data belonging to users in the EU.
The stringent new rules on user data privacy and security not only apply to EU-based organizations, but also to companies that do business in the region, which includes countless web applications and online services with European customers. Penalties for mishandling user data can reach as high as four percent of an organization's global annual revenue.
After settling on a GDPR compliance strategy, it's time to look for technology vendors and software solutions that are up to the challenge. Here's some advice on what to look out for while assessing your organization's GDPR readiness and evaluating products that can help.
- Automated data protection
- Managed file transfer
- Data mapping
- Privacy impact assessments
- Individual rights compliance
- Pseudonymization technologies
- GRC solutions
When it comes to meeting GDPR security requirements, Bogdan "Bob" Botezatu, senior security threat analyst at Bitdefender, said it's time to pawn off the manual labor to machines.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
"Use a solution that automates manual data protection processes and offers better visibility of data flowing in and out of your company. Your solution of choice should also be a layered one that yields protection against data loss, data theft, including targeted attacks, and offers enhanced visibility into data breaches," advised Botezatu.
For effective GDPR compliance, IT and business leaders should be prepared to set new security standards for their organizations, perhaps high ones.
"Define procedural and technological controls you deem sufficient to protect personal data. Pay special attention to securing unstructured data, e.g. by encrypting it," added Botezatu.
When it comes time to implement GDPR-friendly processes and IT solutions, it's up to data protection officers to ensure that they all work in tandem to safeguard user data.
"Data governance should be a result of business functions cooperating with teams focused on information, data, and security architecture," Botezatu said. "The best leader to facilitate this is the Data Protection Officer. When choosing technical and procedural controls, special attention should be paid to the products and services that improve data security posture."
Automated data protection vendors
- SAS: The company's solutions enable secure access to personal data and enable organizations to implement suitable safeguards and avoid improperly casting too wide a net for personal information.
- Gemalto: Helping address GDPR's security obligations with encryption and multi-factor authentication, Gemalto's SafeNet products help businesses keep sensitive user information under wraps.
- CA Technologies: Running an IBM z Systems mainframe? CA Data Content Discovery can help classify and protect sensitive data on big iron.
- Qualys: Helps businesses sniff out vulnerabilities that can lead to breaches of personal data.
- WatchGuard: WatchGuard Dimension, part of the company's Total Security Suite, uses a novel pseudonymization approach to shield users' identities in its network security monitoring dashboards and reports.
Peter Merkulov, chief technology officer of GlobalSCAPE, a secure data integration and movement software provider, also advocates the use of data protection software. Another good idea is to explore the world of governance, risk and compliance technology (GRC) services and reporting tools.
There's also a lot to be said about managed file transfer (MFT) solutions that ensure the secure collection, movement and eventual usage of sensitive personally identifiable data.
"What makes something like MFT a good fit to achieve compliance mandates is that it provides organizations with a holistic view of their data movement processes. It is essentially one centralized hub that customers can use to build the process that takes care of everything, from movement, to storage, to processing sensitive information at all points of an organization," Merkulov said. "MFT provides clear visibility into data flow, whereas if you use separate technologies or tools they would only really give a partial picture of the process and can make compliance much harder to achieve for that reason."
Managed file transfer vendors
- Cleo: The company's managed file transfer products allow businesses to wrangle their various file sharing systems, providing visibility and auditability as data is wends its way across and outside an organization.
- Citrix: Citrix ShareFile sports various integrations that help businesses and keep track of how data is shared and can help businesses meet GDPR's sovereignty requirements by using the ShareFile EU control plane.
- HelpSystems: The firm's GoAnywhere MFT solution enables encrypted data transfers and auditing, among other GDPR-friendly capabilities.
- Ipswitch: Ipswitch MOVEit offers encryption, both in transit and at rest, along with file transfer activity logs and integrations with security solutions.
- BMC: In addition to its secure file transfer capabilities, BMC's Control-M Managed File Transfer product features automated auditing and compliance reporting capabilities helping businesses demonstrate compliance.
The new compliance rules established by GDPR can be punishing to organizations with less than exacting data management practices. Data mapping solutions can help eliminate potentially costly blind spots, said Darren Abernethy, senior global privacy manager at TrustArc.
"A large part of the new GDPR accountability regime is being able to justify the type and scope of data that is being collected, and to demonstrate compliance in a timely manner," explained Abernethy. "Using technology solutions that facilitate data mapping allows companies to know exactly what data they're collecting, where it's being stored, and who has access to it.
"It also helps organizations understand where they are acting as a data controller versus a data processor, and thus which additional obligations may apply based on sensitivity, geography or other factor," Abernethy added.
Data mapping vendors
- TrustArc: Offers a variety of GDPR-compliant solutions, including a data flow manager that map how sensitive data flows throughout an organization.
- Veritas: Best known for its backup technologies, the company's data inventory and analysis capabilities piggyback on its NetBackup product to provide visibility into where personal user information is stored and who has access to it.
- Check Point: Although it primarily prevents data leaks, Check Point Data Loss Prevention (DLP) Software Blade can discover and "fingerprint" files that contain sensitive information.
- BigID: And a new name to add to the list – BigID was named most innovative startup at the recent RSA security conference.
Under GDPR, it's not enough to take user privacy seriously. Organizations must also weigh the potential impact their business decisions will have on their users' data privacy.
Abernethy suggests investigating solutions that enable businesses to conduct privacy assessments that clue companies into potential trouble, preventing a tussle with regulators down the line.
"Businesses must understand the privacy risks that can result from new product launches, geographic expansions and mergers and acquisition activity. To do this, companies are looking to tools deployable across the organization that help identify high-risk data being collected as it pertains to new regulations, and create an audit trail to show they have thought through privacy issues proactively with multiple stakeholders," Abernethy said.
"Companies can then assess where they have gaps in compliance efforts and the steps involved to remediate any areas of concern," he added.
Privacy impact assessments vendors
- AvePoint: Partnering with the International Association of Privacy Professionals (IAPP), AvePoint offers a free, automated privacy impact assessment (PIA) offering.
- OneTrust: OneTrust's automated privacy impact assessments, along with data protection impact assessments, provide self-service tools and role-based templates to help organizations prioritize privacy.
- Privaon: This Finnish firm offers PIA as a service with optional workshops conducted by the company's privacy specialists.
Weighing a privacy management solution? Don't neglect the fact that GDPR grants users rights over how businesses use their data, reminded Abernethy.
"GDPR Articles 15-23 on individual rights require companies to provide customers the right to access their data, the right to restrict or object to the processing of their data, and the right to data portability," he said. "The use of technology solutions that are able to create custom individual rights request forms and provide notifications and automated reporting will help companies meet individual rights requirements without interfering with their business model."
And businesses don't want to be caught dragging their feet after a user request is submitted.
"These tools, when combined with data mapping, allow companies to quickly identify the storage locations of the data requested by customers and fill that request within the required timeframe of 30 days," said Abernethy.
Individual rights compliance vendors
- TrustArc: In addition to the data-mapping solution, the company also offers an individual rights manager, along with cookie consent and direct marketing consent tools that help ensure compliance.
- LogicGate: The LogicGate platform's individual rights request portal helps offers businesses prebuilt landing pages for personal data correction request and erasure, or "right to be forgotten" request, along with tools that help manage responses.
- Pillar: The Pillar Wallet for Business serves as a "personal data locker" that users control and allows organizations to comply with the GDPR's right to be informed, right of access, right to restrict processing and other provisions.
Pseudonymization is a data-masking tactic that is referenced in the text of the regulation itself.
By storing portions of a user's data in separate locations, it makes it tough for potential attackers to reassemble personally identifiable information. "Simply put, pseudonymization means storing an individual's information in many separate files, under many different names, so that no hacker could ever grab one file and have anyone's full information," said Kory Willis, senior director of IT at partner relationship management (PRM) provider Impartner.
"If your information isn't pseudonymized, you're not compliant, and you could face huge consequences [when GDPR goes into effect]," he added.
- Anonos: The Anonos BigPrivacy platform can transform data into a pseudonymized format.
- IRI: IRI FieldShield, a classification and masking tool for personally identifiable information stored in databases and files, supports multiple methods of protecting user data, including pseudonymization.
- Protegrity: The data protection specialist's tokenization technology enables data pseudonymization.
- Oracle: Oracle recommends that customers use Oracle Data Redaction policies and Oracle Database Vault to pseudonymize data stored in its database products.
- Striim: The data integration and streaming analytics provider has added data pseudonymization to its platform.
Governance, risk and compliance (GRC) solutions have long been an enterprise IT staple for managing the myriad of compliance regulations. GRC vendors claim their solutions pay for themselves in fines avoided — and with more than $300 billion in fines levied in the decade since the global financial crisis, they may have a point.
A good GRC solution will cover a range of needs, starting with risk management and analytics, regulatory compliance, and auditing and reporting. Here are our picks for top GRC vendors, with links for more information about each vendor.
The GDPR implementation deadline is also a good time for companies to review their overall security posture.