Modernizing Authentication — What It Takes to Transform Secure Access
In roughly four months, the European Union's (EU) General Data Protection Regulation, or GDPR for short, goes into effect. Businesses that aren't prepared for the May 25 deadline—many of them weren't as of last summer's VMworld 2017 conference in Las Vegas—are in for a rude awakening if they mismanage the data belonging to users in the EU.
The stringent new rules on user data privacy and security not only apply to EU-based organizations, but also to companies that do business in the region, which includes countless web applications and online services with European customers. Penalties for mishandling user data can reach as high as four percent of an organization's global annual revenue.
After settling on a GDPR compliance strategy, it's time to look for technology vendors and software solutions that are up to the challenge. Here's some advice on what to look out for while assessing your organization's GDPR readiness and evaluating products that can help.
Automated data protection processes
When it comes to meeting GDPR security requirements, Bogdan "Bob" Botezatu, senior security threat analyst at Bitdefender, said it's time to hand off the manual labor to machines.
"Use a solution that automates manual data protection processes and offers better visibility of data flowing in and out of your company. Your solution of choice should also be a layered one that yields protection against data loss, data theft, including targeted attacks, and offers enhanced visibility into data breaches," advised Botezatu.
For effective GDPR compliance, IT and business leaders should be prepared to set new security standards for their organizations, perhaps high ones.
"Define procedural and technological controls you deem sufficient to protect personal data. Pay special attention to securing unstructured data, e.g. by encrypting it," added Botezatu.
When it comes time to implement GDPR-friendly processes and IT solutions, it's up to data protection officers to ensure that they all work in tandem to safeguard user data.
"Data governance should be a result of business functions cooperating with teams focused on information, data, and security architecture," Botezatu said. "The best leader to facilitate this is the Data Protection Officer. When choosing technical and procedural controls, special attention should be paid to the products and services that improve data security posture."
Managed file transfer
Peter Merkulov, chief technology officer of GlobalSCAPE, a secure data integration and movement software provider, also advocates the use of data protection software. Another good idea is to explore the world of governance, risk and compliance (GRC) technology services and reporting tools.
There's also a lot to be said about managed file transfer (MFT) solutions that ensure the secure collection, movement and eventual usage of sensitive personally identifiable data.
"What makes something like MFT a good fit to achieve compliance mandates is that it provides organizations with a holistic view of their data movement processes. It is essentially one centralized hub that customers can use to build the process that takes care of everything, from movement, to storage, to processing sensitive information at all points of an organization," Merkulov said. "MFT provides clear visibility into data flow, whereas if you use separate technologies or tools they would only really give a partial picture of the process and can make compliance much harder to achieve for that reason."
The new compliance rules established by GDPR can be punishing to organizations with less than exacting data management practices. Data mapping solutions can help eliminate potentially costly blind spots, said Darren Abernethy, senior global privacy manager at TrustArc.
"A large part of the new GDPR accountability regime is being able to justify the type and scope of data that is being collected, and to demonstrate compliance in a timely manner," explained Abernethy. "Using technology solutions that facilitate data mapping allows companies to know exactly what data they're collecting, where it's being stored, and who has access to it.
"It also helps organizations understand where they are acting as a data controller versus a data processor, and thus which additional obligations may apply based on sensitivity, geography or other factors," Abernethy added.
Privacy impact assessments
Under GDPR, it's not enough to take user privacy seriously. Organizations must also weigh the potential impact their business decisions will have on their users' data privacy.
Abernethy suggests investigating solutions that enable businesses to conduct privacy assessments that clue companies into potential trouble, preventing a tussle with regulators down the line.
"Businesses must understand the privacy risks that can result from new product launches, geographic expansions and mergers and acquisition activity. To do this, companies are looking to tools deployable across the organization that help identify high-risk data being collected as it pertains to new regulations, and create an audit trail to show they have thought through privacy issues proactively with multiple stakeholders," Abernethy said.
"Companies can then assess where they have gaps in compliance efforts and the steps involved to remediate any areas of concern," he added.
Individual rights compliance
Weighing a privacy management solution? Don't neglect the fact that GDPR grants users rights over how businesses use their data, reminded Abernethy.
"GDPR Articles 15-23 on individual rights require companies to provide customers the right to access their data, the right to restrict or object to the processing of their data, and the right to data portability," he said. "The use of technology solutions that are able to create custom individual rights request forms and provide notifications and automated reporting will help companies meet individual rights requirements without interfering with their business model."
And businesses don't want to be caught dragging their feet after a user request is submitted.
"These tools, when combined with data mapping, allow companies to quickly identify the storage locations of the data requested by customers and fill that request within the required timeframe of 30 days," said Abernethy.
The GDPR implementation deadline is also a good time for companies to review their overall security posture.