On May 25 2018, the EU General Data Protection Regulation will go into effect, leaving organizations just over one month to plan, budget and employ the changes needed to meet its guidelines.
Enforcement will include steep non-compliance fines, and lest anyone forget, GDPR is not just an EU issue. The guidelines will affect any organization handling personal data of individuals residing in the EU no matter where they are located, meaning even U.S. companies that process the personal data of individuals in the EU will have to comply.
Since the GDPR doesn’t specify many technical details on how to achieve compliance, it can be a challenge for security professionals to prepare their organizations for the new regulations. Additionally, the GDPR introduces a new set of data protection principles that must be followed.
Thankfully, many of these data protection requirements can be sustainably and cost-effectively adhered to by leveraging existing tools and processes that are already deployed in a typical organization – and the good news is, your organization might already be more prepared than you might think.
Many organizations have already invested in identity governance solutions that provide centralized visibility and govern control over which users have access to what information. By providing a map of which users and roles can access applications and data (both structured and unstructured), this technology can offer organizations the ability to catalog systems, applications and databases (both on-premises and in the cloud), and determine whether appropriate access controls and safeguards are in place.
The four key elements you need to look for in a GDPR-ready identity governance solution include comprehensive coverage for applications and data stored in files, compliance controls, automated provisioning and password management. Each one of these plays crucial roles in identifying personal data, securing that data and demonstrating proof of GDPR compliance across an entire organization.
Specific areas in which this visibility can help organizations prepare for and meet GDPR requirements include the following:
Personal Data Protection Principles
The primary objective of the GDPR is privacy and the protection of personal data (Article 5), so organizations will need to demonstrate their compliance in processing, storing and securing personal data. Insight into who has access to what can provide visibility and control of personal data, automating the discovery and classification of personal data, and providing activity monitoring to improve risk mitigation and ensure an understanding of appropriate data use.
Securing Personal Data
The GDPR requires organizations to implement and “design in” appropriate technical and organizational measures for securing personal data (Articles 25 and 32). Centralized visibility into the access control models for all resources storing and processing personal data allows organizations to define and enforce access policies, conduct regular access reviews by data owners, and automatically revoke inappropriate access. To ensure ongoing compliance, this insight can also help to prevent policy violations by evaluating any proposed access changes against defined rules and automatically logging all access requests and actions by approvers.
Monitoring and Detection
According to GDPR (Articles 33 and 34), organizations must report data breaches to Data Processing Authorities and in some cases to data subjects. The regulation gives companies 72 hours from the time they become aware of a breach to report it, so organizations need to be prepared to immediately disclose specific details about individuals impacted, the duration of the breach and any remedial actions taken. A comprehensive understanding of where personal data is located and who has access to it can provide automated breach detection via forensics and fine-grained audit trails, notifying data owners and managers to any detected violations or anomalies, automatically remediating when violations are detected, and allowing data owners to perform real-time risk status checks over data they manage.
Meeting Compliance Documentation Requirements
GDPR regulations require organizations to maintain an Internal Data Processing Register to document all personal data processing activities (Articles 30 and 35). Organizations must also have in place a process for determining when a Privacy Impact Assessment is required for “high-risk” processing of personal data. These reporting requirements can be streamlined by identifying personal data stored in hard-to-find locations, especially data stored in files, and providing complete visibility into the access control models for each resource storing or processing personal data. The technology can also access and mitigate risk by providing detailed reports of each access review cycle.
With cyber attacks becoming more complex and frequent than ever before, organizations must be prepared to mitigate any and all risks. Technology that offers insight into who has access to what can help organizations combat inevitable cyber threats, while also bringing them one step closer to compliance.
If you start with the core concepts from your current identity governance program and augment them to address the unique challenges of data stored in files, you’re well on your way to having full visibility into your organization and being compliant with strict regulations like GDPR.