GDPR Readiness: From Mission Impossible to Mission Accomplished
Your mission, should you choose to accept it, involves the identification and protection of the Personal Data of residents in the European Union (EU). You may select key data security solutions to aid you. You have only eight months to complete this mission. Continue reading for specific steps to take. This message will self-destruct in 10 seconds.
Sound intimidating? The General Data Protection Regulation (GDPR) impacts any organization that deals with the information of current, past or prospective customers (Data Subjects) in the EU. Organizations around the world are scrambling to assess their GDPR readiness before May 2018, when the regulation takes effect.
The GDPR will replace the current EU Data Protection Directive. Is it designed to unify data privacy requirements across all 28 EU member states. Per the GDPR, Data Subjects — which include end users, customers and employees, among others — have the right to make a claim if their data is not protected in compliance with the GDPR regulations. Further, EU regulators have the right to impose huge fines for violations.
Data protection is a key concern for businesses. The GDPR creates more obligation and liability for Data Processors and Controllers. As previously reported, the GDPR “will enact stricter guidelines on getting consent for data collection, individual profiling and more comprehensive definitions of data. It all points to a new imperative to manage data at a granular, data-element level by understanding where the data is located, where it flows, with whom it is shared, what consent is given and when data must be deleted” to fully support the right to be forgotten. Additionally, businesses are required to notify customers within 72 hours of a data breach.
Launching Your GDPR Readiness Mission
To get your GDPR readiness mission underway, you first need to answer some critical sleuthing questions regarding Personal Data:
- Where is all Personal Data stored?
- What does the Personal Data look like?
- How much is at risk if it’s stolen or exposed?
- Who is accessing or trying to access Personal Data? Are bad guys trying to delete or steal it?
- When are they trying to steal or expose it?
Just as Ethan Hunt, the hero in the “Mission: Impossible” series, had nifty gadgets to help him on his mission, IT teams need the right tools to help them answer those critical questions. You can hasten your success by looking for product capabilities designed to support your GDPR needs.
First, consider taking a self-paced GDPR assessment to help you understand your position. Next, tackle the question of what Personal Data falls under the purview of the GDPR. You can set yourself in the right direction by leveraging a product with automated discovery and prebuilt classification patterns that can identify relevant data.
Once you know what you are looking for, determine where the data is stored. To do this, seek out a product that has GDPR-specific vulnerability and risk assessment capabilities. These tools can scan for data sources that contain GDPR-specific Personal Data.
After you know what Personal Data exists and where it’s located, you can tackle the question of who is accessing it. To do this, you’ll need a solution that provides predefined policy rules and groups that help monitor, audit, record and provide alerts on any unauthorized activities related to that Personal Data. Real-time activity monitoring can also provide this insight.
Finally, it’s important to keep track of what’s happening to all that Personal Data in real time and respond according to the GDPR requirements. For this project, seek a solution that provides prebuilt GDPR-centric reports that identify who has accessed Personal Data, where they accessed it from, when it was accessed and how it was accessed. You can use this information to send notifications to auditors, controllers and data protection officers using a Data Security Compliance Review process.
IBM Security Guardium now offers a GDPR Accelerator. This tool provides a suite of prebuilt and ready-to-deploy tools to help you get started and speed your mission along the path to success. Using the Accelerator’s prebuilt classification patterns to help you locate GDPR-governed Personal Data, plus the built-in Personal Data Security Assessment tests, you are better able to understand the scope of your mission and how to proceed. Once you locate and fix any issues with the sources that contain your Personal Data, you can start monitoring them and take action if suspicious behavior occurs.
The Accelerator includes prebuilt policy rules and groups that enable you to perform continuous monitoring more quickly. The prebuilt policy rules help protect Personal Data from unauthorized access and activities, including changes, removal, replication or deletion of records. The tool also offers Security of Processing reports, which you can select on a user, controller or application basis, for data activity monitoring of all authorized and unauthorized activities.
Finally, the Guardium GDPR Accelerator provides an automated compliance audit review process to support GDPR compliance. This capability automates the notification and review process for simplified, faster escalations and sign off on the prebuilt audit reports for Personal Data activities, which should be documented, recorded and reviewed.
Get on Track
Once you’re on the right path, you can begin dealing with more focused means of protecting the Personal Data you’ve located, classified and begun monitoring. Encryption, redaction and masking can then be applied to support the appropriate levels of pseudonymization your organization and its data requires.
The mission to protect Personal Data and comply with the GDPR is a crucial one. To complete your mission before time runs out, you’ll need to equip yourself with the right tools and capabilities to meet the challenge head-on.