[BreachExchange] Fuelling compliance as the deadline for GDPR looms

Audrey McNeil audrey at riskbasedsecurity.com
Tue Sep 26 19:12:28 EDT 2017


http://www.itproportal.com/features/fuelling-compliance-as-the-deadline-for-gdpr-looms/

The deadline for organisations to be compliant with the EU General Data
Protection Regulation (GDPR) is edging ever closer in what will be the
biggest shake-up in European privacy laws for 20 years.

Compliance will be no mean feat for anyone, requiring vast amounts of time
and resource, no matter how big or small the organisation. Recent research
commissioned by CA Technologies among business leaders with over 5,000
employees revealed that only 22 per cent are completely prepared and
waiting for the GDPR to come into force. For those who have not yet started
preparations (14 per cent), the first step to getting ready is to create a
cross-functional programme of work containing representatives from Legal,
IT, HR, and other Business Units. This is not just an IT problem.

With great data comes great responsibility

The GDPR introduces a move toward privacy by design, meaning that
organisations will have to build safeguards into processes, such as testing
and development, from beginning to end. Organisations must become more
accountable for the Personally Identifiable Information (PII) they hold.
They need to know where PII resides, how they can secure it (at rest and
in flight) and, if they suffer a breach, how they will know about it. When
asked about the safe storage of sensitive data and PII, 18 per cent of
those surveyed were not confident that it was stored in places where only
their organisation could access it and a worrying 34 per cent are not yet
able to detect PII and other sensitive data used during software
development.

In the financial sector, the introduction of GDPR is seeing programmes
running in larger banks to ensure they remain compliant. Now it will be
about balancing the requirements against finding ways to stay compliant and
using automated processes to reduce the cost impact of doing so. Finding
the data that organisations think they have might seem easy, but data can
leak out of control in many ways. For example, the proliferation of
spreadsheets which may contain PII is very difficult to get under control,
especially when this data is held on laptops, mobile devices and shared
over email. Furthermore, the use of customer PII in testing new
applications is an everyday occurrence in larger banks and this data needs
to be masked or anonymised.

Understanding where this data resides is one challenge, but once
understood, the data must be encrypted in production environments; and
masked and anonymised for use in development and test environments. On top
of this, access needs to be controlled by using identity management,
privileged access management and strong authentication techniques.

There’s no hiding from the legislation; it’s a stark case of comply or face
the consequences. Non-compliance penalties could lead to fines of up to
€20m or 4 per cent of a company’s global annual turnover.

As the May 2018 deadline approaches, these four points are just some of the
key areas that organisations need to focus on:

New requirements: Organisations will need to put data protection at the
centre of their information processes, including the execution of data
protection impact assessments—appointing a data protection officer could
also be a way to guide this overall process.

New user rights: The GDPR demands increased transparency. For example,
users can request the erasure of data from controllers (the ‘right to be
forgotten’), the correction of errors, and the right to access data in
structured formats so they can switch controllers. If a data breach occurs,
users also need to be notified in certain cases.

Technology strategy: Organisations will need to document and report on
where their data is, how it is collected, how it is stored, and who can
access it. For example, whenever personal data is used for testing, the
testers need to ensure there is a legal ground to do so.

Identity management: The GDPR supports calls for transparent, documented,
and enforceable identity policies and tools surrounding authorisation and
authentication to ensure traceability and increased security.

How technology can drive GDPR compliance

When exploring the organisation’s technology strategy further, sufficient
resources must be devoted to risk management, compliance and IT. This can
be achieved by taking the following five steps to help the organisation
accelerate their GDPR compliance:

1. Data management and discovery

The initial step is to discover personal data across your organisation and
protect it from unauthorised access. By identifying and controlling
personal data—at rest, in motion, and in use—organisations will be uniquely
positioned to enforce GDPR compliance.

2. Identity and access governance

Organisations need to centralise and govern user identity and manage
access, especially in the case of privileged users. By automating this user
management, organisations benefit from ‘who has access to what’ insights,
higher user productivity and GDPR compliance.

3. Privileged access management and threat analytics

Under the terms of the GDPR, data controllers must report any data breach
within 72 hours of the incident occurring. By managing privileged access,
organisations can more easily protect privileged activities and enforce
data breach detection and notification.

4. Test data management and synthetic data generation

Test data management (TDM) is the process of providing, distributing, and
managing test data for development teams—and TDM takes on more urgency as
the GDPR deadline looms. Robust and efficient TDM practices are key to
overcoming compliance hurdles and avoiding the penalties associated with
the GDPR. By using synthetic data, organisations will avoid the pitfalls
associated with masking production data.
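An added example (not from the article or from CA Technologies) that joins the discovery step of point 1 with the masking step of point 4: it scans a constructed CSV extract for e-mail and phone-shaped values, then produces a test copy in which the identifier columns are replaced by keyed, deterministic pseudonyms, so rows still join across tables while the originals cannot be recovered without the key. The column list, regexes, sample rows and key are assumptions made for the example.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample "production" extract with fictitious customers.
SAMPLE_CSV = """customer_id,name,email,phone,balance
1001,Alice Example,alice@example.com,+44 7700 900123,250.00
1002,Bob Sample,bob@example.org,+44 7700 900456,-15.50
1003,Carol Demo,carol@example.net,,99.99
"""

# Hypothetical per-environment secret; in practice it lives in a secrets
# manager and never ships with the test data it protects.
MASKING_KEY = b"constructed-demo-key"

# Columns treated as direct identifiers (an assumption for this example).
PII_COLUMNS = {"name", "email", "phone"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")


def discover_pii(csv_text):
    """Discovery step: count e-mail/phone-shaped values per column."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col, val in row.items():
            if val and (EMAIL_RE.fullmatch(val) or PHONE_RE.fullmatch(val)):
                hits[col] = hits.get(col, 0) + 1
    return hits


def pseudonymise(value, column):
    """Keyed, deterministic token: equal inputs map to equal tokens (joins
    survive), but without MASKING_KEY the original cannot be recovered."""
    if not value:
        return value  # keep blanks blank so the test data stays realistic
    msg = f"{column}:{value}".encode()
    digest = hmac.new(MASKING_KEY, msg, hashlib.sha256).hexdigest()[:12]
    return f"{column}-{digest}@masked.invalid" if column == "email" else f"{column}-{digest}"


def mask_extract(csv_text):
    """Masking step: PII columns replaced, everything else left untouched."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow({c: pseudonymise(v, c) if c in PII_COLUMNS else v
                         for c, v in row.items()})
    return out.getvalue()
```

Rotating MASKING_KEY between environments gives each one an unlinkable set of pseudonyms, which is the point at which masked data starts to behave like synthetic data for most test purposes.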

5. API management

API management is the foundation for a future-proof GDPR-compliant
architecture. It enables organisations to quickly and easily adopt rules
for gathering consent, and inform users about the regulations relating to
data access and data portability.

The EU GDPR legislation will give citizens back control over their personal
data and simplify the regulatory environment for international business.
Organisations need to review their data lifecycle and put in place rigorous
and robust controls for the security and protection of data and how it’s
used and accessed. By adopting the appropriate software solutions, and
wrapping these around compliant processes, organisations can ensure GDPR
compliance.