Not being compliant when it comes to data protection could cost your business millions. But using software to automate GDPR compliance can save you time and money. Information Age runs through the best packages out there.
The European Union’s General Data Protection Regulation (GDPR) is now well-established as a global standard for international companies to comply with when it comes to securing and managing their data, and their customers’ and partners’ data.
Non-compliance with GDPR in relation to any data breaches or leaks can also result in potentially big fines.
Here we look at the key types of GDPR compliance software available for chief technology officers and their colleagues.
GDPR compliance software challenges
Vicki Utting, managing executive of Vigilant Software, says of GDPR requirements: “GDPR compliance is a challenging and time-consuming activity. The expanding scope and impact of compliance requirements and audit programmes, plus the ambiguity and complexity of the GDPR law itself, creates a never-ending and exhausting to-do list for CTOs – but one that is vital for organisations to survive and thrive.”
Ian Wood, senior director and head of technology for the UK and Ireland at cloud data management vendor Veritas Technologies, adds: “Much of what is on the market today is limited to a small number of specific applications or environments, which will only ever scrape the surface when it comes to the challenges organisations face, leaving them open to falling foul of the regulation.”
The rapid expansion of cloud services and collaboration tools that businesses are now using as a result of the pandemic and accelerated digital transformation, says Wood, only serves to complicate the issues around GDPR.
“To match the constantly evolving landscape, organisations need to partner with a vendor that is able to span all of the platforms where data is being held. One of the biggest risk areas is the explosion of data sharing through cloud collaboration tools, which are replacing email as the preferred way of sending files.
“To miss any of these important cloud platforms out of the compliance process makes it impossible to meet the requirements of GDPR. Therefore, the ability to sweep all systems not only saves time but provides peace of mind that nothing will be missed.”
Darren Wray, head of Guardum data protect solutions at DFIN, says: “GDPR compliance and support software is currently in flux. The recent proposed changes to UK GDPR have left some users reconsidering the solution they have chosen, having realised it isn’t as much of a time saver as they originally thought.
“Of course, privacy compliance is not standing still and there are changes in different parts of the world that are also influencing companies to look at the way they adhere to these regulations, and ensure they are protecting their data.”
Egnyte provides GDPR compliance by locating, controlling and securing the personally identifiable information (PII) of EU residents stored in on-premise or cloud repositories.
Kris Lahiri, chief security officer at Egnyte, says: “With 65 per cent of the world’s population expected to have their personal data covered under privacy regulations by 2023, respecting data privacy has never been more critical. There is increasing content moving between on-premise and multi-cloud environments as organisations have shifted the way they store and access their unstructured data.
“Business users are clamouring for consumer-like, self-service models of accessing files anytime, anywhere. Picking a solution that acts as a source of truth for all data is key to ensuring GDPR compliance.”
He says organisations need to look for a solution that can locate all employee and customer private data wherever it resides and classify it, provide real-time alerts for when specific types of content are accessed or shared, and maintain a comprehensive audit trail of all file and user actions that help with total visibility into regulated and company-sensitive data.
By using an effective log analysis tool, it should be easy to monitor and analyse the log data within your network. A good tool will confirm that your devices are secure, while also storing event logs for compliance auditing. By creating periodic compliance audit reports, it’s also easier for IT personnel to assess security risks and ensure their organisations are GDPR-compliant.
Rajesh Ganesan, president of ManageEngine, says: “In the event of anomalous activity on the network, IT personnel should be immediately notified via an alert. Moreover, effective log analysis tools should support file integrity monitoring, which can act as a warning system for permission access issues.”
Data Loss Prevention
In addition to using an effective log analysis tool, it is prudent to employ a data loss prevention (DLP) solution. Such a solution detects and classifies data, defines rules for authorised usage and secure transmission, and protects sensitive data on managed endpoints. Companies that allow BYOD (bring-your-own-device) could use a data containerisation utility, ensuring that all corporate data is kept separate from the operating systems of user-owned devices.
With a good DLP tool, IT personnel can designate trusted applications for data processing, while also monitoring the network for insider threat detection and sensitive data movement.
Policies and cookies
The offering from Ketch helps formulate policies that apply specifically to your company’s entire data and information ecosystem. Its GDPR service promises to ensure compliance with every regulation, covering data users and data systems.
For instance, cookie compliance is not the same as general compliance with GDPR regulations.
“It’s your responsibility to ensure data collected and processed with cookies is compliant with all aspects of GDPR,” says Ketch.
Ketch helps companies eliminate the often manual approaches to data discovery and adding new regulations to the compliance list, in favour of an automated “set-it-and-forget-it” approach.
“Our software gives you a centralised solution to conducting data discovery across multiple systems, setting GDPR policies for your data, and pushing those policies out across all systems, devices and user experiences,” the firm says.
Michael O’Donnell, data ecosystem specialist at Quest Software, points out that databases are a GDPR “pain point”. He says: “Many organisations fail to realise that databases are a critical security risk. The main goal for many attackers is to gain access to databases to steal a large volume of sensitive information. Many attack techniques, such as SQL injection, are specially designed to compromise database systems, and older versions of widely used Oracle databases, for instance, are susceptible to these attacks.”
One of the ideas behind regulatory compliance is a single version of the truth. “But organisations may have hundreds or thousands of data sources, and to get all this under control and comply with regulations requires a significant re-engineering of the architecture of the data and applications in the business,” O’Donnell says.
It is therefore important to discover where sensitive data may be stored and identify sensitive or critical data to set strict policies around its access.
O’Donnell says IT operations can quickly discover which servers are running databases that contain personal/sensitive information, based on the information in the metadata repository and business glossary. They can automatically scan databases for stored vulnerable data based on data polling or metadata attributes. They then need to put in place encryption, masking or redaction processes to protect it.
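The discover-then-protect sequence described above, sketched as an added example (not code from the article or from any vendor's product): it flags columns by metadata attribute (column-name hints) and by data polling (sampled values matched against patterns), then masks a flagged value. The SQLite schema, the hint list, the patterns and the 80 per cent threshold are all constructed assumptions.

```python
import re
import sqlite3

# Assumed name hints and value patterns; tune to your own business glossary.
NAME_HINTS = re.compile(r"(email|phone|dob|birth|surname|address|iban)", re.I)
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "phone": re.compile(r"^\+?\d[\d\s-]{7,}\d$"),
}

def build_sample_db():
    """Constructed in-memory database standing in for a production server."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (id INTEGER, email TEXT, contact TEXT, notes TEXT);
        INSERT INTO customers VALUES (1, 'ana@example.com', '+44 20 7946 0000', 'vip');
        INSERT INTO customers VALUES (2, 'bo@example.org', '+44 20 7946 0001', NULL);
        CREATE TABLE products (sku TEXT, title TEXT);
        INSERT INTO products VALUES ('A1', 'Widget');
    """)
    return db

def discover(db, sample=100, threshold=0.8):
    """Return {(table, column): reason} for columns likely to hold personal data."""
    findings = {}
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in [r[1] for r in db.execute(f'PRAGMA table_info("{table}")')]:
            if NAME_HINTS.search(col):              # metadata attribute match
                findings[(table, col)] = "metadata"
                continue
            rows = db.execute(                      # data polling on a sample
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT ?',
                (sample,)).fetchall()
            values = [str(r[0]) for r in rows]
            for kind, pat in VALUE_PATTERNS.items():
                if values and sum(bool(pat.match(v)) for v in values) / len(values) >= threshold:
                    findings[(table, col)] = f"data:{kind}"
                    break
    return findings

def mask(value, keep=2):
    """Redact all but the last `keep` characters of a value."""
    s = str(value)
    return "*" * max(len(s) - keep, 0) + s[-keep:]
```

The `contact` column is the case worth noting: its name gives nothing away, so only the sampled values reveal that it holds phone numbers.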
The Privacy Compliance Hub was set up by two ex-Google lawyers, in response to a lack of skilled data protection teams at organisations. It offers a free GDPR compliance health check.
Other players in GDPR compliance software
GDPR compliance software
| Company | Cloud delivered? | On-premise use? | Aimed at SMEs or Enterprises? |