A recent Reuters survey revealed that many of the regulators meant to police GDPR compliance weren’t ready to do so when it went live. In fact, seventeen of 24 authorities who responded said: “they did not yet have the necessary funding, or would initially lack the powers, to fulfil their GDPR duties.”
However, this doesn’t mean that firms can become complacent. Just because the authorities might not yet be ready to investigate every breach doesn’t mean that a breach will be any less damaging to an organisation and its ability to continue trading effectively. In today’s world, there is always a cybercriminal looking for a weak system.
GDPR compliance is, of course, centred around the protection of individuals’ personal data, and achieving compliance is no simple task.
As many organisations found when they approached their own compliance process, the GDPR’s legislation authors provided business leaders with very little information on how to go about execution.
We believe that leadership teams need to follow a robust and simultaneous plan which will allow them to become compliant and use security technology efficiently to protect the personal data of customers or employees.
Interpreting the GDPR’s Guidelines
The first move towards becoming fully GDPR compliant is understanding that the regulations are a set of guidelines, not prescriptive rules. This is causing a lot of headaches for organisations. As leadership teams bring their expertise from different departments of a business, it’s more than likely there will be differences in what they interpret as crucial to becoming compliant.
With this in mind, it’s important to work through how an action on one side of the business might impact another. For example, when it comes down to discussing efficient ways to enforce this degree of data protection, the legal department may be focused on battling the hefty non-compliance penalties; whereas the HR team may be more concerned about how this impacts the company culture.
A clear distinction between data collection and monitoring needs to be made, as one stakeholder can’t possibly have the skillset to execute an initiative of this scale by themselves. True collaboration means leaving egos behind and working together towards a common goal. So, before you get started, communication should be treated as a fundamental building block of GDPR planning; to start down the right path, stakeholders must agree on common terms for processes and technology.
The three-step implementation process
Once communication channels are in place, organisations can follow three simple steps to identify security risks, reach common ground amongst employees and accelerate their journey to becoming fully GDPR compliant:
- Identify where personal data resides and map data flows – Most organisations are not sure exactly where their data resides at any given point in time. As data moves beyond the walls of the perimeter, it tends to “hide” in sanctioned or unsanctioned devices and apps. Data loss prevention (DLP) technology can be used to gather information about data, including which user it is attributed to, the data type, where it lives, when it was accessed, and its permissions. Combining cloud access security broker (CASB) technology with DLP helps to identify personally identifiable information (PII) as it moves through the cloud.
- Protect personal data and detect threats – BYOD policies, mobile devices, and cloud apps have added never-before-seen complexity to security and have expanded the attack surface. We need to see risk in real time, but legacy IT wasn’t designed to protect data that travels outside of the enterprise and into the cloud. User and entity behaviour analytics (UEBA) assesses risk holistically, and when combined with other enforcement technologies (such as DLP), it enforces policies that are unique to the user and applied only when needed. Instead of locking down productivity, employees benefit from a layer of protection that is completely invisible to them; something HR departments will always get behind.
- Act fast and adjust processes – The GDPR requires organisations to report a personal data breach within 72 hours, so organisations should implement UEBA to surface behavioural anomalies and identify risky user activity. UEBA provides a more informed contextual picture, combining data from traditional security systems, SIEMs, and DLP tools with that of other organisational sources (e.g., HR, travel logs, email and chat communication). In the unfortunate event of a data breach, there is no better tool to have in your possession than an insider threat tool, which provides forensics through video collection and playback, expediting investigation and supporting attribution.
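The first step above (find where personal data resides and record who it is attributed to, its type, location, last access and permissions) can be prototyped as a small discovery script. This is an added illustration, not Forcepoint’s product or code; the PII patterns and the sample files are constructed here for the demonstration and stand in for what a real DLP rule set would match.

```python
import os
import re
import stat
import tempfile
from datetime import datetime, timezone

# Constructed, illustrative PII detectors (a real DLP engine has far richer rules).
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"\b0\d{4}\s?\d{6}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b"),
}

def classify(text):
    """Return the set of PII types present in a text blob."""
    return {name for name, rx in PII_PATTERNS.items() if rx.search(text)}

def inventory(root):
    """Walk a tree and record, for each file holding PII, the attributes step 1
    lists: data type, location, owning uid (attribution), last access, permissions."""
    records = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    kinds = classify(fh.read())
            except OSError:
                continue  # unreadable file: skip, a real tool would log it
            if not kinds:
                continue
            st = os.stat(path)
            records.append({
                "path": path,
                "types": sorted(kinds),
                "owner_uid": st.st_uid,
                "last_access": datetime.fromtimestamp(st.st_atime, timezone.utc).isoformat(),
                "mode": stat.filemode(st.st_mode),
                "world_readable": bool(st.st_mode & stat.S_IROTH),  # over-permissive PII
            })
    return records

def demo():
    """Build a constructed sample tree in a temp dir and inventory it (runs offline)."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample data, not real people
        "hr/payroll.csv": "name,email,iban\nA. Person,a.person@example.com,GB82 WEST 1234 5698 7654 32\n",
        "notes/todo.txt": "call supplier re: invoice 4401\n",
        "sales/leads.txt": "Lead: 01632 960123\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(full, 0o600 if "payroll" in rel else 0o644)  # one locked down, one not
    return inventory(root)
```

Running demo() flags payroll.csv (email and IBAN) and leads.txt (phone number) while ignoring todo.txt, and the world_readable field shows which PII file is readable by any local user.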
GDPR compliance is a continuous journey
Ultimately, the purpose of a corporate compliance program is to protect your organisation. By making sure all the functional areas of your company are working together and maintaining standards, you can help prevent major disasters and failures, since an effective program integrates all compliance efforts.
By following a blueprint strategy such as this one, business leaders can rest easy knowing that a plan has been put in place where employees can build upon a foundation of mutual understanding and have the confidence to work together through any compliance issues as they arise. It provides corporations with a comprehensive, centrally managed solution that supports their strategy of effective security – wherever their users are – to help companies reach compliance before criminals reach them.
Written by Mike Smart, Security Strategist, EMEA at Forcepoint