European Union’s General Data Protection Regulation (GDPR):
Time is running out for firms to comply with the European Union’s General Data Protection Regulation (GDPR), Europe’s most significant update to data privacy regulation in decades. Any company that handles the personal data of European citizens and that is not in compliance by May 25, 2018, could face lawsuits or stiff penalties, including massive fines.
The GDPR isn’t just any regulation. It’s a regulation with teeth. Controllers or processors found in violation of the GDPR could be fined up to 20M euros or 4% of their worldwide revenue.
Achieving GDPR compliance can be a significant endeavor fraught with challenges. Organizations that are compliant with the Payment Card Industry Data Security Standard (PCI DSS), NIST 800-53, or ISO 27001 are on the right path to adherence. But they must still address the protection, auditing, and reporting of personal data, as well as changes in users, data storage, and user rights.
Challenge: Data Discovery:
A critical first step in the GDPR readiness journey is to establish a complete, accurate picture of where personal data resides. This is the only way to ensure that all personal data is secured. However, given the complexity of today’s IT ecosystems, this is no simple task. To establish this visibility, organizations need to assess:
– Who has access to the data
– How access and other activities will be tracked and assigned to specific individuals
– The different locations and environments in which data resides
– The different data types that must be secure
– Where data is transmitted
You must have complete answers to these questions in order to establish sound practices for addressing the foundational requirements of the GDPR.
Challenge: Controlling Access to Personal Data and Systems:
Article 5 of the GDPR specifies that “personal data must be processed in a manner that ensures appropriate security of the personal data, including preventing unauthorized access to or use of personal data and the equipment used for the processing.” Once you know where personal data is stored, you must restrict access to only those who have a legitimate reason to process or use it. Strong authentication and access control management solutions are vital to ensure that access to personal data is controlled and minimized.
Challenge: Protecting Personal Data from Data Breaches:
Encryption and key management are increasingly seen as a security imperative, and the GDPR will only serve to intensify this view. Encryption and key management therefore play a vital role in complying with the GDPR, as they can mitigate the need for breach notification. If a breach occurs when data is encrypted and the keys are protected, an attacker will be unable to decrypt the data and access the information.
Challenge: Data Sovereignty:
As organizations seek to prepare for the GDPR, they must consider the geographic realities of this regulation (Article 44), whether they’re running workloads in private, public, or hybrid cloud environments. Even when leveraging a cloud service provider, your data resides in a data center, and that data center resides in a physical location.
Within a matter of months, companies must have the people, policies, and technologies in place to comply with the GDPR’s 99 Articles.