GDPR: Reining In Your Data

JOE CISO on December 13, 2017

Ready or not, here it comes.

The clock is ticking. As of this writing, less than six months remain until the EU replaces the Data Protection Directive with the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018, in what may be the single most important development in data protection in recent history.

The prospect of becoming GDPR compliant has a whole lot of organizations shaking in their boots, but the new framework is actually a very positive change. The point of the regulation is to compel businesses to adopt a Privacy by Design approach and to create a unified approach to data collection across the EU. It puts far more accountability on data controllers and processors (i.e., you and your organization) and prevents idiosyncratic decisions being made about that data. Here are just some of the rights granted to individuals in the EU (the "data subjects") that give them heightened control over their personal data:

  • The right to object to data collection and processing

  • The right to be informed of how their data is used

  • The right to access their data (a response is due within one month of the request)

  • The right to erasure (the "right to be forgotten")

  • The right to restrict processing of their data

And the regulation applies to any organization that offers goods or services to, or monitors the behaviour of, people in the EU, whether or not it has a presence there. This means that regardless of whether you're overlooking a cornfield in middle America or sitting in a shiny high rise in Beijing, failure to comply can cost your company a fine of up to 10 million euros or 2 percent of worldwide annual turnover for lesser infringements, and up to 20 million euros or 4 percent for the most serious ones, whichever amount is higher in each case.


GDPR Complications in the Modern Workplace

Becoming GDPR compliant is clearly a good idea (actually, the only idea, if you want to do business in the EU), but it doesn't always seem compatible with the realities of the modern workplace.

One of the most anxiety-inducing rights, and one that doesn't align with the way we work today, is Article 17, the right to erasure (the "right to be forgotten"). In plain speak, it means that individuals can request that their personal data be deleted without undue delay from every place it is stored, unless one of the exceptions in Article 17(3) applies, such as a legal obligation to retain the data.

Now think for a moment about all the places your business may have personal user data stored — in databases, by third party vendors, in backups, in archives and probably on a number of employee devices, as well. Once an individual requests to be forgotten, you have to track down all traces of that data and erase it entirely.

Identifying the extent of your data sprawl can be a sizeable task; the typical business uses at least 24 different systems to collect, store and manage personal data. The reality is that, until now, user data could be stored anywhere and everywhere. In the past this was simply an inevitable part of doing business. Under GDPR, data you cannot locate is data you cannot protect, disclose or erase on request, and that puts you out of compliance.


Centralizing Your Data

Starting to feel a bit nervous? Don’t throw in the GDPR towel just yet.

It may feel like getting complete control of your data is an impossibility, but it doesn't have to be that way. An initial key step toward compliance is to begin moving applications and data from vulnerable, employee-managed endpoints to centralized cloud or server-based systems that are controlled and maintained by IT and security personnel. This makes it easier to track sensitive data and decreases the likelihood that a single user can (accidentally or maliciously) expose that data to unauthorized third parties. At the same time, however, it's important to choose the right tools and keep users involved in the process at every step of the way in order to minimize the impact on employee efficiency and productivity.

  • Offer user-friendly, IT-approved solutions for accessing and working with corporate data and applications remotely and/or from personal devices. Secure remote access solutions enable you to keep sensitive data off of user endpoints, where it is exposed to risk, while allowing for granular access control through group and user-based policies.
     
  • Encrypt all remote sessions (for example with TLS) so that data is protected in motion, and encrypt the centralized stores so that it is protected at rest. In this way, employees and authorized third parties can access the information they need without increasing the risk of data leakage.
     
  • Keep software and apps secure and malware-resistant by enabling IT staff to centrally manage routine security-critical tasks, such as configuring, patching and backing up hosted desktops and applications.
     
  • Monitor user activity for unusual or suspicious behaviour and, when in doubt, terminate the session or account. Managed access solutions should provide a unified management console and advanced reporting features that give IT better visibility into what is being accessed, when and by whom, making it far more difficult for unauthorized individuals to gain access to sensitive personal data.
     
  • To further strengthen data protection and mitigate the risk of breaches, as required by the GDPR, secure employee web browsing with a layered defense that includes advanced remote browser isolation (RBI) technology. By protecting organizational networks and endpoints against browser-based attacks such as ransomware and other malware, you can significantly reduce the risk of data loss and leakage.
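As an added example (not code from the original post or from Ericom), the following Python script shows what the monitoring bullet above looks like once the access logs are in one place: events from a centralized remote-access gateway are checked against group-based policies ("who may touch which category of personal data") and a per-session volume threshold, and the sessions that should be terminated and reviewed are returned. The log format, users, groups, data categories and the threshold of 50 records are all constructed for illustration; in practice the group membership would come from your directory and the log from your gateway.

```python
"""
Added example (not from the original post or from Ericom): evaluate
gateway access-log events against group-based data-access policies and
a simple per-session volume threshold, and return the sessions to
terminate and review. All users, groups, categories, thresholds and log
lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed group policy: which personal-data categories each group may access.
GROUP_POLICY = {
    "hr":      {"employee_records", "payroll"},
    "support": {"customer_contacts"},
    "finance": {"payroll", "invoices"},
}

# Constructed user -> groups directory (in practice: IdP / AD group membership).
USER_GROUPS = {
    "alice": {"hr"},
    "bob":   {"support"},
    "carol": {"finance"},
}

# Records per session above which access looks like a bulk export (assumed value).
BULK_THRESHOLD = 50

# Constructed gateway log: timestamp, user, session, data category, record count.
SAMPLE_LOG = """\
2017-12-13T09:02:11Z user=alice session=s1 category=employee_records records=3
2017-12-13T09:05:40Z user=bob session=s2 category=customer_contacts records=12
2017-12-13T09:06:02Z user=bob session=s2 category=payroll records=1
2017-12-13T09:10:15Z user=carol session=s3 category=invoices records=40
2017-12-13T09:11:50Z user=carol session=s3 category=invoices records=30
2017-12-13T09:12:00Z user=dave session=s4 category=customer_contacts records=2
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' gateway log line into a dict."""
    ts, *fields = line.split()
    event = {"timestamp": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["records"] = int(event["records"])
    return event


def is_authorized(user, category):
    """True if at least one of the user's groups is allowed the data category.
    Unknown users have no groups and are therefore never authorized."""
    groups = USER_GROUPS.get(user, set())
    return any(category in GROUP_POLICY.get(g, set()) for g in groups)


def analyze(log_text):
    """Return findings keyed by session ID: policy violations and bulk access."""
    findings = defaultdict(list)
    records_per_session = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        sid = ev["session"]
        records_per_session[sid] += ev["records"]
        if not is_authorized(ev["user"], ev["category"]):
            findings[sid].append(
                f"{ev['user']} accessed {ev['category']} without group authorization"
            )
    # Volume check runs over the whole session, not per event, so several
    # small reads that add up to an export are still caught.
    for sid, total in records_per_session.items():
        if total > BULK_THRESHOLD:
            findings[sid].append(
                f"{total} records in one session exceeds threshold of {BULK_THRESHOLD}"
            )
    return dict(findings)


def sessions_to_terminate(log_text):
    """Sorted list of session IDs with at least one finding."""
    return sorted(analyze(log_text))


if __name__ == "__main__":
    for sid, reasons in analyze(SAMPLE_LOG).items():
        print(f"{sid}: " + "; ".join(reasons))
```

On the constructed log, session s2 is flagged because bob's group (support) has no right to payroll data, s3 because carol's two invoice reads add up to 70 records, and s4 because dave is not in the directory at all; alice's session s1 passes. The same event record (who, what category, when, how many) is what the reporting console should retain, since it is also the evidence you need to answer an access request or to show a supervisory authority what happened after a breach.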


Final Notes

When it comes to reaching compliance, this is just a small sample of the issues you’ll need to consider. In fact, if you haven't already familiarized yourself with the steps required to reach compliance, we highly suggest you get up to speed now. With the clock ticking, every moment counts. But that doesn't mean it’s a hopeless situation. Setting up the right solutions to centralize and protect your data makes the task of maintaining compliance far easier to achieve.


Joe CISO

Joe CISO is the information security professional responsible for protecting the organization from all cyber threats, including ransomware, drive-by downloads and zero-day exploits. | Ericom Software
