Many enterprises have already implemented processes and procedures designed to prove compliance with EU General Data Protection Regulation (GDPR) requirements that go into full effect in spring 2018. What organizations might be underestimating, though, is how different those requirements are from past compliance initiatives, and that meeting past standards is not a reliable gauge for determining GDPR compliance.
GDPR is Different
GDPR alters the perspective of compliance by requiring data protection from a consumer standpoint as opposed to a business one. That means supporting data portability and the right to be “forgotten” to a degree not mandated by past legislation. And unlike previous initiatives, the GDPR has real teeth. Financial penalties for data breaches involving EU citizen PII can range up to 4% of an organization’s global annual revenue. That means gaps in coverage can have critical consequences for an organization’s bottom line.
Meeting GDPR Compliance Requirements
There are several things organizations need to focus on to make sure they are ready for the level of detail that GDPR compliance requires. Organizations should start by conducting a thorough risk analysis and mapping of data and owners across their entire infrastructure. They need to know who their users are, and where their at-risk data resides, whether that’s in a database or a spreadsheet, on a NAS device or in the cloud. Organizations that fail to take this first step of actively assigning accountability to data are leaving themselves open to GDPR penalties.
Once data and owners are mapped, organizations need to strengthen the controls that determine who has access to specific data, and who doesn’t. Removing unwanted and unneeded access to systems, applications, and data is imperative. GDPR requirements mean users should have “least privilege” access to only the minimum resources they need, and access to sensitive data should be highly restricted. These privileges will need to be checked on an ongoing and repeatable basis.
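The two steps above (map data to accountable owners, then strip access down to what each role needs and re-check it on a schedule) are easy to describe and easy to get wrong in practice. The following is an added illustration, not SailPoint code and not taken from this post: it runs a least-privilege access review over a small, constructed inventory of data stores, owners, roles and entitlements, and reports the three things an auditor asks for: sensitive stores nobody owns, users holding access beyond their role (including a leaver whose account was never de-provisioned), and a "who has access to what" view for the sensitive stores. All store names, roles and users are made up for the example.

```python
"""Added illustration: a least-privilege access review over a constructed
inventory of data stores, owners and entitlements (not SailPoint's code)."""

from typing import Dict, List, Set

SENSITIVE = {"pii"}  # classifications this toy model treats as GDPR-relevant

# Constructed data map: store -> classification and accountable owner (None = nobody assigned)
DATA_STORES: Dict[str, dict] = {
    "hr_db":         {"classification": "pii",      "owner": "hr-lead"},
    "crm_export":    {"classification": "pii",      "owner": None},      # an orphaned spreadsheet
    "marketing_nas": {"classification": "internal", "owner": "mkt-lead"},
    "public_site":   {"classification": "public",   "owner": "web-lead"},
}

# Constructed role model: the minimum stores each role needs to do its job
ROLE_NEEDS: Dict[str, Set[str]] = {
    "hr_analyst": {"hr_db"},
    "marketer":   {"marketing_nas", "public_site"},
    "webdev":     {"public_site"},
}

# Constructed entitlement snapshot, as an identity system would export it
USERS: Dict[str, dict] = {
    "alice": {"role": "hr_analyst", "access": {"hr_db"}},
    "bob":   {"role": "marketer",   "access": {"marketing_nas", "public_site", "crm_export"}},
    "carol": {"role": "webdev",     "access": {"public_site", "hr_db"}},
    "dave":  {"role": None,         "access": {"hr_db"}},  # leaver never de-provisioned
}


def unowned_sensitive_stores(stores: Dict[str, dict]) -> List[str]:
    """Sensitive stores with no accountable owner: the mapping step is incomplete."""
    return sorted(name for name, meta in stores.items()
                  if meta["classification"] in SENSITIVE and meta["owner"] is None)


def excess_access(users: Dict[str, dict],
                  role_needs: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per user, the stores granted beyond what the role needs (everything, if no role)."""
    findings: Dict[str, Set[str]] = {}
    for user, rec in users.items():
        needed = role_needs.get(rec["role"], set())
        extra = rec["access"] - needed
        if extra:
            findings[user] = extra
    return findings


def who_has_access(users: Dict[str, dict], stores: Dict[str, dict]) -> Dict[str, List[str]]:
    """'Who has access to what', restricted to the sensitive stores."""
    report: Dict[str, List[str]] = {
        name: [] for name, meta in stores.items() if meta["classification"] in SENSITIVE
    }
    for user, rec in users.items():
        for store in rec["access"]:
            if store in report:
                report[store].append(user)
    return {store: sorted(names) for store, names in report.items()}


def review(users: Dict[str, dict], stores: Dict[str, dict],
           role_needs: Dict[str, Set[str]]) -> List[dict]:
    """Flat list of findings an access-certification campaign would route to data owners."""
    findings: List[dict] = []
    for store in unowned_sensitive_stores(stores):
        findings.append({"type": "unowned_store", "store": store, "severity": "high"})
    for user, extra in excess_access(users, role_needs).items():
        for store in sorted(extra):
            sev = "high" if stores[store]["classification"] in SENSITIVE else "medium"
            findings.append({"type": "excess_access", "user": user, "store": store,
                             "owner": stores[store]["owner"], "severity": sev})
    return findings


if __name__ == "__main__":
    for finding in review(USERS, DATA_STORES, ROLE_NEEDS):
        print(finding)
```

Run as a script it prints four findings: the orphaned crm_export spreadsheet, and excess access for bob, carol and dave, all rated high because every one touches a PII store. Re-running the same review on each fresh entitlement export is the "ongoing and repeatable" check the text calls for; the point of returning structured findings rather than printing them is that the output can be handed straight to the owner recorded in the data map.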
Accountability is Key
GDPR compliance also means a higher level of accountability. Enterprises have to be prepared to provide evidence of compliance upon request, and document all their data processing policies, procedures and operations accordingly. They will need to be able to answer fundamental questions like where all their sensitive data resides, and who has access to it. And GDPR compliance means notifications within 72 hours for high-risk individuals whose data was leaked. Response times like that simply weren’t a part of earlier initiatives, and meeting them demands automation, especially for larger companies, whose potential risk and penalties increase with their size; it is vital when responses need to occur in real time. Automated provisioning and de-provisioning of access allows organizations to tighten security controls while also enabling business efficiencies.
Identity Governance Provides Necessary Visibility
One certain way to meet GDPR compliance is by placing identity governance at the core of any security strategy. SailPoint powers GDPR compliance with Identity Management and Data Access Governance, enabling enterprise organizations to confidently assess risk, strengthen controls, and automate detection and audit processes. Identity governance lets enterprises design protection into the development of business processes and systems alike. It provides the necessary controls and procedures to keep data safe and available only when needed. And pairing an identity governance platform with data access governance capabilities gives organizations full visibility into “who has access to what”, and insight into how that access is being used. It also gives enterprises the means not only to meet GDPR compliance and other regulatory requirements, but also to realize an overall improved security posture.
Read our solution brief to learn more about meeting the challenges of GDPR compliance.