The European Union’s General Data Protection Regulation (GDPR) is a historic change to consumer data protection and privacy. The goal of GDPR is simple: to enhance EU citizens’ control over the data companies hold about them. While the goal is simple, achieving compliance isn’t so easy for most enterprises.
Following four years of deliberation, GDPR was adopted in April 2016 and applies from May 25, 2018. According to a study conducted by Crowd Research Partners, however, 60% of companies are unlikely to be compliant by that deadline.
While some organizations have taken steps to implement the necessary processes and procedures designed to attain, maintain and prove compliance with GDPR, many organizations underestimate the task and what it takes to maintain compliance. This includes a comprehensive review of who has access to what data and where regulated data resides, along with the ability to conduct required security audits and implement continuous controls.
The regulation protects the personal data of individuals in the EU regardless of their citizenship, and it applies to any organization, wherever it is based, that is established in the EU, offers goods or services to people in the EU, or monitors their behaviour (Article 3). The effect is global. Organizations will need to make material changes to how and where they store customer data and, more importantly, to how they grant access to that data to employees, contractors and business partners.
While many industry and government regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and data-breach disclosure laws, aim to protect a consumer's personally identifiable information (PII), GDPR goes much further. The regulation was designed to harmonize data privacy laws across Europe, to protect and empower the privacy of everyone in the EU, and to reshape the way organizations operating in the EU approach data privacy.
It gives individuals rights to access and control their data and to govern how it is processed, used, erased and transferred. Mandates in the GDPR include:
Financial penalties for the most serious infringements, including breaches of EU residents' personal data, can run up to €20 million or four percent of an organization's global annual turnover, whichever is higher. That means gaps in GDPR coverage and security breaches can have critical consequences for an organization's bottom line. Be prepared. Download SailPoint's GDPR readiness eBook or get the solution brief that offers a step-by-step guide for GDPR compliance.
GDPR requires organizations to implement appropriate technical and organizational measures to protect personal data (Article 32) and to build data protection in by design and by default (Article 25). In practice that means least-privilege access to EU residents' personal data and the ability to detect and remediate violations of that policy promptly. A controller now has a maximum of 72 hours after becoming aware of a personal data breach to notify the supervisory authority (Article 33), and must notify the affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms (Article 34). A data processor must notify the controller without undue delay after becoming aware of a personal data breach. Under these rules, being able to identify and close enterprise security gaps quickly is essential.
The complexities associated with enterprise identity, GDPR compliance and data protection means the most effective way forward is to automate as many identity and access management tools and security audit processes as is reasonably possible. Automation is vital when processes must be repeated regularly and responses need to occur in real time.
Automated provisioning and de-provisioning of access is one of the only ways organizations can truly tighten security controls, while also enabling business efficiencies. Download the solution brief below to learn more about our holistic approach that is focused as much on process and planning as technology.
There are several steps organizations need to take to ensure they are GDPR compliant. The first and most vital is to conduct a comprehensive security audit and risk assessment and to map data to data owners throughout the environment. Successful GDPR compliance requires every organization to know who its users are, where regulated and sensitive data reside, and how that data is stored and processed.
Once data and owners are captured, organizations need to strengthen the controls that determine who has access to specific data and who doesn't. Data access needs to follow "least privilege": each user gets only the minimum resources required, and access to sensitive data is tightly restricted. These privileges need to be reviewed regularly, and any exception to the baseline should be approved by the data owner and time-limited.
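The review step above is easy to describe and easy to let slip. The following Python is an added example, not code from the page or from SailPoint: it takes a constructed snapshot of identities (user, job role, HR status, actual entitlements), a hypothetical per-role baseline of minimum access, and a table of owner-approved, time-limited exceptions, and emits findings for orphaned accounts, entitlements beyond the baseline, expired exceptions and identities with no mapped role (such as service accounts). All role names, entitlement names, users and dates are invented for illustration.

```python
"""Least-privilege access review over a constructed identity snapshot.

Added example (not part of the original page). All roles, entitlement
names, users and dates below are hypothetical sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str         # orphaned_access | excess_entitlement | expired_exception | unmapped_identity
    entitlement: str  # "*" when the whole account is the problem
    severity: str     # "high" if the entitlement reaches customer PII in bulk, else "medium"


# Hypothetical role baseline: the minimum entitlements each job needs.
ROLE_BASELINE = {
    "support_agent": {"crm:read"},
    "marketing_analyst": {"crm:read", "analytics:read"},
    "dba": {"crm:read", "crm:write", "crm:export"},
}

# Entitlements that touch customer PII in bulk; unjustified grants are high severity.
SENSITIVE = {"crm:write", "crm:export"}

# Constructed identity snapshot (as it might be pulled from HR + application exports).
IDENTITIES = [
    {"user": "alice", "role": "support_agent", "status": "active",
     "entitlements": {"crm:read", "analytics:read"}},
    {"user": "bob", "role": "support_agent", "status": "active",
     "entitlements": {"crm:read", "crm:export"}},
    {"user": "carol", "role": "marketing_analyst", "status": "terminated",
     "entitlements": {"crm:read", "analytics:read"}},
    {"user": "dave", "role": "dba", "status": "active",
     "entitlements": {"crm:read", "crm:write", "crm:export"}},
    {"user": "svc-etl", "role": None, "status": "active",
     "entitlements": {"crm:export"}},
]

# Constructed owner-approved exceptions keyed by (user, entitlement); each must expire.
EXCEPTIONS = {
    ("bob", "crm:export"): {"approved_by": "crm-owner", "expires": date(2018, 3, 31)},
    ("svc-etl", "crm:export"): {"approved_by": "crm-owner", "expires": date(2018, 12, 31)},
}


def review_access(identities, exceptions, role_baseline=ROLE_BASELINE,
                  sensitive=SENSITIVE, today=date(2018, 5, 25)):
    """Return one Finding per least-privilege violation in the snapshot."""
    findings = []
    for ident in identities:
        user = ident["user"]
        # Anyone not active in HR should hold no access at all.
        if ident["status"] != "active":
            if ident["entitlements"]:
                findings.append(Finding(user, "orphaned_access", "*", "high"))
            continue
        baseline = role_baseline.get(ident["role"])
        if baseline is None:
            # No role to compare against: every entitlement needs an explicit exception.
            findings.append(Finding(user, "unmapped_identity", "*", "medium"))
            baseline = set()
        for ent in sorted(ident["entitlements"] - baseline):
            severity = "high" if ent in sensitive else "medium"
            exc = exceptions.get((user, ent))
            if exc is None:
                findings.append(Finding(user, "excess_entitlement", ent, severity))
            elif exc["expires"] < today:
                findings.append(Finding(user, "expired_exception", ent, severity))
            # A still-valid, owner-approved exception is not reported.
    return findings


if __name__ == "__main__":
    for f in review_access(IDENTITIES, EXCEPTIONS):
        print(f"{f.severity:6} {f.kind:18} {f.user:8} {f.entitlement}")
```

Run as a scheduled job against fresh HR and application exports, the output is the worklist for the access certification: orphaned accounts are de-provisioned, excess entitlements are either revoked or converted into a time-limited exception signed off by the data owner, and unmapped identities get an owner and a role. The key design choice is that exceptions expire, so a review that was skipped shows up as a finding rather than silently extending access.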
At first, you may feel overwhelmed by the requirements of GDPR, especially considering the financial ramifications of non-compliance. However, placing identity governance at the core of your security strategy to protect access to customer data can go a long way towards mitigating the risk of a data breach and the penalties that may be incurred.
The most cost-effective way to meet and maintain GDPR compliance is to make identity governance the focus of the security and compliance strategy. Specifically, identity governance tools enable organizations to confidently assess their risk, strengthen their controls, close enterprise vulnerabilities, and automate their detection and audit processes. By ensuring that only those who should have access to certain data can actually access it, identity management increases the security of applications and data.
For GDPR, there are a number of risks enterprises need to assess for successful compliance:
By assessing risks with identity governance at the forefront, an organization can create a roadmap to prioritize and remediate the most pressing regulatory gaps, and thus effectively control and secure the organization’s data.
We make it possible for you to see and control access to all apps and data for all users, including non-human ones like bots.
We’d like to talk about your business challenges and show how our identity platform can address them.