With European Union General Data Protection Regulation (EU GDPR) set to take effect on May 25, 2018, the proper handling of personal data is more critical than ever. Last April, my colleague, Mark Wilson, explained exactly how the new regulations will impact US and multi-national companies that process personal data of EU citizens. Among the highlights are breach notification within 72 hours and astronomical fines for non-compliance.
Here are some strategies savvy organizations are implementing to detect and prevent the sort of breaches that can cost up to 4% of gross revenue under GDPR.
Automate Internal Policy
Most organizations have internal policies that govern everything from file retention to offboarding procedures. Despite good intentions, these policies are often not followed properly and data is left unnecessarily exposed to the wrong people. Automation greatly reduces your attack surface by eliminating the possibility of human error.
For example, you can set your data governance platform to monitor the HR system (Workday, PeopleSoft, etc.) for “terminated” employees and automatically remove the corresponding accounts from any security group that grants access to GDPR-regulated content or files. You should also configure it to disable those accounts or move them to different organizational units (OUs) as internal policy requires.
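To make the offboarding rule concrete, here is an added example (not code from this post or from any STEALTHbits product) that reconciles an HR export against a directory snapshot and emits the actions the policy requires. The group names, OU paths, HR statuses and accounts are constructed; a real deployment would replace the in-memory snapshot with calls to the directory and the HR system's API. The one design choice worth noting: an account that sits in a regulated group but has no HR record at all (a service account, say) is flagged for a person rather than changed automatically, because the HR feed cannot vouch for it either way.

```python
from __future__ import annotations

from dataclasses import dataclass

# Security groups that grant access to GDPR-regulated content (assumed names).
REGULATED_GROUPS = {"GDPR-EU-Customer-Data", "GDPR-HR-Records"}
# Where internal policy says disabled accounts live (assumed OU).
DISABLED_OU = "OU=Disabled,DC=example,DC=com"


@dataclass
class Account:
    sam: str
    employee_id: str | None   # None for service accounts with no HR record
    groups: set[str]
    ou: str
    enabled: bool = True


def reconcile(hr_feed: dict[str, str], directory: dict[str, Account]) -> list[tuple[str, str, str]]:
    """Compare the HR export (employee_id -> status) with the directory and
    return the (account, action, detail) tuples the offboarding policy requires.

    Only accounts whose HR record reads 'terminated' are changed. An account in
    a regulated group with no HR record at all is flagged for review, never
    touched automatically.
    """
    actions: list[tuple[str, str, str]] = []
    for sam, acct in sorted(directory.items()):
        regulated = sorted(acct.groups & REGULATED_GROUPS)
        if acct.employee_id is None or acct.employee_id not in hr_feed:
            if regulated:
                actions.append((sam, "review", f"no HR record; member of {', '.join(regulated)}"))
            continue
        if hr_feed[acct.employee_id].lower() != "terminated":
            continue
        for group in regulated:
            actions.append((sam, "remove_group", group))
        if acct.enabled:
            actions.append((sam, "disable", ""))
        if acct.ou != DISABLED_OU:
            actions.append((sam, "move_ou", DISABLED_OU))
    return actions


def apply_actions(actions: list[tuple[str, str, str]], directory: dict[str, Account]) -> list[str]:
    """Apply the actions to the directory snapshot and return an audit trail."""
    audit = []
    for sam, action, detail in actions:
        acct = directory[sam]
        if action == "remove_group":
            acct.groups.discard(detail)
        elif action == "disable":
            acct.enabled = False
        elif action == "move_ou":
            acct.ou = detail
        # "review" items change nothing; they are surfaced to a human
        audit.append(f"{sam} {action} {detail}".rstrip())
    return audit


def sample_directory() -> dict[str, Account]:
    """Constructed directory snapshot (a fresh copy on every call)."""
    users_ou = "OU=Users,DC=example,DC=com"
    return {
        "alice": Account("alice", "E100", {"GDPR-EU-Customer-Data", "Staff"}, users_ou),
        "bob": Account("bob", "E101", {"GDPR-EU-Customer-Data", "GDPR-HR-Records", "Staff"}, users_ou),
        "carol": Account("carol", "E102", {"Staff"}, DISABLED_OU, enabled=False),
        "svc-backup": Account("svc-backup", None, {"GDPR-HR-Records"}, "OU=Service,DC=example,DC=com"),
    }


# Constructed HR export: employee_id -> status (case varies between HR systems).
HR_FEED = {"E100": "active", "E101": "Terminated", "E102": "terminated"}

if __name__ == "__main__":
    directory = sample_directory()
    for line in apply_actions(reconcile(HR_FEED, directory), directory):
        print(line)
```

Running it prints the audit trail for bob (two group removals, a disable and an OU move), nothing for carol (already fully offboarded, so the run is idempotent) and a review item for the service account.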
Additionally, it’s a good practice to automatically archive or delete files based on retention schedules and trigger events. EU citizens now have a “right to erasure” or “right to be forgotten” and keeping up with such requests can be a resource-intensive process. Tie an automatic staging, review, and deletion workflow to these requests.
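The staging, review and deletion workflow described above, as an added example (not the post's own code and not a vendor implementation). Both trigger events are modelled: a retention schedule that expires records by category, and a right-to-erasure request for one data subject. The retention periods, file paths, subject and request identifiers are constructed assumptions; the point of the structure is that nothing is deleted until a named reviewer approves the staged record, and every state change lands in the audit log.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention schedule per data category in days (assumed policy values).
RETENTION_DAYS = {"invoice": 365 * 7, "marketing": 365 * 2, "support-ticket": 365 * 3}
DEMO_DATE = date(2018, 5, 25)   # the "today" used by the demo below


@dataclass
class Record:
    path: str
    category: str
    subject_id: str           # the data subject the record relates to
    last_modified: date
    state: str = "active"     # active -> staged -> deleted (or back to active if rejected)
    reason: str = ""


@dataclass
class Workflow:
    records: list[Record]
    audit: list[str] = field(default_factory=list)

    def stage_expired(self, today: date) -> list[str]:
        """Trigger: retention schedule. Stage active records past their retention period."""
        staged = []
        for r in self.records:
            limit = RETENTION_DAYS.get(r.category)
            if r.state == "active" and limit is not None \
                    and today - r.last_modified > timedelta(days=limit):
                r.state, r.reason = "staged", "retention-expired"
                staged.append(r.path)
                self.audit.append(f"{today} staged {r.path} ({r.reason})")
        return staged

    def stage_erasure(self, subject_id: str, request_id: str, today: date) -> list[str]:
        """Trigger: right-to-erasure request. Stage every active record for one subject."""
        staged = []
        for r in self.records:
            if r.state == "active" and r.subject_id == subject_id:
                r.state, r.reason = "staged", f"erasure:{request_id}"
                staged.append(r.path)
                self.audit.append(f"{today} staged {r.path} ({r.reason})")
        return staged

    def review(self, path: str, reviewer: str, approve: bool, today: date) -> str:
        """Human gate: a staged record is deleted only after an explicit approval."""
        r = next(x for x in self.records if x.path == path)
        if r.state != "staged":
            raise ValueError(f"{path} is not staged")
        r.state = "deleted" if approve else "active"
        verb = "approved deletion of" if approve else "rejected deletion of"
        self.audit.append(f"{today} {reviewer} {verb} {path} ({r.reason})")
        if not approve:
            r.reason = ""
        return r.state

    def pending(self) -> list[str]:
        """Paths waiting for review, in inventory order."""
        return [r.path for r in self.records if r.state == "staged"]


def build_sample() -> Workflow:
    """Constructed file inventory used by the demo and the test."""
    return Workflow([
        Record("/share/finance/inv-2009-0042.pdf", "invoice", "S-1", date(2009, 3, 1)),
        Record("/share/marketing/list-2014.csv", "marketing", "S-2", date(2014, 6, 1)),
        Record("/share/support/t-88123.txt", "support-ticket", "S-2", date(2017, 9, 1)),
        Record("/share/finance/inv-2017-1100.pdf", "invoice", "S-3", date(2017, 10, 1)),
    ])


if __name__ == "__main__":
    wf = build_sample()
    print("retention expired:", wf.stage_expired(DEMO_DATE))
    print("erasure request  :", wf.stage_erasure("S-2", "DSAR-0007", DEMO_DATE))
    for p in wf.pending():
        wf.review(p, "dpo", approve=True, today=DEMO_DATE)
    print("\n".join(wf.audit))
```

Note that the erasure request for subject S-2 only stages the support ticket: the marketing list for the same subject was already staged by the retention rule, so it is not queued twice.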
Your newly appointed Data Protection Officer (DPO) has 72 hours to alert the EU’s supervisory authority of any event “likely to result in a risk for the rights and freedoms of the data subject”. That’s much shorter than the 30+ days most companies are accustomed to.
To facilitate record-speed investigations, you need to arm your team with a precise accounting of who has accessed personal information of EU citizens. Schedule access reports and summaries for routine delivery to your DPO.
In addition to keeping an audit trail, it’s also recommended to enable proactive alerting and blocking of suspicious file activity (if you don’t do that already). To improve accuracy, augment the threat models you currently have in place with machine learning capabilities provided by log managers, SIEM, or your data governance software.
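The two previous paragraphs ask for a per-user accounting of who accessed EU personal data and for alerting on suspicious file activity. The added example below (not code from this post or from any STEALTHbits product) runs both over a handful of constructed file-activity log lines: it builds the summary a DPO would receive and applies two simple rules, access to the regulated share by a principal outside the authorized group and bulk access (many distinct regulated files in a short window). The log format, share path, user names, group membership and thresholds are assumptions; the thresholds in particular would be tuned per share from a baseline, which is where the machine-learning features mentioned above come in.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed file-activity log: "<timestamp> <user> <operation> <path>".
LOG = """\
2018-05-20T09:01:10Z alice READ /srv/eu-customers/DE/contract-1001.pdf
2018-05-20T09:02:40Z alice READ /srv/eu-customers/DE/contract-1002.pdf
2018-05-20T09:05:00Z bob READ /srv/public/handbook.pdf
2018-05-20T14:30:00Z alice READ /srv/eu-customers/DE/contract-1003.pdf
2018-05-20T22:10:00Z dave READ /srv/eu-customers/FR/contract-2001.pdf
2018-05-20T22:10:05Z dave READ /srv/eu-customers/FR/contract-2002.pdf
2018-05-20T22:10:09Z dave READ /srv/eu-customers/FR/contract-2003.pdf
2018-05-20T22:10:12Z dave COPY /srv/eu-customers/FR/contract-2004.pdf
2018-05-21T08:00:00Z mallory READ /srv/eu-customers/IT/contract-3001.pdf
this line is malformed and must be skipped, not crash the report
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<op>[A-Z]+) (?P<path>\S+)$")
REGULATED_PREFIX = "/srv/eu-customers/"   # assumed location of EU personal data
AUTHORIZED = {"alice", "dave"}              # assumed members of the regulated-access group
BULK_FILES = 3                              # assumed: this many distinct regulated files ...
BULK_WINDOW = timedelta(minutes=10)         # ... inside this window counts as bulk access


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    op: str
    path: str

    @property
    def regulated(self) -> bool:
        return self.path.startswith(REGULATED_PREFIX)


def parse(log: str) -> list[Event]:
    """Parse log text into time-ordered events; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                            m["user"], m["op"], m["path"]))
    return sorted(events, key=lambda e: e.ts)


def dpo_summary(events: list[Event]) -> dict[str, tuple[int, int]]:
    """Per-user accounting of regulated-file access: (event count, distinct files)."""
    counts: dict[str, int] = defaultdict(int)
    files: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.regulated:
            counts[e.user] += 1
            files[e.user].add(e.path)
    return {u: (counts[u], len(files[u])) for u in sorted(counts)}


def alerts(events: list[Event]) -> list[tuple[str, str, str]]:
    """Rule 1: regulated access by a principal outside AUTHORIZED.
    Rule 2: BULK_FILES distinct regulated files by one user within BULK_WINDOW."""
    found = []
    per_user: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        if not e.regulated:
            continue
        if e.user not in AUTHORIZED:
            found.append(("unauthorized-access", e.user, e.path))
        per_user[e.user].append(e)
    for user, evs in per_user.items():
        window: list[Event] = []
        for e in evs:                          # evs are already time-ordered
            window.append(e)
            while e.ts - window[0].ts > BULK_WINDOW:
                window.pop(0)                  # slide the window forward
            distinct = {w.path for w in window}
            if len(distinct) >= BULK_FILES:
                found.append(("bulk-access", user,
                              f"{len(distinct)} regulated files within {BULK_WINDOW} "
                              f"ending {e.ts:%Y-%m-%dT%H:%M:%SZ}"))
                break                          # one alert per user per run is enough here
    return found


if __name__ == "__main__":
    evs = parse(LOG)
    print("DPO access summary:", dpo_summary(evs))
    for kind, user, detail in alerts(evs):
        print(f"ALERT {kind}: {user} {detail}")
```

On the sample data alice's three reads are spread across the day and do not trip the bulk rule, dave's four reads inside twelve seconds do, and mallory's single read is reported because the account is not in the authorized set, regardless of volume.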
Enabling business users to perform entitlement reviews and access attestations is a core objective of most governance initiatives.
If you don’t already have a mature process in place, you need a quick way to involve the key stakeholders critical to the success of your GDPR strategy. Start with a pragmatic approach. Once your sensitive data discovery or at-rest DLP tool is configured for GDPR, feed relevant results into your entitlement review system to prioritize file-level and folder-level attestation. This will get managers reviewing access to GDPR-regulated content well ahead of May 2018.
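One way to do the prioritization step just described, as an added example rather than code from this post or from any discovery or entitlement-review product: take the discovery tool's per-folder findings and the folder ACLs, score each folder by how much regulated content it holds and how many people can reach it, and hand managers a queue sorted by that score. The discovery output, ACLs, group head-counts, owners and weights are all constructed assumptions. Two choices worth copying: a grant to a broad principal such as Everyone or Domain Users is weighted as if it were hundreds of individual users, and a folder with no regulated findings is left out of the queue entirely so reviewers only see what GDPR actually touches.

```python
from __future__ import annotations

# Principals that effectively mean "everyone" (assumed names).
BROAD_PRINCIPALS = {"Everyone", "Domain Users", "Authenticated Users"}
BROAD_WEIGHT = 500   # assumed: a broad grant counts as this many individual people
# Assumed weights: special-category data (health) outranks national identifiers,
# which outrank plain contact data.
CATEGORY_WEIGHT = {"health": 10, "eu-national-id": 5, "email": 1}
# Constructed head-counts for the groups that appear in the ACLs.
GROUP_SIZES = {"GDPR-EU-Customer-Data": 18, "HR-Medical": 4}

# Constructed discovery output: folder -> {category: records found}.
DISCOVERY = {
    "/srv/eu-customers/DE": {"eu-national-id": 1200, "email": 3400},
    "/srv/eu-customers/FR": {"email": 800},
    "/srv/hr/medical": {"health": 40},
    "/srv/public": {},
}
# Constructed ACLs: folder -> principals with read access.
ACLS = {
    "/srv/eu-customers/DE": {"GDPR-EU-Customer-Data", "Domain Users"},
    "/srv/eu-customers/FR": {"GDPR-EU-Customer-Data"},
    "/srv/hr/medical": {"HR-Medical", "Everyone"},
    "/srv/public": {"Everyone"},
}
# Constructed folder owners; /srv/hr/medical deliberately has none.
OWNERS = {"/srv/eu-customers/DE": "m.schmidt", "/srv/eu-customers/FR": "c.dubois"}


def exposure(principals: set[str], group_sizes: dict[str, int] = GROUP_SIZES) -> int:
    """Approximate number of people who can read the folder."""
    total = 0
    for p in principals:
        if p in BROAD_PRINCIPALS:
            total += BROAD_WEIGHT
        else:
            total += group_sizes.get(p, 1)   # unknown principal: treat as one person
    return total


def sensitivity(findings: dict[str, int]) -> int:
    """Weighted count of regulated records found in the folder."""
    return sum(CATEGORY_WEIGHT.get(category, 1) * n for category, n in findings.items())


def review_queue(discovery: dict[str, dict[str, int]] = DISCOVERY,
                 acls: dict[str, set[str]] = ACLS,
                 owners: dict[str, str] = OWNERS) -> list[dict]:
    """Folders needing attestation, highest risk first, with the owner to assign."""
    queue = []
    for folder, findings in discovery.items():
        sens = sensitivity(findings)
        if sens == 0:
            continue   # no regulated content: no GDPR attestation needed for this folder
        principals = acls.get(folder, set())
        queue.append({
            "folder": folder,
            "score": sens * exposure(principals),
            "owner": owners.get(folder, "UNASSIGNED"),
            "broad_access": bool(principals & BROAD_PRINCIPALS),
        })
    return sorted(queue, key=lambda item: item["score"], reverse=True)


if __name__ == "__main__":
    for item in review_queue():
        flag = " (broad access!)" if item["broad_access"] else ""
        print(f"{item['score']:>10}  {item['folder']}  -> {item['owner']}{flag}")
```

The output puts the German customer share first (large volume and readable by Domain Users), the medical folder second (small but special-category and open to Everyone, with no owner on record, which is itself a finding), and the French share last.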
What else are you adding to your data governance process in preparation for GDPR? Share your ideas in the comment section below.
Adam Rosen serves as Vice President of Data Access Governance at STEALTHbits. An expert on managing and securing unstructured data, Adam has helped organizations of all sizes implement controls and policies to meet security, compliance, and efficiency objectives. In his current capacity at STEALTHbits, he manages the industry-leading StealthAUDIT suite that enterprises around the world depend on to defend their most critical information.