Let’s break down some of the challenges in the new GDPR and how to address them:
| GDPR Article | What it means | How to address it |
| --- | --- | --- |
| Article 25: Data protection by design and by default | Build accountability and privacy into how systems and processes are designed, with the protective setting as the default. | Remediate access controls down to least privilege without breaking legitimate access. |
| Article 30: Records of processing activities | Maintain a record of what personal data is processed, for what purpose, who has access to it and how long it is kept. | Create an asset register of files containing personal data; know who has access, who is actually accessing it, and when the data can and should be deleted. |
| Article 17: Right to erasure ("right to be forgotten") | Be able to discover the data belonging to a specific individual and remove it on request. | Find it, flag it, remove it. |
| Article 32: Security of processing | Ensure least-privilege access; make data owners accountable; be able to show that policies and processes are in place and working. | Automate least privilege through periodic entitlement reviews and proactively enforced ethical walls. |
| Article 33: Notification of a personal data breach to the supervisory authority | Detect and alert on breach activity, and have an incident response plan in place: notification is due without undue delay and, where feasible, within 72 hours of becoming aware of the breach. | Detect abnormal data access and policy violations, and alert on them in real time as they happen. |
| Article 35: Data protection impact assessment | Quantify the data protection risk of processing before it starts, particularly where it is likely to be high risk. | Conduct regular, quantified data risk assessments. |
So what should you focus on to meet the EU General Data Protection Regulation?
- Data classification – Know where personal data is stored across your systems, especially in unstructured formats such as documents, presentations and spreadsheets. This is critical both for protecting the data and for following through on requests to correct or erase personal data.
- Metadata – With the GDPR's limits on data retention, you'll need basic information on when each piece of data was collected, why it was collected and what it is used for. Personal data residing in IT systems should be reviewed periodically to decide whether it still needs to be kept.
- Governance – With data protection by design and by default now required by law, companies should focus on data governance basics. For unstructured data, this means understanding who is accessing personal data in the corporate file system, who should be authorized to access it, and limiting file permissions to employees' actual roles, i.e., role-based access control.
- Monitoring – The breach notification requirement places a new burden on data controllers. Under the GDPR, the IT security mantra should be "always be monitoring". You'll need to spot unusual access patterns against files containing personal data and promptly report an exposure to the supervisory authority. Failure to do so can lead to enormous fines (up to 20 million euros or 4% of worldwide annual turnover, whichever is higher), particularly for multinationals with large global revenues.
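The classification, erasure and monitoring points above can be tied together in a small script. The following is an added example written for this page, not Varonis code: it tags constructed sample files that contain personal data with simple regexes, locates the files mentioning one data subject (the "find it, flag it" step of an erasure request), and then flags a user whose activity against flagged files on one day spikes above their own baseline. The file contents, the access events, the pattern set and the spike threshold are all assumptions chosen for illustration.

```python
"""Tag files holding personal data and flag unusual access to them (illustrative example)."""
import re
from collections import defaultdict

# Constructed sample files: path -> text extracted from the document.
SAMPLE_FILES = {
    "finance/q3_forecast.xlsx": "Revenue 1.2M, cost 0.9M, headcount 40",
    "hr/payroll_2023.xlsx": "Anna Berg, anna.berg@example.com, +46 70 123 45 67",
    "hr/candidates.docx": "Contact: j.doe@example.org, phone 0171 555 0123",
    "eng/design.pptx": "Service mesh rollout plan",
}

# Deliberately simple patterns (assumed for the example); a production classifier
# would add dictionaries, validation such as IBAN check digits, and context rules.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"(?:\+\d{1,3}[\s-]?)?(?:\d[\s-]?){9,12}"),
}


def classify(files):
    """Return {path: set of personal-data categories} for files that match a pattern."""
    hits = {}
    for path, text in files.items():
        cats = {name for name, rx in PII_PATTERNS.items() if rx.search(text)}
        if cats:
            hits[path] = cats
    return hits


def locate_subject(files, identifier):
    """Paths mentioning one data subject's identifier, e.g. for an erasure request."""
    return sorted(p for p, t in files.items() if identifier.lower() in t.lower())


# Constructed file-access events: (day, user, path, action).
SAMPLE_EVENTS = [
    (1, "alice", "hr/payroll_2023.xlsx", "read"),
    (1, "bob", "eng/design.pptx", "read"),
    (2, "alice", "hr/candidates.docx", "read"),
    (2, "bob", "finance/q3_forecast.xlsx", "read"),
    (3, "alice", "hr/payroll_2023.xlsx", "read"),
    (3, "bob", "eng/design.pptx", "read"),
    # Day 4: bob, who never touched HR data before, reads and copies every flagged file.
    (4, "bob", "hr/payroll_2023.xlsx", "read"),
    (4, "bob", "hr/candidates.docx", "read"),
    (4, "bob", "hr/payroll_2023.xlsx", "copy"),
    (4, "alice", "hr/payroll_2023.xlsx", "read"),
]


def sensitive_access_per_day(events, classified):
    """{user: {day: number of operations on files tagged as holding personal data}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, user, path, _action in events:
        if path in classified:
            counts[user][day] += 1
    return counts


def flag_unusual_access(events, classified, baseline_days, min_events=2, factor=3):
    """Return [(user, day, count)] for days outside the baseline window on which a
    user's operations against flagged files exceed `factor` times their baseline
    daily average and reach at least `min_events` (so a single read never alerts).
    A user with no baseline activity against flagged files has an average of 0, so
    any burst of `min_events` or more is flagged."""
    counts = sensitive_access_per_day(events, classified)
    alerts = []
    for user, per_day in counts.items():
        baseline_total = sum(c for d, c in per_day.items() if d in baseline_days)
        baseline_avg = baseline_total / len(baseline_days) if baseline_days else 0.0
        for day, count in sorted(per_day.items()):
            if day in baseline_days:
                continue
            if count >= min_events and count > factor * baseline_avg:
                alerts.append((user, day, count))
    return alerts


if __name__ == "__main__":
    tagged = classify(SAMPLE_FILES)
    print("Files holding personal data:", tagged)
    print("Files to review for erasure of anna.berg@example.com:",
          locate_subject(SAMPLE_FILES, "anna.berg@example.com"))
    print("Alerts:", flag_unusual_access(SAMPLE_EVENTS, tagged, baseline_days={1, 2, 3}))
```

In the sample data, alice reads one flagged file per day and stays quiet; bob, whose baseline against flagged files is zero, performs three operations on them on day 4 and is reported. Whether that is a pending breach or a newly assigned HR task is for the incident response process to decide, which is why the alert carries the user, day and count rather than a verdict.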
Varonis helps organizations of all sizes with GDPR projects. Our software suite automates what would otherwise be an extremely arduous and time-consuming task. Take advantage of our free GDPR readiness assessment today to avoid non-compliance issues down the road.