Staying compliant with regulations like GDPR is essential if you want to appease that pesky auditor, but it does not guarantee full protection against data breaches. Once you have worked out how to be compliant, you will then have to turn your attention to other important factors in data protection.
The reason for this is that regulations and compliance alone do not guarantee the shift in attitude that is essential for creating a sustainable data protection scheme. Additionally, regulations may not keep up with technological developments.
In this article I will explain not only how to meet GDPR compliance, but also how to expand your data protection plan to address potential security breaches.
More about GDPR compliance
The European Parliament adopted the regulation on GDPR on 27 April 2016, and it will come into effect from 25 May 2018. Once effective, it will replace the earlier data protection directive (Directive 95/46/EC of 1995). Businesses will be required to protect the personal data and privacy of EU citizens for transactions within EU member states. It also regulates the process for when a company exports the personal data of EU citizens outside Europe.
Beyond GDPR – a more robust data protection strategy
As the GDPR implementation deadline (25 May 2018) nears, many companies are offering solutions and services to help both vendors and clients comply with the new rules. However, as highlighted at the beginning of the article, attaining compliance is not the ultimate objective.
In fact, it would be naïve to assume that the technological and behavioral paradigm that complies with GDPR in its current form will be capable of regulating the markets in the light of future, more advanced technology. Therefore, it would be wise to think beyond GDPR in its current structure and research further into more fundamental aspects of data security, such as data access control and policies, encryption, data masking and auditing.
Steps for an advanced data protection strategy
According to a recent survey conducted by the risk management company Marsh, some companies are using the GDPR compliance process to strengthen their key cyber risk practices, and some have increased or restructured their cyber risk insurance. Here are some of the primary steps that you can take to create an advanced data protection strategy:
1. List the risks
Imagine yourself in the worst possible scenarios. What are the risks you face if customer, enterprise or vendor information is lost or deleted?
2. Ascertain your vulnerability to the risks identified in the previous step
For each risk identified in the previous step, try to determine how vulnerable you are to it. This will help you identify the gaps in your current security plans and order them by criticality.
3. Evaluate the worst-case scenario
What if every risk you listed in the first step comes to fruition at the same time? Imagining such a scenario will help you to determine what the damages would be and whether you could recover from it.
4. Develop risk reduction measures
For each risk identified in the first step, develop a plan to mitigate it. Also, determine how much it will cost, both in time and money, to eliminate the risks.
5. Prioritize and implement your risk mitigation measures
Once you know the risks, how much damage each of them can cause to your organization, and how much it will take to mitigate each one, you can prioritize them. Create a plan to implement these risk mitigation measures.
Use LepideAuditor for GDPR compliance
You may have to audit your entire Information Technology infrastructure to satisfy this regulation. However, native auditing alone can be too time-consuming and complicated. Through LepideAuditor’s single, centralized console you can audit Active Directory, Group Policy Objects, Exchange Server, SharePoint, SQL Server, Windows File Server, NetApp Filer, and Office 365 (Exchange Online and SharePoint Online). It also provides predefined reports that address specific aspects of GDPR compliance.
The following GDPR compliance report categories are available in LepideAuditor:
- SQL Server reports: Server Object Modification Reports, All Database Object Modification Reports, Login Reports, Alert Reports and others.
- SharePoint Server reports: All SharePoint Modification Reports, Document Reports, Document Library Reports, List Reports, Permission Reports, Folder Reports and others.
- Domain Reports: Active Directory Modification Reports, Group Policy Object Modification Reports, Exchange Server Modification Reports, and others.
- File Server Modification Reports
- Exchange Online Modification Reports
- SharePoint Online Modification Reports
The following screenshot shows LepideAuditor for File Server’s pre-defined “All permissions modification” report for GDPR compliance:
Non-compliance with GDPR regulations will attract significant penalties. Depending on the nature of the non-compliance, organizations can be fined up to 20 million euros or four percent of total worldwide annual turnover for the preceding financial year, whichever is higher. LepideAuditor helps you meet GDPR compliance mandates easily and quickly. You can download the free trial of the solution to try it for yourself.