GDPR Subject Access Requests: Why Are Companies Failing to Respond?

Approximately one year ago, the General Data Protection Regulation (GDPR) came into effect, and it has arguably made a significant impact on organizations across all sectors. Since the 25 May 2018, the GDPR has issued a total of €55.96m in fines. To be fair, most of this sum was accumulated by Google. Google was fined €50m by French data regulator for “failing to provide users with transparent and understandable information on its data use policies”. It is important to note that it is still early days for the GDPR, and we may see its scope extended beyond its current boundaries in the not so distant future. When interviewed at the World Economic Forum in Davos, Satya Nadella – the CEO of Microsoft – spoke about how he wanted to see a global implementation of the GDPR.

According to a recent report by Talend, a vast majority of UK organizations are failing to comply with some parts of the GDPR, as almost three quarters do not share a copy of their users’ personal data within a month. Due to the increasing use of cloud-based services, organizations are struggling to locate their sensitive data in a timely manner. It is imperative that organizations know exactly where their sensitive data resides, who is accessing it, sharing it, how and why. Companies must continuously monitor this data to ensure that they are able to catch anomalous events in order to mitigate the chance of a breach and subvert any potential fines. While manually auditing event logs might have been feasible at one point, it is no longer a viable option due to the frequency of events that take place on modern networks. The problem is that many companies have been slow to adopt the right solutions to make this process less painful. At the very least, companies must ensure that they have the tools necessary to:

1. Discover and Classify Personal Data

These days there are number of tools which can automatically discover and classify a wide range of data types, including personally identifiably information (PII), protected health information (PHI) and payment card information (PCI). Some of these solutions provide automatic encryption and/or redaction of sensitive data. By establishing a comprehensive inventory of all the data, they hold, companies will be able to respond to ‘subject access requests’ (SARs) in a fast and efficient manner. Likewise, adopting a classification schema will make it easier for them to assign the appropriate access controls to their data.

2. Provide Visibility Over Changes Made to Protected Assets

Most sophisticated Data Security Platforms provide full visibility into any files and folders that are edited, deleted, moved, shared and so on. They should also provide visibility into files and folders that are currently in use. Given that many organizations are adopting cloud-based services, they will need a solution that can aggregate event logs from multiple sources/platforms, such as AWS, Dropbox, Office 365 and more. As mentioned previously, this needs to be an ongoing process, and any important events must be reported in real-time to the relevant personnel. Additionally, some solutions can detect and respond to events that match a pre-defined threshold condition. For example, if X number of Y events occur of Z period of time, a custom script can be executed which can stop a specific process, disable a user account, change the Firewall settings or shut down the server.

3. Provide an Accurate History of Events for Use in Forensic Investigations

In order to satisfy the relevant compliance and legal requirements, companies must keep an immutable record of all events that have taken place on their network. In the event of a security incident, they will need to conduct a thorough forensic investigation, and generate a detailed set of reports which can be presented to the supervisory authorities on request. Most DCAP solutions allow for the generation of a wide range of intuitive reports at the click of a button.

Without leveraging the right tools and technologies, complying with the GDPR and avoiding potentially large fines will be significantly harder. Find out how Lepide can keep your data secure and adhere to the relevant GDPR compliance requirements.