It’s been almost five months since the GDPR came into force and, on the face of it, the world took notice and realized the importance of compliance. Regulatory bodies and governments even began to tighten their own data protection regulations in line with the new requirements, as the UK government did with the Data Protection Act.
With the GDPR now in effect, you would expect data security to be better, wouldn’t you? Unfortunately, from what we’ve seen, this simply isn’t the case. Most organizations we have spoken to still don’t have a grasp of the key fundamentals of data security, and those that have managed to become compliant aren’t necessarily secure.
So, what’s the problem? Is it too difficult to become GDPR compliant? Is being GDPR compliant enough to ensure data security?
Very Few Are GDPR Compliant
According to United Lex, a company that specializes in setting up organizations to be GDPR compliant, “very few companies are going to be compliant and many are still scrambling to get themselves there.” This could be due in part to how ambitious and all-encompassing the rules and regulations are.
The GDPR requires complete transparency as to how data is being stored, handled and processed, and requires companies to inform regulatory bodies within 72 hours of a data breach. Many organizations are struggling to come to terms with the transparency that the GDPR requires. For years, organizations have been collecting data in any way possible (including through surveys, quizzes, games and content) whilst simultaneously trying to make it seem like they’re not collecting data at all. Such companies are concerned that if they make their data collection methods obvious and detail how data will be used, they will get far fewer people committing to a conversion. But this is basically the point of the GDPR to begin with, whether you like it or not.
Another issue could be the infamous right to be forgotten, where data subjects can ask companies to delete, correct or send them their information. This can be problematic as many organizations collect vast amounts of data and don’t have the internal infrastructure/solution in place to discover where that subject’s data resides.
To be fair, GDPR is complicated, and even regulators are struggling to get to grips with the fact that some of it is user-driven. Until we see our first major GDPR fine (which Facebook could provide us with) we just won’t know how big data breaches are going to be handled under the new regulations.
How to Supplement Your GDPR Efforts for Better Data Security
You could read through all 99 of the GDPR articles and make sure you are ticking off every single one of them (which is probably recommended at this point), but that won’t completely ensure that you are practicing good data security.
To avoid GDPR breaches in the first place, data security should be your priority. There are essentially four things you should ensure you are able to do in order to be more secure:
1. Data Discovery and Classification: Make sure you are able to scan your data continuously to locate those files and folders that contain personally identifiable information (or any other form of sensitive data).
2. Permissions and Privileges: Once you know where your sensitive data is, you should be able to find out who has access to it and whether those access rights change. These privileged users should become the focal point of your auditing and monitoring efforts. Always ensure you are aiming towards a policy of least privilege.
3. User and Entity Behavior: Do you know what these privileged users are doing with your data? If any change is made to a sensitive file or folder you should be able to see it in real time and react to it quickly.
4. Environment States and Changes: Once you have a good handle on the data itself and those users interacting with it, you should turn your attention to whether the state of your environment poses a risk to your data (and what changes are taking place). For example, do you have a lot of inactive users and stale data that could be the entry point for a data breach?
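As an added illustration of pillars 1 and 4 (not code from the original post or from Lepide), the script below classifies a constructed set of sample files by the personal data they contain and flags those that are also stale, so the highest-risk items (sensitive and untouched for over a year) surface first. The sample files, the 365-day staleness threshold and the two detectors (email address, Luhn-valid card number) are assumptions chosen for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample "files": path -> (last modified, content). Not real data.
NOW = datetime(2018, 10, 25)
SAMPLE_FILES = {
    "hr/payroll_2016.csv": (datetime(2016, 3, 1),
        "name,email,card\nA. Smith,a.smith@example.com,4111111111111111"),
    "marketing/survey.txt": (datetime(2018, 10, 20),
        "Respondent jane@example.org said the quiz was fun"),
    "ops/orders.log": (datetime(2017, 1, 1),
        "order 1234567890123456 shipped"),  # 16 digits but not a card number
    "eng/readme.md": (datetime(2018, 9, 1), "Build with make. No secrets here."),
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum: filters out long digit runs (order ids) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(content: str) -> set:
    """Pillar 1: label the kinds of personal data found in one file."""
    labels = set()
    if EMAIL_RE.search(content):
        labels.add("email")
    if any(luhn_ok(m) for m in CARD_RE.findall(content)):
        labels.add("payment-card")
    return labels

def scan(files: dict, now: datetime, stale_days: int = 365) -> dict:
    """Pillars 1 and 4: classification plus a staleness flag per file."""
    report = {}
    for path, (modified, content) in files.items():
        labels = classify(content)
        report[path] = {"labels": labels, "sensitive": bool(labels),
                        "stale": (now - modified) > timedelta(days=stale_days)}
    return report

def review_queue(report: dict) -> list:
    """Files that are both sensitive and stale: review, archive or delete first."""
    return sorted(p for p, r in report.items() if r["sensitive"] and r["stale"])
```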
There are many solutions on the market that provide siloed functionality along these lines, perhaps addressing one of these four points in detail. Many organizations never get around to addressing all four points because assembling that environment of solutions is too complex and time consuming. Fortunately, a few vendors provide solutions that address all four pillars, known as Data-Centric Audit and Protection (DCAP) solutions.
Lepide is the fastest growing DCAP provider in the world, helping thousands of organizations address these four key security pillars and working towards GDPR compliance. Want to see what LepideAuditor can do for you? Start your free trial today.