Whether we are talking about GDPR, HIPAA, PCI DSS or any other data protection regulation, all of them require some form of data access governance (DAG) program. A DAG program ensures that organizations know what data they store and why they are storing it. They are also required to know where their sensitive data is located, who has access to it, and what type of access they have. DAG is typically broken into three parts: people, process and technology.
People
This includes training staff members so that they understand their role in protecting the sensitive data they interact with. It also requires appointing a qualified security team whose role is to help the relevant stakeholders access their data easily and securely.
Process
Organizations are required to establish documentation that defines how data should be handled: how it is stored, accessed, changed, moved and secured. There must be a clearly defined protocol for auditing the life cycle of all sensitive data.
Technology
Organizations must implement the solutions necessary to detect, alert on and respond to important system events. Such events may include suspicious network traffic and endpoint activity, as well as any changes made to access permissions and to sensitive data.
DAG and GDPR
The GDPR, which came into effect in May 2018, introduced a number of fundamental changes to the way organizations collect, process and store personal data belonging to EU citizens. Some of these changes include:
- Harsher penalties for failing to take the precautions necessary to protect the rights of the data subject. Fines can be up to 4% of annual global turnover or €20 million (whichever is greater).
- Mandatory breach notifications should an incident “result in a risk for the rights and freedoms of individuals”. A breach notification must be issued within 72 hours of first having become aware of the breach.
- Elevated rights for data subjects, which include the “right to be forgotten”, the “right to access”, and more.
- Stricter rules for obtaining consent. Consent must be obtained explicitly (i.e. no pre-checked boxes on forms), and data subjects must have a clear understanding of how and why their data is collected and processed.
- Privacy by Design. Systems must be designed with security in mind, as opposed to bolting on security features as an afterthought.
- Data Protection Officers (DPOs) are required if the organization’s core activities involve processing personal data on a large scale.
The key to GDPR compliance is the ability to control access rights to employee and user data. Additionally, you should only collect or store data if it is absolutely necessary. Of course, before you can protect your data, you must first know where it is and what it is. There are a number of data discovery tools that can help organizations automatically discover and classify sensitive data such as PHI, PII, PCI data, and more.
Once you have discovered and classified your data, you can begin to set up roles, review access rights, and set up policies that help you enforce those access rights. You will then need a way to monitor changes made to these access rights, including any changes made to the sensitive data you store. Of course, there is no need to do this manually, as there are a number of affordable data access governance solutions that can make this job a lot easier.
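As an added illustration of the workflow just described (not code from the original post or from any vendor product), the following Python sketch classifies a few constructed file contents with simplified PII/PHI/PCI patterns, then compares a baseline permission snapshot against a later one and raises an alert only for access changes on resources that were classified as sensitive. The patterns, file names, principals and access levels are all constructed assumptions.

```python
import re
# Constructed, simplified classifiers standing in for a real discovery tool:
# a resource is "sensitive" when its content matches a PII/PHI/PCI-style pattern.
CLASSIFIERS = {
    "PII": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),           # e-mail address
    "PCI": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),           # 16-digit card-like number
    "PHI": re.compile(r"\b(?:diagnosis|prescription)\b", re.I),  # health-record keywords
}
LEVELS = {"read": 1, "write": 2, "full": 3}  # ordered: a move upward is an escalation

def classify(content):
    """Return the set of sensitivity labels whose pattern matches the content."""
    return {label for label, rx in CLASSIFIERS.items() if rx.search(content)}
def diff_access(baseline, current, labels):
    """Return one alert per changed grant on a labelled resource, comparing two {resource: {principal: level}} snapshots."""
    alerts = []
    for resource in set(baseline) | set(current):
        tags = labels.get(resource, set())
        if not tags:
            continue  # unclassified resources are out of scope for DAG alerts
        before, after = baseline.get(resource, {}), current.get(resource, {})
        for who in set(before) | set(after):
            old, new = before.get(who), after.get(who)
            if old == new:
                continue
            if old is None:
                kind = "new grant"
            elif new is None:
                kind = "revoked"
            else:
                kind = "escalation" if LEVELS[new] > LEVELS[old] else "reduction"
            alerts.append({"resource": resource, "principal": who, "change": kind,
                           "from": old, "to": new, "labels": sorted(tags)})
    return sorted(alerts, key=lambda a: (a["resource"], a["principal"]))

# Constructed sample data: three files plus a baseline and a later permission snapshot.
FILES = {"hr/payroll.csv": "alice@example.com,1234 5678 9012 3456",
         "clinic/notes.txt": "Diagnosis: seasonal allergies",
         "marketing/plan.txt": "Q3 launch timeline"}
BASELINE = {"hr/payroll.csv": {"hr-team": "read"},
            "clinic/notes.txt": {"clinicians": "write"},
            "marketing/plan.txt": {"everyone": "read"}}
CURRENT = {"hr/payroll.csv": {"hr-team": "full", "contractor-x": "read"},
           "clinic/notes.txt": {},
           "marketing/plan.txt": {"everyone": "full"}}  # not sensitive: no alert

def run_demo():
    """Classify the files, then report access changes on the sensitive ones only."""
    labels = {path: classify(text) for path, text in FILES.items()}
    return diff_access(BASELINE, CURRENT, labels)
```

In practice the classification step would come from a discovery tool and the snapshots from ACL exports; the diff logic stays the same.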
Most sophisticated auditing solutions offer a wide range of features that enable you to detect, alert on, report and respond to changes made to your critical assets. Using LepideAuditor, for example, you can review current access privileges, see how they were granted, and receive real-time alerts when they are changed. Finally, its ability to automatically generate a wide range of reports will make it a lot easier to satisfy GDPR compliance requirements.