Fuelling compliance as the deadline for GDPR looms

The deadline for organisations to be compliant with the EU General Data Protection Regulation (GDPR) is edging ever closer in what will be the biggest shake up in European privacy laws for 20 years. 

Compliance will be no mean feat for anyone, requiring vast amounts of time and resource, no matter how big or small the organisation. Recent research commissioned by CA Technologies among business leaders with over 5,000 employees revealed that only 22 per cent are completely prepared and waiting for the GDPR to come into force. For those who have not yet started preparations (14 per cent), the first step to getting ready is to create a cross-functional programme of work containing representatives from Legal, IT, HR, and other Business Units. This is not just an IT problem.

With great data comes great responsibility 

The GDPR introduces a move toward privacy by design, meaning that organisations will have to build safeguards into processes, such as testing and development, from beginning to end. Organisations must become more accountable for the Personally Identifiable Information (PII) they hold. They need to know where PII resides, how they can secure it (at rest and in-flight) and if they have a breach, how will they know about it? When asked about the safe storage of sensitive data and PII, 18 per cent of those surveyed were not confident that it was stored in places where only their organisation could access it and a worrying 34 per cent are not yet able to detect PII and other sensitive data used during software development. 

In the financial sector, the introduction of GDPR is seeing programmes running in larger banks to ensure they remain compliant. Now it will be about balancing the requirements against finding ways to stay compliant and using automated processes to reduce the cost impact of doing so. Finding the data that organisations think they have might seem easy, but data can leak out of control in many ways. For example, the proliferation of spreadsheets which may contain PII is very difficult to get under control, especially when this data is held on laptops, mobile devices and shared over email. Furthermore, the use of customer PII in testing new applications is an everyday occurrence in larger banks and this data needs to be masked or anonymised. 

Understanding where this data resides is one challenge, but once understood, the data must be encrypted in production environments; and masked and anonymised for use in development and test environments. On top of this, access needs to be controlled by using identity management, privileged access management and strong authentication techniques. 

There’s no hiding from the legislation; it’s a stark case of comply or face the consequences. Non-compliance penalties could lead to fines of up to €20m or 4 per cent of a company’s global annual turnover. 

As the May 2018 deadline approaches, these four points are just some of the key areas that organisations need to focus on:   

New requirements: Organisations will need to put data protection at the centre of their information processes, including the execution of data protection impact assessments—appointing a data protection officer could also be a way to guide this overall process. 

New user rights: The GDPR demands increased transparency. For example, users can request the erasure of data from controllers (the ‘right to be forgotten’), the correction of errors, and the right to access data in structured formats so they can switch controllers. If a data breach occurs, users also need to be notified in certain cases. 

Technology strategy: Organisations will need to document and report on where their data is, how it is collected, how it is stored, and who can access it. For example, whenever personal data is used for testing, the testers need to ensure there is a legal ground to do so. 

Identity management: The GDPR supports calls for transparent, documented, and enforceable identity policies and tools surrounding authorisation and authentication to ensure traceability and increased security. 

How technology can drive GDPR compliance   

When exploring the organisation’s technology strategy further, sufficient resources must be devoted to risk management, compliance and IT. This can be achieved by taking the following five steps to help the organisation accelerate their GDPR compliance:   

1. Data management and discovery 

The initial step is to discover personal data across your organisation and protect it from unauthorised access. By identifying and controlling personal data—at rest, in motion, and in use—organisations will be uniquely positioned to enforce the GDPR compliance. 

2. Identity and access governance 

Organisations need to centralise and govern user identity and manage access, especially in the case of privileged users. By automating this user management, organisations benefit from ‘who has access to what’ insights, higher user productivity and GDPR compliance. 

3. Privileged access management and threat analytics 

Under the terms of the GDPR, data controllers must report any data breach within 72 hours of the incident occurring. By managing privileged access, organisations can more easily protect privileged activities and enforce data breach detection and notification. 

4. Test data management and synthetic data generation 

Test data management (TDM) is the process of providing, distributing, and managing test data for development teams—and TDM takes on more urgency as the GDPR deadline looms. Robust and efficient TDM practices are key to overcoming compliance hurdles and avoiding the penalties associated with the GDPR. By using synthetic data, organisations will avoid the pitfalls associated with masking production data. 

5. API management 

API management is the foundation for a future-proof GDPR-compliant architecture. It enables organisations to quickly and easily adopt rules for gathering consent, and inform users about the regulations relating to data access and data portability. 

The EU GDPR legislation will give citizens back control over their personal data and simplify the regulatory environment for international business. Organisations need to review their data lifecycle and put in place rigorous and robust controls for the security and protection of data and how it’s used and accessed. By adopting the appropriate software solutions, and wrapping these around compliant processes, organisations can ensure GDPR compliance. 

Rob Coleman, CTO for UK&I at CA Technologies   

Image Credit: Wright Studio / Shutterstock