
GDPR three years in: Three strategies for continuous compliance


Anniversaries are a time for reflection, but not always celebration. Ask any privacy professional if they celebrated May 25, the third anniversary of the General Data Protection Regulation (GDPR) going into effect, and I bet most would say no. In many ways, GDPR has made the privacy (and security) landscape much more challenging. This makes it more important than ever to take a holistic approach to data protection and ensure continuous compliance. This article offers three strategies for companies to pursue. 

GDPR is a landmark regulation for rebalancing the data relationship between individuals and the organisations that collect and process their data. It catalyzed similar sweeping regulations worldwide. Within the EU data privacy landscape, Schrems II and the ePrivacy Regulation (ePR) have put additional demands on organisations to maintain data compliance globally.

Schrems II: In July 2020, the Schrems II decision effectively invalidated the EU-US Data Privacy Shield. In essence, it means that companies must assess whether any country outside the EU respects the data protection required by the GDPR. If not, organisations must take supplementary measures.

ePrivacy Regulation: The ePrivacy Regulation is still making its way through the EU’s regulatory morass. If approved, it will regulate electronic communications for service providers who process data of individuals residing in the EU. It would complete the GDPR and create a single data protection standard for the entire EU.

Implications for enterprises: Focus on where privacy and security intersect 

There is no doubt that the privacy picture has become murkier in the last three years. And it’s more apparent than ever that different frameworks and policy standards require companies to have specific controls in place to mitigate risk and continuously monitor compliance.

An excellent place to start in assessing where companies stand is the NIST Privacy Framework. This is a free, regulation-agnostic tool that helps companies define their privacy goals, identify where risks exist, and determine what technologies to apply to ensure compliance with unconnected regulations.

Another critical aspect of the Privacy Framework is that it complements the Cybersecurity Framework, which is important given how security and privacy need to be intertwined. Data protection sits at the heart of where the frameworks intersect. Let’s look at this part of the framework more closely.

Data protection, policies, and procedures: This includes establishing configuration change control processes, maintaining and testing data backups, putting incident response and recovery plans in place, and extending privacy procedures to human resources practices (for example, deprovisioning).

Identity management, authentication, and access control: This encompasses the management of physical and remote access to data and devices, as well as access permissions and authorisations incorporating the principles of least privilege, Zero Trust, and segregation of duties. 

Data security: This includes ensuring protections are in place for data-at-rest and data-in-transit, the prevention of data leaks, and the separation of development and testing environments and production environments.

Three strategies for continuous compliance

The regulatory landscape will continue to change, and companies need to aim for continuous compliance by investing in the technology to meet these mandates. This means leaning into identity access and governance, embracing automation, using AI/Machine Learning to make this easier for IT and security teams, and partnering with the right vendors to ensure compliance.

Following are three key strategies for companies to ensure they are set up for compliance success. 

Apply the principles of least privilege

According to NIST, “the concept of limiting access, or ‘least privilege,’ is simply to provide no more authorisations than necessary to perform required functions.” Implementing least privilege in fast-paced enterprises is a formidable task. Users are dynamic, moving from one role to another on a regular basis. Resources that employees need one week aren’t the same the next. 

Enterprises need to ensure their technology includes the intelligence and holistic visibility needed to continuously monitor access privileges for control violations, such as privileges granted as part of emergency elevation or through a backdoor. This ensures that potential violations are detected automatically, triggering alerts and suggestions for remediation actions, such as exception documentation, setting time limits, or rejections.

Address consent management and right to erasure

A core aspect of any privacy regulation going forward is the right for consumers to deny or revoke the collection of their data. Enterprises must ensure that their technology solution not only monitors user access to customer identity information and personal data, but also tracks all access to personal data collected, and updates access rights based on both organisational changes and relevant customer preferences.

Consider ways to ease audit compliance

Access request management can be a cumbersome process, but it is fundamental to enforcing data rights based on the principle of least privilege and access governance rules. Hybrid cloud ecosystems increase the complexity of the process, reducing the effectiveness of servicing access requests manually and, thus, expanding the need to automate aspects of the access request/fulfillment process.

Key to this is enabling self-service access requests, as it makes security and compliance easier through consistent enforcement and tracking of digital identities across the IT ecosystem. This should also include integrating intelligent access analytics to suggest appropriate access and highlight risky requests.

Automating access requests and fulfillment creates a centralised location for audit trail documentation and streamlines the generation of reports verifying that access to specific data and resources has been restricted appropriately as required by security, compliance, and privacy regulations.

The three-year anniversary of GDPR provides a good time for companies to assess their privacy and security compliance posture. In many ways, it ushered in a new era of privacy regulations, one that will get more difficult to navigate as time goes on. Taking a step back will allow companies to understand how they need to prepare for what lies ahead to ensure they are set up for compliance success.

Chris Owen, director of product management, EMEA, Saviynt

Chris Owen is a Director of Product Management at Saviynt, where he drives product innovation, execution of the technology roadmap, and go-to-market strategies. He has more than 15 years of experience in the identity access management and privileged access management industry. Before Saviynt, Chris held various technical and leadership roles at Quest / One Identity, CyberArk, BeyondTrust, and Centrify.