Three Questions You Must Resolve Before GDPR

The countdown has begun, so before GDPR takes effect this spring, here are a few tips to ensure that your data protection plans comply with the new regulations.


In a few months, Europe will usher in a new regulatory era when the EU’s General Data Protection Regulation (GDPR) takes effect. But even if you’re not living in the European Union, the regulations may still affect your business.

Starting on May 25, 2018, organizations that process personal data relating to EU citizens will need to comply fully with the regulation. GDPR is truly global in scope and extends to any such organization, regardless of where it is located.

The GDPR legislation includes myriad requirements, but the overarching objective is to keep personal data private and secure. The penalties for non-compliance can be severe: beyond the financial cost (fines of 4% of global turnover or €20m, whichever is higher), organizations face restrictions on trading as well as the brand and reputational damage associated with a breach.

Let’s examine more closely the three fundamental data protection questions that you’ll need to face before GDPR becomes the new law of the land:

Where is the Personal Data I hold?

GDPR defines what counts as personal data, and the definition covers a range of information types, including IP addresses and digital images. So the first task is to identify all GDPR-regulated data you hold. That data can be mobile, stored in the cloud, or even in locations beyond your control. If you lack full visibility, either because you don’t know what data to look for or because of blind spots on devices, in shadow IT, or in cloud applications, then you have a problem.

Who Actually has Access to the Data?

Under GDPR, you can only use personal data for the purpose for which you gathered consent. This responsibility persists even if you have outsourced the data handling. Therefore, you need to ensure that you know who is accessing your data (even if they are part of a third-party organization) and can track their interactions. This latter element is critical in ensuring data is protected, e.g. from account takeover attacks. We see a number of data breaches start with user credentials being stolen and then used by attackers to infiltrate IT systems and exfiltrate data. Being able to monitor user behavior, both to assess user risk and to identify potentially compromised accounts, allows you to defend proactively against breaches.

How do I ensure my data is protected?

How do you protect data when it leaves your premises AND still allow collaboration with third parties? That’s one challenge presented by data mobility. Ideally, you want a way to selectively block access to data, allowing only legitimate users. The benefit is that if there is a data breach and files end up in the wrong hands, your organization can rely on layered defenses to mitigate the damage.

The first defense is restricting access rights, which limits the impact of a data breach even if a file has been widely distributed. Where you also suspect that user accounts have been hijacked, the ability to monitor user behaviors and data access patterns can help identify risk. At that point, the organization can deploy additional defenses, such as revoking access to the file or suspending the user’s access rights completely.

Information Centric Security

GDPR is setting off a scramble, causing many organizations to completely review, and in some cases overhaul, their processes. With the countdown to the deadline ticking down, it’s more important than ever to work out a coherent strategy. Three letters can help: I, C and S, which stand for Information Centric Security. Essentially, this describes a blend of information protection technologies deployed with the goal of protecting sensitive data wherever it goes and whoever is accessing it.

It also marks a new approach to information protection that addresses the multiple challenges involved in protecting data. Put simply, the company’s information protection strategy has to focus on its data. While this may sound obvious, many existing data protection systems focus on the data repository (e.g. network storage), the data transfer mechanism (e.g. email) or the data application (e.g. a financial system), not on the data itself.

In contrast, the information-centric approach to security brings together a range of technologies to find sensitive data (using automatic or user-based classification and identification) at rest, in use or in motion across computers, servers, email, devices or the cloud. It then protects that data by automatically applying encryption and digital rights management (based on policy), with central monitoring of user activity.

At first blush, all this might seem daunting. But getting data protection right has never been more important. Given the new requirements, not to mention the headline-grabbing penalties and fines that can be applied around breach notification, building out your defenses now will repay your upfront investment many times over.

To find out more, join us on January 11, 2018 for a webinar covering GDPR compliance and Cloud Adoption:

Register here for the GDPR Webinar
