Keeping it simple
The GDPR states that data controllers and processors should implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. So what does this mean in practice?
There is no one-size-fits-all solution. The new regulation requires every part of your infrastructure and IT solution to be as secure as you can make it, and that includes protecting against breaches from within as well as attacks from outside.
You also need to know what data is held, where it is and what it is used for, and be able to access it and, if requested, delete it under the right to be forgotten.
Locate and Search
These days, data doesn’t just sit on physical servers or desktops. With the number of mobile devices growing, the cost of portable flash drives dropping and organisations operating bring your own device (BYOD) policies, there are more places than ever before that personal data could reside.
Communication happens over an ever-growing number of devices, platforms and apps. Whilst these developments are great for business, they also make data loss more likely.
However, there are lots of products available that can help you, whatever the complexity of your network. These products can help you to:
- Determine what data you hold and where it is - even if it’s held within forms or images
- Control who can access it, even from unmanaged locations or devices
- Police what level of access a user has
- Monitor user access to sensitive data and identify risky behaviour or security compromise
- Revoke access to users, effectively digitally shredding a document
- Manage data loss policies
Under GDPR, any personal data held must be accurate and up to date, and you must be able to demonstrate that consent was given and for what purposes. Holding multiple records for the same individual makes this difficult.
A de-duplication (de-dupe) product can help you keep your records accurate and up to date even when the same person appears multiple times across multiple platforms, potentially with slightly different spellings (Rich, Richard, etc.).
De-dupe products have other benefits too. In today’s world of shrinking budgets and growing requirements, many organisations have a list of often competing requirements and priorities to manage.
As data volumes grow, storage needs grow with them, and keeping up with demand can be costly. Storage management and de-dupe technology can reduce the demands on an already stretched infrastructure whilst also keeping your data safe and making sure you know what is where whenever you need it.
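As an added illustration (not code from this article or from any product it mentions), the following Python sketch matches the same person across two constructed source systems on a normalised email address, expands a hypothetical nickname table so that Rich and Richard resolve to one canonical name, merges the consents actually recorded, and keeps every source id in the merged record. That last point is what makes the right to be forgotten workable: erasure has to reach every system the subject appears in, not just the one the request arrived through. The record layout, nickname table and sample data are all assumptions made for the example.

```python
import re
import unicodedata
from collections import defaultdict

# Constructed sample records from two hypothetical source systems ("crm" and "nl",
# a newsletter tool); not real data. The same person appears three times.
RECORDS = [
    {"id": "crm-1", "name": "Richard Smith", "email": "Richard.Smith@example.com", "consent": "marketing"},
    {"id": "crm-2", "name": "Rich Smith", "email": "richard.smith@example.com", "consent": None},
    {"id": "nl-7", "name": "R. Smith", "email": "richard.smith@EXAMPLE.COM", "consent": "newsletter"},
    {"id": "nl-9", "name": "Jane Doe", "email": "jane.doe@example.org", "consent": "newsletter"},
]

# Small hypothetical nickname table; a real product ships a much fuller one.
NICKNAMES = {"rich": "richard", "dick": "richard", "bob": "robert", "bill": "william"}


def normalise_email(email):
    """Lower-case and trim; the mailbox is the join key across systems here."""
    return email.strip().lower()


def normalise_name(name):
    """Strip accents, punctuation and case, then expand known nicknames."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z]+", ascii_name.lower())
    return " ".join(NICKNAMES.get(t, t) for t in tokens)


def deduplicate(records):
    """Group records by normalised email and merge them into one record per subject.

    Returns {normalised_email: merged_record}. The merged record keeps every
    source id (so the subject can later be erased everywhere) and the union of
    the consents that were actually recorded.
    """
    groups = defaultdict(list)
    for r in records:
        groups[normalise_email(r["email"])].append(r)
    merged = {}
    for key, group in groups.items():
        names = [normalise_name(r["name"]) for r in group]
        merged[key] = {
            "email": key,
            "source_ids": sorted(r["id"] for r in group),
            "name_variants": sorted({r["name"] for r in group}),
            # Prefer the most complete normalised spelling as the canonical name.
            "canonical_name": max(names, key=len),
            "consents": sorted({r["consent"] for r in group if r["consent"]}),
        }
    return merged


def erase_subject(records, email):
    """Right-to-be-forgotten helper: drop every record for the subject in all sources.

    Returns (remaining_records, removed_ids) so the erasure can be evidenced.
    """
    key = normalise_email(email)
    remaining = [r for r in records if normalise_email(r["email"]) != key]
    removed = sorted(r["id"] for r in records if normalise_email(r["email"]) == key)
    return remaining, removed


if __name__ == "__main__":
    for subject in deduplicate(RECORDS).values():
        print(subject)
    print(erase_subject(RECORDS, "richard.smith@example.com")[1])
```

Joining on email is deliberately simple; where records lack a shared identifier a product would fall back to fuzzy matching on the normalised name plus address or date of birth, and would route low-confidence matches to a human rather than merging them automatically, since a wrong merge leaks one person’s data into another’s record.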
Despite the best-laid plans, disasters can, and do, happen. The key under GDPR is to have a disaster recovery (DR) plan in place so that you can restore the data you hold and your systems will meet the required standard. A few key questions to ask are:
- Should something happen, will customer data be accessible and available in a timely manner?
- Are your DR providers ISO 27001 certified?
- Where is your data held? Remember that if it’s outside the EU it will need to meet the stringent conditions on international transfers set out in Chapter V of the GDPR.
Once you have a view of the data you hold, where it is and how to recover it, it’s time to look at protecting it. Network security is an area in which most organisations will already have at least some coverage, be that firewalls, malware protection or encryption. Products in this area will help you to:
- Manage passwords and ensure they remain strong and regularly updated
- Keep your devices and data secure if lost or stolen, using multi-layer encryption in transit and at rest, and automatically encrypt or block sensitive data in emails
- Protect encryption keys
- Stop malware and ransomware
- Stop attacks at your network perimeter
- Keep individual files secure even when they leave your network or devices
- Ensure that only authorised recipients can access sensitive files
Monitor and Manage
Security tools generate data, and that data is only useful if it can be analysed and understood. Security and behavioural analytics products help to make sense of the information created and give teams the ability to rapidly discover advanced persistent threats.
If you don’t already have one in place, a log management or Security Information and Event Management (SIEM) tool will help you to test, assess and evaluate the effectiveness of your data security. SIEM tools are important for monitoring all user and system activity so that you can quickly identify suspicious or malicious behaviour. It’s also important to monitor data stored or processed in cloud environments.
With a 72-hour time limit on notifying breaches, it’s vital to have a programme in place that identifies and flags breaches when they happen. The right product can gather real-time log data from your distributed applications and infrastructure in one place to enable powerful searches, dynamic dashboards, alerts and reporting for real-time analysis.