25 May 2018 is the date that has been on everyone’s mind over the last few months. The General Data Protection Regulation (GDPR), which becomes applicable in seven months’ time, is the new EU Regulation on the protection of personal data. Note that it is a regulation, directly applicable in every member state, not a directive that has to be transposed into national law.
Let’s recall the most important changes that will apply once the Regulation takes effect. First, it broadens the definition of personal data: online identifiers such as IP addresses and cookie identifiers may now count as personal data. Second, from May next year any personal data a company holds will have to be kept in an organized form in which it can be easily located, with access controlled and, preferably, logged; the company must be able to rectify the data or, in some cases, erase part of it permanently at the data subject’s request. Third, the Regulation governs personal data breaches: a company must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a risk to individuals), and failure to comply carries severe financial penalties, up to EUR 20 million or 4 % of worldwide annual turnover, whichever is higher.
Should we therefore expect a major upheaval? Is there anything to fear in the upcoming changes? The answer to both questions is “not necessarily”. Taking the appropriate steps now lets a company prepare for the new rules and puts security center stage, which should help reorganize its IT security strategy and so lead to better protection.
It is important not to postpone action. Contrary to appearances, seven months is not much time. Analyze your systems, risks and strategy, compare them with the GDPR requirements, and adjust your business to the new era of personal data processing. Bear in mind that the Regulation itself is not a set of ready-made solutions to be installed by your company.
The text of the Regulation sets out how to approach the issue in terms of procedures for secure data processing (in particular Article 32 on security of processing), but it does not prescribe any specific technology. There is currently no single product on the market that would fully protect a company and at the same time satisfy all provisions of the new rules. Companies should instead consider implementing several complementary measures that bring them closer to that goal.
Reinforce Protection of Portable Equipment
Laptops, smartphones and tablets are the devices most easily lost or stolen, and documents containing personal data are often stored on them. Under the Regulation every such device is a storage medium that has to be protected against data leakage. In practice end users often set no screen lock or password, send data over unencrypted channels, install software not approved by the company’s IT security team and, worse, do not always run anti-malware software.
Such equipment should therefore be protected with full-disk (or full-device) encryption unlocked by a password or PIN, a screen lock, and the ability to wipe the device remotely if it goes missing; it should be used in line with procedures dedicated to mobile devices; and anti-malware software should be kept up to date and checked regularly.
GDPR names encryption (Article 32) as one of the appropriate measures for protecting personal data across the IT environment – from computers and network elements to cloud resources. A data encryption system should work on several levels – from hardware and whole disks to individual files – so that data on a physical disk that is lost or stolen cannot be read, and it should be backed by data loss prevention (DLP) policies. These matter most when emails containing personal data leave the company or USB sticks are used on site. Properly implemented encryption means that data leaked from the company cannot be read by an unauthorized person. The precise consequence under the Regulation is this: if the leaked data were encrypted with a key the attacker did not obtain (Article 34(3)(a)), the company does not have to inform the affected individuals, but the breach must still be notified to the supervisory authority under Article 33 unless it is unlikely to result in a risk to them.
Unified threat management (UTM) is a class of network appliance that combines firewall, intrusion prevention, content filtering and related functions in one device, supervising traffic inside the company network and access to Internet resources. It allows access policies to be defined for particular resources, i.e. it segregates data and restricts unauthorized persons’ access to it, which is in line with GDPR. Using packet-inspection modules, the appliance can block data flows so that sensitive data are not exposed to unauthorized parties. Such a solution is usually recommended for small and medium-sized enterprises, where a single appliance’s capacity matches the size of the network.
SOC Based on a SIEM Platform
Security information and event management (SIEM) systems collect logs and events from across the company network, correlate them, and provide the evidence needed to analyze and confirm security incidents. Such systems continuously monitor the whole network for security threats and record the events that take place within it, importantly in near real time (a SIEM works on collected logs, not inline on the traffic itself). If an incident occurs, the company has the necessary information about the risk, is prepared to take immediate action and, as the new rules require, is in a position to notify the breach within the 72 hours counted from the moment it became aware of it. Such a solution is typically found in large enterprises, usually operated by a security operations center (SOC).
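To make concrete what a SIEM correlation rule actually does, here is an added example in Python (not from the article and not Comarch’s product code). It runs a sliding-window rule over constructed, syslog-like authentication events in an assumed format, raises an alert when one source address fails to log in five times within five minutes on the same host, escalates if a successful login follows the burst, and computes the Article 33 notification deadline from the time the alert was raised. The log format, field names, thresholds and alert structure are assumptions for the example, and the 72-hour clock in a real incident starts when the company becomes aware of a breach, which is usually later than the first alert.

```python
"""Added example (not from the article): a minimal SIEM-style correlation rule.

Reads auth events, keeps a sliding window of failed logins per (source IP, host)
and raises an alert when the window holds `threshold` failures; a success that
follows a flagged burst is escalated, since it may be a compromised account.
Log format, field names and thresholds are assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
# "<ISO timestamp> <host> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2018-05-25T08:00:01 hr-db01 auth_failure user=admin src=203.0.113.7
2018-05-25T08:00:03 hr-db01 auth_failure user=admin src=203.0.113.7
2018-05-25T08:00:04 hr-db01 auth_failure user=admin src=203.0.113.7
2018-05-25T08:00:06 hr-db01 auth_failure user=admin src=203.0.113.7
2018-05-25T08:00:09 hr-db01 auth_failure user=admin src=203.0.113.7
2018-05-25T08:00:12 hr-db01 auth_success user=admin src=203.0.113.7
2018-05-25T08:15:00 web01 auth_failure user=jsmith src=198.51.100.4
2018-05-25T09:30:00 web01 auth_failure user=jsmith src=198.51.100.4
"""


def parse_line(line):
    """Split one log line into a dict; key=value fields become dict keys."""
    ts, host, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Correlate auth events and return a list of alert dicts in log order."""
    failures = defaultdict(deque)  # (src, host) -> timestamps of recent failures
    flagged = {}                   # (src, host) -> time the burst was first flagged
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev["src"], ev["host"])
        if ev["event"] == "auth_failure":
            q = failures[key]
            q.append(ev["ts"])
            # Drop failures older than the window, so the count is per sliding window.
            while ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged[key] = ev["ts"]
                alerts.append({"type": "bruteforce", "ts": ev["ts"], "src": ev["src"],
                               "host": ev["host"], "user": ev["user"], "failures": len(q)})
        elif ev["event"] == "auth_success":
            # A success shortly after a flagged burst suggests the account was guessed.
            first = flagged.get(key)
            if first is not None and ev["ts"] - first <= window:
                alerts.append({"type": "bruteforce_success", "ts": ev["ts"], "src": ev["src"],
                               "host": ev["host"], "user": ev["user"]})
    return alerts


def notification_deadline(aware_at):
    """Article 33: latest time to notify the supervisory authority, 72 h after awareness."""
    return aware_at + timedelta(hours=72)


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG)
    for alert in found:
        print(alert)
    # The two jsmith failures are 75 minutes apart, so they never reach the threshold.
    print("notify the supervisory authority by:", notification_deadline(found[0]["ts"]))
```

The sliding window is what separates a correlation rule from a plain log search: the two jsmith failures are 75 minutes apart and are purged from the window, so they produce no alert, while the five admin failures within eight seconds do, and the success at 08:00:12 is escalated because it lands inside the window after the burst. A real SIEM applies the same idea across many event sources at once and keeps the raw events as evidence for the breach report.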
Cloud solutions are a useful alternative while transitioning to GDPR. Major providers document their compliance with current and upcoming regulations and offer a level of protection for collected and processed data that many companies cannot match on their own. It is worth considering moving your data center to a provider with an appropriate environment and the competence to run the service. Note, however, that this model does not transfer responsibility to the provider: under GDPR the company remains the controller, the provider acts as a processor under a written data processing agreement (Article 28), and the controller stays accountable for a breach even if it occurs at the provider.
These are only suggestions of IT security solutions that may facilitate a smooth adjustment to the new GDPR requirements. Bear in mind that they are only tools supporting the protection processes and the secure processing of sensitive data; only properly designed and implemented procedures make it possible to meet the GDPR requirements. The new provisions on personal data processing should also curb persistent marketing phone calls and dubious promotions in our mailboxes: if we do receive such unsolicited communications, we will be able to identify who is breaching the law and lodge a complaint, or ask the supervisory authority to discipline the data controller. GDPR is sharply focused on protecting individuals’ data and at the same time places a great deal of responsibility on companies that collect or process personal data. To meet these expectations, the Comarch ICT team can support you in preparing to adapt your environment to the new EU GDPR.