“When life gives you lemons, make lemonade,” goes the popular saying, which inspires us to tackle life’s challenges in a positive way to help us grow and learn from hardships. For organizations struggling to meet the upcoming GDPR compliance deadline in May 2018, it may be difficult to view the massive data privacy compliance project as a positive, a piece of investment that can change the way an organization stores and handles user data for the better.
But how can an organization successfully turn GDPR “lemons” into lemonade? By using this time to solidify its overall compliance strategy, an organization can get a return on its GDPR compliance investment. Below is a quick summary of the payoff an organization can potentially see from implementing a comprehensive GDPR strategy:
Studies show that organizations are allocating significant budgets for GDPR compliance. But what are the key areas that organizations should invest in to ensure that GDPR compliance pays off in the long-run?
Disciplined and diligent data governance is a must for any GDPR compliance effort. An organization cannot effectively manage and protect customer data if it does not know where it is located. For GDPR compliance, businesses must make an active effort to locate all user data, discover exactly what it consists of and identify where the data originated. It also needs to define and enforce policies regarding how data is viewed, used, copied and accessed.
In the age of the digital workspace, employees take their digital identities everywhere with them, expecting to get their work done effectively regardless of the time of day or physical location. In fact, the majority of employers expect that employees work on-the-go from their smartphones, tablets, laptops and home desktops. This is an issue for organizations that continue to depend on static, perimeter-based technologies to control access to sensitive data resources.
The only way to ensure that customer data doesn’t travel anywhere it shouldn’t — and that all use of customer data is legitimate and traceable — is to manage data access in context. Context and associated policies determine what is and isn’t allowed. It also provides the usage data essential for GDPR audit reporting.
Many employees unnecessarily have more access than they need to company data, posing a serious risk to GDPR compliance — as well as to general cybersecurity. The solution to the problem of creeping privilege is to streamline administration of access rights. Automation also enables IT to put a “freshness date” on privileges so they don’t last indefinitely. Organizations can also fight privilege creeping by using delegation tools that empower LOB managers, HR admins and other non-IT stakeholders to perform access administration as appropriate. This adaptive, business-aligned approach to access control can significantly reduce total organizational privileging without impairing anyone’s ability to be productive.
Ransomware attacks now impact about half of all businesses, and ransomware techniques continue to become more sophisticated. These attacks often take the form of social engineering techniques that circumvent cybersecurity perimeter defenses by tricking human users into clicking a malicious link or opening a malicious attachment.
Effective ransomware defense requires multiple countermeasures, including frequent data backups and aggressive user education. However, any organization seeking to fend off ransomware and similar cyberattacks must also implement some form of workspace whitelisting. Effective whitelisting is thus closely related to automated privilege administration (key investment #3) — with the added dimension of disallowing access to non-whitelisted resources.
Another related and essential capability for GDPR compliance is push-button offboarding. As noted above, employees can accumulate many privileges over time. So when they leave an organization, those privileges must be revoked immediately.
Revocation of a user’s privileges can tend to be slow, leaving organizations vulnerable to data leakage. This is a huge GDPR and data security no-no. Every organization needs an offboarding mechanism that triggers complete revocation of all privileges across all systems — on premise and in the cloud — without exception immediately upon a termination or transfer event in the company’s HR system.
Regulations change and new legislation continues to pops up, but if an organization takes the right data protection measures now, it will have the right tools in place to make life much easier in the future. Businesses that properly view GDPR compliance as one part of a broader effort to better govern data in the digital enterprise — traversing compliance, security and automation — will significantly outperform their more complacent competitors. And that performance will have a tangible, positive impact on the bottom line.
Sign up for our free weekly e-newsletter for more GRC articles, job postings, GRC events, white papers & more…..click here
Lacy Gruen is a Director at global digital workspace provider RES, where she works to develop go-to-market strategy and help customers find solutions that will solve the real IT challenges of today and the future.