June 7, 2018

GDPR: Five ways to close the data security gap

Martien Ouwens
Enterprise Architect, Architecture and Cloud Enablement EMEA

The GDPR is here – but are you compliant? Here’s our pick of the top five priorities to demonstrate you have the right safeguards in place. 

Following much anticipation, the General Data Protection Regulation (GDPR), the European Union's legislative answer to greater consistency and protection when handling and processing personal data, is now in force.

You’ve probably heard a lot about the potential fines for failing to comply, but there’s far more to it than that. From potential bans on data processing to data subjects’ legal rights, to compensation following a breach—there is a wealth of reasons to take your GDPR compliance decisions very seriously.

Given this, you may have already taken care of consent management and key data discovery tasks, and ensured you're upholding your subjects' rights concerning access, rectification, portability, and the right to be forgotten. However, no matter where you are in your GDPR compliance journey, you need to explore the latest data protection and security technology. This is implicit in Article 32 (security of processing), where the regulation requests that data processors implement appropriate technical measures and ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.

Here’s our suggested list of top five priorities that you can start actioning today to help towards GDPR compliance.


1. Ensure you can demonstrate accountability

As of this month, transparency when handling data is more important than ever before. Indeed, reporting on how you’re managing data, and demonstrating the measures you’ve taken to process it securely (to guarantee confidentiality, integrity and availability), are essential parts of GDPR compliance.

Accountability should also be demonstrated by documenting your technology decisions. This includes providing a rationale for why you selected those technologies that reduce the probability of a breach, or enable you to easily investigate the impact of one after it happens.


2. Explore encryption and anonymisation capabilities

It's true, there's a host of technology out there designed to help you comply with the GDPR. But the regulation doesn't explicitly name any technology you must adopt: you have to make your own decisions, taking into account the technology available, the costs of implementation and the nature, scope, context, and purposes of the processing you're doing, in addition to the rights of your data subjects.

That said, the capabilities that are highlighted in the GDPR are there with good reason: they're powerful examples of tools you should consider. Articles 32 and 34, for example, call out encryption and anonymisation technologies.

Exploring these technologies, and scoping out what they could do for you and your data subjects, is certainly a worthwhile activity. Database encryption and database masking, for example, can provide simple ways to encrypt and anonymise data. What's more, they're relatively simple to deploy and implement.


3. Set appropriate access controls

Your data protection measures can be industry-leading, but without the right policies and measures in place to enforce who can access what data, your efforts could all be for nothing.

It’s vitally important you explore capabilities for:

  • Authorisation—set who can access what data and reduce your attack surface by reducing privileges to the minimum necessary to execute every task, and use policies to avoid errors and bypasses.
  • Authentication—make sure your systems can check the identity of the person, account, object, system, or procedure that is requesting access.

With the right controls in place, you’ll not only gain peace of mind, but if things go wrong, the source can be traced easily and quickly—which is essential for demonstrating a conscious decision to comply, and disclosing detailed information about leaks.


4. Analyse logs regularly and store responsibly 

Logs play an essential part in both preventing data breaches and, in the event of an incident, proving what happened, and who or what is to blame.

They can be used to help you:

  • Analyse and prevent incidents
  • Understand what’s happened and prevent it from reoccurring
  • Demonstrate what’s happened and why

Even in a worst-case scenario, logs can help you demonstrate compliance, and mitigate the level of punishment for suffering a breach.

These logs and audit trails should cover all IT assets, across on-premises, cloud, databases, applications, firewalls, middleware components, and all other devices.


5. Keep your systems up-to-date using secure configuration and patching

One of the biggest causes of data breaches is quite simply out-of-date software and patches. It’s hardly surprising that many organisations fail to stay on top of updates when an activity like patching can cause system downtime.

Modern systems, however, make this process much easier. For instance, discovery and patch management software and tools can help organisations maintain maximum uptime, while being uncompromising on subject data availability.

Many Oracle technologies are implicitly mentioned in this post, such as those collectively known as Database Security, Identity SOC (Security Operation Centre) and Oracle Management Cloud. For more information, see www.oracle.com/goto/gdpr.


Next steps

It’s important to understand that the aim of the GDPR isn’t to penalise organisations who are in breach of compliance. Rather, one of its key objectives is to help better secure individuals’ data.

These five priorities can help you take major steps toward achieving GDPR compliance. But ultimately, GDPR is all about managing data security well, and tearing down the walls between data subjects and those holding and processing their information.

To ensure long-term success you need to keep up with state-of-the-art security, continuously refining and improving the way you secure and protect data with the latest advances in technology.
