GDPR is here! Are you ready?
Approved and adopted in January 2016, enforcement of the European Union (EU) General Data Protection Regulation (GDPR) comes into effect on 25 May 2018.
With just one year to go before enforcement of GDPR formally begins, it’s time to move beyond mere awareness and understanding of what it is, and start making decisions about how you’re going to address it.—Derek E. Brink, CISSP, Vice President and Research Fellow, Information Security and IT GRC
Six Basic Strategies for Data Protection
Findings from the Aberdeen Group Report
However technology-ready your organisation ends up being for GDPR, Aberdeen has found that even the most complex mix of technical security controls for data protection reflects just six basic strategies:
- Do nothing
- Manage access
- Monitor and filter
- Encrypt
- Substitute
- Apply controls
Do nothing.
This may sound odd at first, but remember that not all data needs to be protected. This underlines the importance of identifying and classifying data as a foundational step in any data-protection plan.
Manage access to data in a central store.
Personal data is commonly centralised in network file shares, on web servers and in enterprise content management systems. Access is provided only to users who are authenticated and authorised.
Monitor and filter data as it is being accessed and distributed.
Monitoring and filtering technologies such as data loss prevention, email and web security, database activity monitoring, and network-based monitoring and analytics are used to gain visibility into the personal data that is being accessed and distributed across the organisation’s networks. These solutions are also designed to flag data movements that are potentially in violation of policies for security, privacy and regulatory compliance, and to guide proper responses.
Encrypt the data.
The use of encryption to protect the confidentiality and integrity of personal data is extremely common in every place that data can be found: in back-end systems, on the network and on a wide variety of endpoints. A unified approach to managing the lifecycle of encryption keys is essential to support greater scale of encryption, and to reduce the total cost of ongoing operations and management.
Substitute non-data for the data.
In some scenarios, personal data is best protected by taking it out of the business process in the first place, using technologies such as tokenisation, format-preserving encryption or data masking. Tokenisation, for example, substitutes unique, randomly generated values (tokens) for personal data (such as payment card data) while maintaining the length and format of the original data, so that few changes to business processes are required.
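As an added illustration of the tokenisation approach described above (example code written for this page, not an Oracle or Aberdeen implementation), a minimal in-memory vault that swaps a card number for a random token of the same length and format. The dictionary-based vault storage, the decision to keep separators such as spaces unchanged, and the sample card numbers are assumptions of this example.

```python
import secrets
import string


class TokenVault:
    """Minimal in-memory tokenisation vault (constructed example).

    Replaces a sensitive value such as a payment card number (PAN) with a
    random token of the same length and character classes, so downstream
    processes that expect a 16-digit field keep working without holding
    the real value. The vault is the only place the token -> value mapping
    exists, so it is the component that needs the tightest access control,
    encryption at rest and auditing.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    @staticmethod
    def _random_same_format(value):
        # Preserve length and per-character class: digits stay digits,
        # letters stay letters, separators (spaces, dashes) are copied.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                out.append(secrets.choice(string.ascii_letters))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value):
        """Return the token for value, creating one on first use."""
        if not any(c.isalnum() for c in value):
            raise ValueError("value contains nothing to tokenise")
        if value in self._value_to_token:
            return self._value_to_token[value]  # same value -> same token
        while True:
            token = self._random_same_format(value)
            # Reject collisions with existing tokens and the (rare) case of
            # generating the original value itself.
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        """Resolve a token to the original value (privileged, audited path)."""
        return self._token_to_value[token]
```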
Apply persistent controls to the data.
Rights-management solutions are designed to follow the data itself, providing controls over actions that may be taken on the data even after it leaves the boundaries of an enterprise-managed computing infrastructure.
Six Key Messages from Oracle
As you define your company’s strategies to achieve EU GDPR compliance, what should you be thinking about first?
- An opportunity, not a threat
- Personal data discovery
- Best practice
- Security controls
- Encryption
- The countdown
An opportunity, not a threat.
The same security controls can be used to protect any sensitive data (not just personal data)
Built-in security inside and out saves time and money, and reduces risk
Security controls that form part of your GDPR compliance strategy should be seen as adding value to your business
Personal data discovery.*
You need to discover the personal information you hold; where is your data?
Remember that personal information doesn’t just live in your database, unstructured data or files; an individual can be identified by other data, such as their MAC or IP address, or by metadata
* Definition (Aberdeen report 16486, p. 8): data discovery/identification means knowing what data you have, where it is, who has (and should have) access to it, and what patterns of access are normal.
Adhering to best-practice security should be your default behaviour.
Security should be the priority across all lines of business and amongst all employees – including IT
The days of “If it ain’t broke, don’t fix it” are over. Unpatched and misconfigured systems are too great a liability
Network security is not enough; protect all your data!
The number of security controls should be in proportion to the level of risk
If you have lots of sensitive personal data, you will need a high number of controls
Encrypt personal data, everywhere, all the time.
Encryption must be matched by state-of-the-art access control
Key management is essential
“Always on” cryptography increases data security
You don’t have to compromise security over performance
On-chip hardware encryption in the CPU has been part of Oracle’s SPARC processors for generations and comes at no extra cost
Many Oracle and third-party offerings are leveraging this functionality right now
Fines will reflect the extent of organisational and technical measures
You don’t have to wait to perform complete (sensitive personal data) discovery; you should already know which of your applications are likely to contain the most sensitive personal information
Your company should act now to meet the new regulation – but being a security exemplar should always be a business priority (not just a GDPR exercise)
Non-compliance with GDPR can result in heavy fines and increased regulatory actions. More importantly, however, significant breaches can damage an organisation’s brand, value and reputation. Protecting the brand requires an organisation that collects personal data to be able to demonstrate compliance consistently, and adhere reliably to the GDPR principles of privacy and security.
The path towards GDPR compliance involves a coordinated strategy that engages different organisational entities (including legal, human resources, marketing, security, IT and others). Organisations should therefore have a clear strategy and action plan to address the GDPR requirements with the 25 May 2018 deadline in mind.
Based on its experience and technological capabilities, Oracle is committed to providing customers with a strategy designed to achieve GDPR security compliance. To learn more about how Oracle can help, please contact your local sales representative and visit oracle.com/goto/gdpr.