The cybersecurity landscape is constantly shifting, and data breaches are now daily events. Verizon’s 2017 Data Breach Investigations Report found that 81% of hacking-related breaches leveraged either stolen or weak passwords [1]. Many organisations still rely on safeguards that are out of date or no longer adequate on their own, such as a static second factor applied uniformly to every login with no assessment of the risk of that login. Under GDPR, the financial consequences for a company that suffers a breach can be devastating, so the new data protection rules are the perfect incentive to review and modernise security methods.
So, how can businesses achieve GDPR compliance?
The GDPR contains several articles that set out the security measures businesses must now put in place. Here are three areas where cybersecurity professionals should address authentication challenges for GDPR compliance:
Articles 15 & 16: Data access and rectification
Key requirement: Data subjects must be able to access the personal data held about them, have it corrected, and permit its collection. How to cover this base: Organisations should review the processes that enable data subjects to view and access the personal data collected about them and to have it corrected where necessary. An identity platform that adapts to diverse environments lets an organisation choose which users or groups of users (individuals, consumers, admins etc.) can manage profiles, and what profile data and personal preferences are collected in the first place.
Article 17: Erasure of data
Key requirement: The data subject is entitled to ask the controller to “forget” them, that is, to erase all of their personal data.
How to cover this base: Logs can be used to identify users and, where required, to record that they have been deleted. A single, unified data store ensures that all of a subject’s information is removed in one operation, so that organisations do not have to chase personal data across multiple databases. The best solutions are scalable and flexible, supporting any number of users and applications.
Articles 25 & 32: Data protection by design and security of processing
Key requirement: Controllers are responsible for designing systems that protect and secure personal data with measures appropriate to the risk.
How to cover this base: Implement adaptive authentication with risk analysis, which provides the strongest identity assurance at the point of access without degrading the user experience. Risk analysis can consider the user’s geographic location and IP address, check whether the device is recognised, and apply machine learning to flag suspicious login attempts or anomalous use of a user’s credentials.
How authentication fits into the GDPR
GDPR enforcement is just around the corner, so it is imperative that businesses start to integrate modern, flexible authentication practices that weigh several signals to judge the legitimacy of every login attempt. This keeps personal data and resources consistently secure, and allows threats at the front door to be detected early and thwarted. Good adaptive access control solutions also deploy directly into a corporation’s existing infrastructure, binding to enterprise directories, web servers, VPNs and even applications built in-house.
When it comes to the cybersecurity posture of a business, especially under GDPR, unnecessary risks cannot be afforded. Authentication should be prioritised in all internal processes and integrated with the software needed to support GDPR compliance consistently. Protecting data should not stop once the points above have been addressed, however: organisations should continuously assess their environments for vulnerabilities, and implementing security best practice should always be the focus. Now is the time to begin adapting data practices to comply with the new rules, including implementing the right tools to ensure data security.
[1] Verizon, 2017 Data Breach Investigations Report.