Following on from our last blog, Readiness activities for GDPR, we continue the discussion regarding the change in regulation and the steps your organisation can take to prepare.
Now is the time for organisations to get their identity house in order before the enforcement and penalty phases of the law take force. Organisations can take pro-active steps to stay ahead by focusing on a few key identity governance priorities: locating sensitive data, understanding who has access to it and maintaining proper access controls on that data.
1. Identify Your Sensitive Data
Organisations need to develop a complete picture of where the customer data that is required to be protected under GDPR exists within their organisation. It may be in structured systems such as applications or databases or it may reside as unstructured data (such as an Excel spreadsheet or PDF report exported from an application or database) located on file systems, collaboration portals (such as SharePoint) or even in cloud storage systems (such as Box or Google Drive).
2. Determine Who Has Access
There needs to be an understanding of who should have access to customer data, reconciled with who actually does. This should be an ongoing process, not a one-time event. This includes all applications and file storage platforms (running on-premises and in the cloud) where customer data is actively stored.
3. Create Preventive & Detective Controls
Users should have access to only the minimum resources they need (“least privilege”), and access to sensitive data should be highly restricted. A governance model that aligns access to applications and data with organisational need should be built. This is where identity and data access governance tools can help make sure that users cannot attain improper access, in concert with automated review and monitoring processes for user access.
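The three priorities above form one procedure: locate the customer data, reconcile approved access against actual entitlements, then turn the result into preventive and detective controls. The following Python script is an added illustration of that loop and is not code from the original post or from any product it mentions; the approved-access model, the entitlement export and the document text are constructed sample data, and the classification patterns are deliberately simple stand-ins for what a real data-discovery engine would use.

```python
"""Added example: locate personal data, reconcile access, and produce control output.

All inputs below are constructed for illustration; they do not describe any real system.
"""
import re

# Step 1: locate sensitive data in unstructured exports.
# Constructed, minimal patterns; a real discovery tool uses far richer classifiers.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"\b0\d{10}\b"),
}


def classify_text(text):
    """Return the set of personal-data categories detected in an exported document."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


# Step 2: reconcile who *should* have access with who *actually* does.
# Approved model: resource -> user -> permissions the organisation has signed off.
APPROVED = {
    "crm-db": {"alice": {"read"}, "bob": {"read", "write"}},
    "sharepoint/customer-exports": {"alice": {"read"}},
}

# Actual entitlements as exported from the systems (resource, user, permission).
ACTUAL = [
    ("crm-db", "alice", "read"),
    ("crm-db", "bob", "read"),
    ("crm-db", "bob", "write"),
    ("crm-db", "carol", "read"),                          # nobody approved carol
    ("sharepoint/customer-exports", "alice", "write"),    # approved for read only
    ("box/finance", "dave", "read"),                      # resource never classified
]


def reconcile(approved, actual):
    """Compare actual entitlements against the approved model.

    Returns three sorted lists:
      excess       - entitlements that exist but were never approved (revoke / recertify)
      missing      - approved entitlements not present (model may be stale)
      unclassified - resources holding access that the data inventory does not know about
    """
    excess, unclassified, seen = [], set(), set()
    for resource, user, perm in actual:
        seen.add((resource, user, perm))
        if resource not in approved:
            unclassified.add((resource, user, perm))
        elif perm not in approved[resource].get(user, set()):
            excess.append((resource, user, perm))
    missing = [
        (r, u, p)
        for r, users in approved.items()
        for u, perms in users.items()
        for p in perms
        if (r, u, p) not in seen
    ]
    return {
        "excess": sorted(excess),
        "missing": sorted(missing),
        "unclassified": sorted(unclassified),
    }


# Step 3: preventive control (deny by default) and detective control (alert lines).
def is_permitted(approved, resource, user, perm):
    """Preventive check: only access explicitly present in the approved model is allowed."""
    return perm in approved.get(resource, {}).get(user, set())


def alerts(report):
    """Detective control: one human-readable alert per finding, for the monitoring pipeline."""
    lines = []
    for kind in ("excess", "unclassified", "missing"):
        for resource, user, perm in report[kind]:
            lines.append(f"{kind.upper()}: {user} has '{perm}' on {resource}")
    return lines


if __name__ == "__main__":
    doc = "Export 2017-05: contact jane.doe@example.com, tel 01234567890"
    print("categories found:", classify_text(doc))
    for line in alerts(reconcile(APPROVED, ACTUAL)):
        print(line)
```

Run periodically (not once) so that step 2 stays an ongoing process: feed it the current entitlement export from each application and file platform, and treat every `EXCESS` or `UNCLASSIFIED` line as input to an access re-certification rather than as something to silence.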
The Solution: Utilise Identity and Data Access Governance
At first, organisations may feel overwhelmed by the requirements of GDPR, especially considering the financial ramifications of non-compliance. However, placing identity governance at the core of their security strategy to protect access to customer data can go a long way towards mitigating the risk of a data breach and the penalties that may be incurred as a result.
By pairing an identity governance platform with a data access governance solution, and applying M Four Monitoring via our Intercity Secure Operations Centre (ISOC), organisations can gain full visibility into “who has access to what” as well as how they are using that access. This will help them make the right decisions in the event of a data breach, during access re-certifications and during other security events.
As we saw during the recent cyber-attack on the NHS and other organisations on 12th May 2017, our customers were amongst the first to be alerted and able to avoid more serious disruption and cost. GDPR is a wake-up call to every data controller who works within the EU. Doing nothing is not an option. There are just 10 months to go before it comes into force in the UK.
If you would like to find out more about GDPR and how to prepare for it – join our GDPR roundtable in Manchester on Tuesday 13th June – register here.