2 Steps to Improve GDPR Security of Processing

In the final countdown to GDPR enforcement on May 25th of this year, many UK and US firms are overestimating their state of readiness. According to a recent survey, 94 percent of FTSE 350 and 98 percent of Fortune 500 companies whose international business makes GDPR applicable believe they are on track to comply with GDPR, yet less than half of the same respondents have a GDPR taskforce and even fewer have conducted a GDPR gap analysis. Very soon, companies are going to be held accountable for their handling of personal information – and the penalties for failure to comply are severe.

Security of processing, Article 32 of EU GDPR, is one area where organizations have sought clarification. Under Article 32, organizations must implement a risk-based approach to implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk,” including:

  • The pseudonymisation and encryption of data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services;
  • The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Pseudonymisation and encryption are the only two technical measures specifically called out in Article 32. The rest are left to the discretion of the data controller, provided the chosen solutions and measures reflect the “state of the art” and are appropriate to the level of risk. This risk-based approach must consider the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. For many organizations that rely on network access for device monitoring, resiliency and visibility have been reported as the top challenges in addressing Article 32 of GDPR to date.

Step 1: Improve Visibility to Assess Risk

To understand your environment and potential exposure, you first need visibility into the presence of data in your environment that is impacted by GDPR.

If this is an area of concern for you, a GDPR Data Risk Assessment can evaluate and benchmark security controls over processing areas, and a GDPR Endpoint Readiness Assessment can provide a tangible picture of GDPR readiness, including a full disk encryption report, device location report, asset report and anti-malware report, as well as identifying the GDPR personal information currently on endpoint devices and whether it supports processing activities. For more information, visit Absolute.com/GDPR

Step 2: Always-On Visibility to Ensure Compliance

For most organizations, endpoints are the biggest blind spot, with devices off the network ‘blind’ to remote assessment, patching and application resilience. All too easily, endpoint agents installed to meet GDPR requirements are uninstalled, corrupted or bypassed, creating an exposure gap that needs to be managed.

The solution is to rely on automation, with always-connected visibility of devices for constant auditing of GDPR compliance. If a security incident occurs, automating security procedures allows organizations to rapidly remediate, through remote data delete and self-healing of critical applications.

This level of visibility on the endpoint can only be delivered by Absolute, with our firmware-based self-healing endpoint security solutions and services.


The materials in this blog post are general in nature; they are not offered as advice on a particular matter and should not be relied on as such. Use of this material does not constitute a legal contract or consulting relationship between Absolute and any person or entity.  Although every reasonable effort is made to present current and accurate information, Absolute makes no guarantees of any kind. Absolute reserves the right to change the content of this post at any time without prior notice.  Absolute is not responsible for any third party material that can be accessed through this post. The materials contained in this post are the copyrighted property of Absolute unless a separate copyright notice is placed on the material.  

ABOUT THE AUTHOR

Mark McGlenn

Mark McGlenn is Senior Manager of Risk and Compliance Services for Absolute. Mark has over 15 years of experience in Internal Audit, Compliance testing, Risk Management, IT Security, Accounting, and Fraud Prevention. He has developed and managed risk-based corporate internal audit programs with a focus on compliance testing (SOX, PCI, AML) and process and internal control improvements. Leveraging best practices such as CIS Critical Controls, NIST CSF, NIST 800-53, Mark has designed cyber-security assessment procedures and performed engagements in both the public and private sectors. His unique experiences assist Absolute customers in addressing compliance concerns and securing the endpoint.