By Ed Gorczyca
Should U.S. companies be GDPR compliant? The short answer is yes.
The General Data Protection Regulation (GDPR) is the European Union's (EU) strengthened data protection law. It covers the personal data of individuals in the EU regardless of where the organization processing that data is located. Applicable from May 25th, 2018, the law aims to give individuals control of their personal data and places obligations on the 'controllers' and 'processors' of that data.
While how aggressively the GDPR will be enforced is still debated, this is not a compliance program anyone outside the EU can afford to ignore. If your organization offers goods or services to people in the EU, or monitors their behaviour, and holds their names, addresses or any other personal data in its systems or logs, you need to be able to demonstrate compliance or face stiff fines.
Step 1: Understand Your Data
The first step toward compliance is to understand your data, through an exercise called data mapping. Data mapping for GDPR is not the same as matching up database schemas. It is closer to a data inventory of the personal data (in U.S. terms, Personally Identifiable Information, or PII) of individuals in the EU, and it is a fundamental requirement of your privacy compliance strategy.
How can you protect someone's data if you don’t know if or where it exists in your enterprise?
In data mapping, you act as a journalist, analyzing your data flows and answering the five Ws of reporting: Who, What, Where, When, and Why. Data mapping can benefit your business in other ways, too, such as identifying key data sources, eliminating duplicate data stores, and consolidating data for smarter use. The healthcare industry went through similar efforts fifteen years ago with the advent of HIPAA.
Step 2: Assess Risk of Data
Your next step is to assess risk through the identified data flows and rate their importance and sensitivity. You may need to consider different rating scales, both from the company's and the individual’s viewpoint.
The value of any data is determined from the data owner’s perspective – and GDPR changes the perspective from the corporation to the individual user.
Beyond those steps, one of the best protections you can place on your data is encryption at rest, but it is also the easiest way to lose access to that data. Do not start encrypting data or drives without a proper encryption key management program in place and tested. This is not an area in which to scrimp. Make sure key custody is fully redundant, with more than one way to recover each key: a copy in escrow held by a second custodian, a rehearsed restore procedure, and a documented rotation process. Relying on your network admin and a key on their laptop is the surest path to disaster.
Encryption at rest is considered standard industry practice, so if you do have a breach and your data was not encrypted, regulators are likely to react more severely. And don't forget the backups you create on a regular basis: they hold the same personal data and need the same protection, and the keys they were encrypted under must still be recoverable when you come to restore them.
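The redundancy the previous paragraphs call for has a concrete shape in software: envelope encryption, where each record is sealed under its own data-encryption key (DEK) and that DEK is wrapped under every key-encryption key (KEK) the organization holds, so the primary key in a KMS or HSM and an offline escrow copy held by a second custodian can each recover the data independently. The Go program below is an added example written for this page; it is not code from the article or from Optimal IdM. The key names, the sample record and the keys themselves are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets written to disk: the record sealed under a random
// data-encryption key (DEK), plus that DEK wrapped under every
// key-encryption key (KEK) held. Any one KEK recovers the DEK, so losing
// the primary KEK does not lose the data.
type Envelope struct {
	Sealed     []byte            // nonce || AES-256-GCM ciphertext (tag included)
	WrappedDEK map[string][]byte // KEK name -> nonce || wrapped DEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith returns nonce || ciphertext, using a fresh random nonce each call.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil // output is nonce || ct
}

// openWith reverses sealWith; it fails on a wrong key, wrong aad or tampering.
func openWith(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], aad)
}

// Encrypt seals a record and wraps its DEK under every KEK in keks. It
// refuses a single KEK: with one key, one loss means the data is gone.
func Encrypt(record []byte, keks map[string][]byte) (*Envelope, error) {
	if len(keks) < 2 {
		return nil, errors.New("need at least two independently held KEKs")
	}
	dek := make([]byte, 32) // AES-256
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	sealed, err := sealWith(dek, record, nil)
	if err != nil {
		return nil, err
	}
	env := &Envelope{Sealed: sealed, WrappedDEK: map[string][]byte{}}
	for name, kek := range keks {
		w, err := sealWith(kek, dek, []byte(name)) // aad binds each wrap to its KEK name
		if err != nil {
			return nil, err
		}
		env.WrappedDEK[name] = w
	}
	return env, nil
}

// Decrypt tries each KEK the caller still holds; the first one that
// unwraps the DEK is enough. With none usable, the record is unrecoverable.
func Decrypt(env *Envelope, held map[string][]byte) ([]byte, error) {
	for name, kek := range held {
		wrapped, ok := env.WrappedDEK[name]
		if !ok {
			continue
		}
		dek, err := openWith(kek, wrapped, []byte(name))
		if err != nil {
			continue // wrong or rotated key under this name; try the next
		}
		return openWith(dek, env.Sealed, nil)
	}
	return nil, errors.New("no usable KEK held: record is unrecoverable")
}

func main() {
	// Constructed keys: "hsm-primary" would live in a KMS/HSM, "offline-escrow"
	// is a copy held by a different custodian.
	keks := map[string][]byte{"hsm-primary": make([]byte, 32), "offline-escrow": make([]byte, 32)}
	for _, k := range keks {
		rand.Read(k)
	}
	env, err := Encrypt([]byte("customer=Anna Muster;city=Wien"), keks) // constructed record
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(env, map[string][]byte{"offline-escrow": keks["offline-escrow"]})
	fmt.Printf("recovered with escrow key only: %q (err=%v)\n", pt, err)
	_, err = Decrypt(env, nil)
	fmt.Println("with no keys:", err)
}
```

Run it and the record comes back using only the escrow key, while a caller holding no KEK gets an error rather than data. The same structure covers backups: a backup carries its own wrapped DEKs, so the restore only needs one of the KEKs that existed when it was written, which is why rotated KEKs must be retained until every backup that depends on them has expired.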
Step 3: Identity Access Management (IAM) Solution
Any organization collecting data on European customers can benefit from an Identity and Access Management (IAM) solution, which reduces headaches by consolidating the identities and personal information you manage into fewer locations. Personal information does not need to be scattered across numerous applications and databases. Reducing the number of identity stores makes user management easier and more efficient while lowering the risk of inappropriate disclosure.
Having an IAM solution in place can simplify your data mapping by providing a roadmap of your data flows. An IAM system is the central control point for authentication and access to systems across your company: the sources of identity data it consumes are specified in its configuration, and so are all the parties that rely on that data.
An IAM solution can therefore be your internal source for understanding where data goes. If a web app requests access to your customer database, you know you must follow that path to see whether the data is copied or stored elsewhere. Centralizing identity management in one application reduces the number of pathways by which personal data can reach other locations.
When IAM is done right, the chances for GDPR success are greatly enhanced. Here are a few areas of an IAM program to manage closely:
- Authentication/MFA – Multi-factor authentication (MFA), or two-factor authentication (2FA) in its simplest form, requires two or more independent factors: something you know (a password) plus something you have (a hardware token or authenticator app) or something you are (a biometric). A stolen password alone is then not enough for an attacker to impersonate a user and reach their data.
- Authorization – Authorization is the process of deciding whether an authenticated identity may access a particular resource, for example a directory on a disk, because the permissions configured on it grant that access. A resource with no configured permissions should be denied by default.
- Administration – These are the activities that manage user authentication and authorization: provisioning, role changes and de-provisioning. Small but significant gaps between management levels, such as access granted on a manager's say-so that the identity team never records, leave holes in access control. When the line-of-business managers who know what each role needs are responsible for determining and periodically attesting to access levels, mistakes are less likely and GDPR compliance more attainable.
- Audit – GDPR requires organizations to be able to show, both periodically and on demand, that authentication, authorization and administration are carried out in a way that does not place personal data at risk, and to show after a breach that they were not its cause. That means every authentication and authorization decision needs a retained, tamper-evident record.
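To make three of those four areas concrete, here is a small Go program, added to this page as an example and not taken from the article or from Optimal IdM's product, that implements a password-plus-TOTP login (RFC 6238 time-based one-time codes, with one step of clock skew allowed), a deny-by-default role check per resource, and an audit trail that records every decision. The user directory, the policy table, the resource names and the TOTP secret are constructed for illustration; the secret and time are the RFC 4226/6238 test vectors so the expected code is known. The salted SHA-256 password hash is a stand-in: a deployment would use a purpose-built password hash such as bcrypt or argon2.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp computes a 6-digit RFC 4226 code: HMAC-SHA1 over the big-endian
// counter, dynamic truncation to 31 bits, then modulo 10^6.
func hotp(secret []byte, counter uint64) int {
	mac := hmac.New(sha1.New, secret)
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac.Write(c[:])
	h := mac.Sum(nil)
	off := int(h[len(h)-1] & 0x0f)
	return int(binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff) % 1000000
}

// totpAt is RFC 6238 with the standard 30-second step, for unix time t.
func totpAt(secret []byte, t int64) int { return hotp(secret, uint64(t/30)) }

// verifyTOTP accepts the current step or one step either side (clock skew).
func verifyTOTP(secret []byte, code int, t int64) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		if subtle.ConstantTimeEq(int32(totpAt(secret, t+30*skew)), int32(code)) == 1 {
			return true
		}
	}
	return false
}

type User struct {
	Salt, PwHash []byte // salted SHA-256 for this example; use bcrypt/argon2 in production
	TOTPSecret   []byte
	Roles        map[string]bool
}

type AuditEvent struct {
	At      time.Time
	User    string
	Action  string
	Allowed bool
}

// IAM is the single control point: who may log in, what they may touch,
// and a record of every decision for the auditors.
type IAM struct {
	users  map[string]*User
	policy map[string]string // resource -> role required to read it
	Audit  []AuditEvent
}

func (s *IAM) log(user, action string, allowed bool, now time.Time) bool {
	s.Audit = append(s.Audit, AuditEvent{now, user, action, allowed})
	return allowed
}

// Authenticate requires both factors: the password and a valid TOTP code.
func (s *IAM) Authenticate(name, password string, code int, now time.Time) bool {
	u, ok := s.users[name]
	if !ok {
		return s.log(name, "login", false, now)
	}
	h := sha256.Sum256(append(append([]byte{}, u.Salt...), password...))
	pwOK := subtle.ConstantTimeCompare(h[:], u.PwHash) == 1
	return s.log(name, "login", pwOK && verifyTOTP(u.TOTPSecret, code, now.Unix()), now)
}

// Authorize checks the role policy for a resource; unknown resources are denied.
func (s *IAM) Authorize(name, resource string, now time.Time) bool {
	u, ok := s.users[name]
	role, hasPolicy := s.policy[resource]
	allowed := ok && hasPolicy && u.Roles[role]
	return s.log(name, "read "+resource, allowed, now)
}

// NewDemoIAM builds a constructed directory: one support user, two resources.
func NewDemoIAM() *IAM {
	salt := []byte("constructed-salt")
	h := sha256.Sum256(append(append([]byte{}, salt...), "correct horse"...))
	return &IAM{
		users: map[string]*User{"anna": {Salt: salt, PwHash: h[:],
			TOTPSecret: []byte("12345678901234567890"), Roles: map[string]bool{"support": true}}},
		policy: map[string]string{"customers.db": "support", "payroll.db": "hr"},
	}
}

func main() {
	s := NewDemoIAM()
	now := time.Unix(59, 0) // RFC 6238 test time; the code for this secret is 287082
	fmt.Println("login:", s.Authenticate("anna", "correct horse", 287082, now))
	fmt.Println("customers.db:", s.Authorize("anna", "customers.db", now))
	fmt.Println("payroll.db:", s.Authorize("anna", "payroll.db", now))
	for _, e := range s.Audit {
		fmt.Printf("%s %s %s allowed=%v\n", e.At.UTC().Format(time.RFC3339), e.User, e.Action, e.Allowed)
	}
}
```

Every call, whether it succeeds or not, leaves an entry in `Audit`, which is the list an auditor (or an incident responder) would ask for. Administration is the part not shown: adding users, changing `Roles`, and editing `policy` would in practice go through the same logged path so that attestations can be checked against what was actually granted.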
Should U.S. Companies Be GDPR Compliant?
GDPR is now the standard industry best practice. Data mapping and privacy by design are minimum requirements. If you are not taking the steps outlined in GDPR, your data protection approach will be viewed as out of date, incomplete, and possibly negligent.
Neither the economy nor the Internet is confined by geopolitical borders, so you need to incorporate ideas and standards from around the world into your information security systems.
About Ed Gorczyca
Ed Gorczyca has over thirty years of experience in the compliance and IT industry and currently is the Chief Compliance Officer at Optimal IdM, an Identity and Access Management software provider.