Businesses failing to understand GDPR compliance status

A recent poll of 900 business decision-makers around the world indicates that 31% believe their organisations are compliant with the EU General Data Protection Regulation (GDPR).

But most are mistaken, according to Veritas, which commissioned the independent poll by Vanson Bourne at companies that do business with the EU in the UK, US, France, Germany, Australia, Singapore, Japan and the Republic of Korea.

According to the survey report, an analysis of the data by experts found that only 2% of respondents actually appear to be compliant, which suggests that almost all the organisations polled are not ready, despite almost one-third believing they are.

The GDPR requires organisations to ensure appropriate technological protection and organisational measures to be able to establish immediately whether a personal data breach has taken place.

Yet almost half (48%) of the respondents who stated that their organisations are GDPR compliant admit they do not have full visibility of the personal data they hold.

Without full visibility, organisations cannot ensure that a breach is reported to the supervisory authority within 72 hours, and inform the individual affected without undue delay – as mandated by GDPR, the report said.

More than 60% of respondents who said they are ready for GDPR admit it is difficult for their organisation to identify and report a personal data breach within 72 hours, but failure to do this could be classified as a major violation of the GDPR and result in a fine of up to 4% of annual revenue or €20m, whichever is greater, the report said.

The survey also showed that half of respondents who say their company is compliant admit that former employees can still access company data.

With this type of uncontrolled access, the report said, many organisations are putting confidential information into the hands of people who should not have it, which would put them in breach of the GDPR.

Almost half (49%) of respondents who say they are GDPR compliant believe their organisation’s cloud service provider (CSP) is solely responsible for the GDPR compliance of their data stored in the cloud, but this belief is false, the report points out.

Sufficient guarantees

It is the responsibility of the organisation as the data controller to ensure that the data processor – in this case the CSP – provides sufficient guarantees of being GDPR compliant. This means that both the CSP and the organisation are responsible for ensuring data compliance in the cloud.

The survey revealed that nearly 20% of respondents who are confident that they are GDPR compliant admit that personal data held within their organisation cannot be purged or modified. Some admit they cannot search data, do not know where it is, or do not have data clearly defined.

More than one in 10 (13%) respondents admit that their organisation does not have the capability to search and analyse personal data to uncover both explicit and implicit references to an individual, and does not have accurate visibility into where all their data is stored, or admit that their organisation’s data sources and repositories are not clearly defined.

This means that many organisations will not be able to easily search, find and erase their customers’ data if they exercise their “right to be forgotten”, which risks a key violation of the GDPR, the report said.

Some organisations that have recognised these challenges and the fact that they are running out of time to address them before the GDPR compliance deadline are turning to the data-centric audit and protection (DCAP) model, according to data security software firm Protegrity.

This model focuses on securing data rather than networks, systems and devices because if those security controls are breached or bypassed, data within networks, systems and devices is vulnerable.

Data-centric approaches to security are designed to ensure data is protected in transit and at rest wherever it resides, from the point that the data is captured, through storage, usage and transmission, until it is either archived or deleted.

This approach means that once all the elements are implemented, organisations can automatically identify new data covered by security policies, protect that data, and maintain that protection throughout the data’s life.

The DCAP model requires organisations to classify data to identify what data is sensitive; to know where sensitive data is stored; to define policies for how data is managed within a business context; to protect data against unauthorised access or usage; and to carry out data monitoring and auditing to ensure there are no deviations from normal behaviours that would indicate malicious intent.

This approach means that organisations can ensure consistent protection for data wherever it resides, within the enterprise, such as on-premise data management and storage systems, or cloud services such as software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS).

Encryption and tokenisation are the two main methods organisations can use to protect data directly, and a recent report by security firm Thales shows that in an effort to comply with new data protection requirements, including the GDPR, almost two-thirds of retailers (64%) are encrypting their data and 40% are using tokenisation.

Although the GDPR says very little about technical security controls, it does refer to pseudonymisation and encryption as appropriate safeguards for personal data. The GDPR also highlights the importance of knowing where sensitive data is located and being able to carry out audits to prove that data is protected.

Tokenisation is a form of pseudonymisation in which fake data values are substituted for real data values, and because this is done in a consistent way, it means real data such as a customer’s name will always tokenise in the same way, making it possible to still do things like pattern-matching analysis.

Encryption and tokenisation

Organisations that embrace the DCAP model typically use a combination of encryption and tokenisation, depending on the format of the sensitive data they are protecting. The DCAP model enables organisations to choose the most appropriate protection for each piece of data.

Tokenisation is useful for dealing with structured data such as text and numbers, but encryption would be more appropriate for protecting images. Tokenisation and encryption can be used alongside each other, even within a single table.

One very important advantage of a data-centric model is the existence of a centralised management point, which means organisations can use one set of tools to protect data across different environments, such as Teradata, Oracle, SQL or Hadoop.

“A data-centric approach is really about having one point of control where you can manage your entire organisation’s security posture,” said Clyde Williamson, a member of the product management team at Protegrity.

“In addition, data management policies are role-based, so the security policy is managed by the security officer, who determines how data gets protected and who gets access to that data.”

This means that only users specifically defined in the security policy will get access to the data, which ensures that no matter how much access a system administrator has, they will not get access to data unless they are specified in the security policy.

Role-based access policy

A role-based access policy also means that organisations can audit very clearly on what users are doing with sensitive data.
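The consistent tokenisation described earlier (the same real value always produces the same token, so pattern matching still works) and the role-based policy that decides who may see the real data, shown together in a small added example. This is illustrative code written for this article, not Protegrity's product; the field names, roles and the `POLICY` table are constructed assumptions.

```python
import secrets
from collections import Counter

# Constructed policy (assumed roles/fields): which roles may detokenise which field.
# A system administrator has no entry here, so privilege alone never reveals real data.
POLICY = {"name": {"fraud_analyst"}, "email": {"fraud_analyst", "support"}}


class TokenVault:
    """Vault-based tokenisation: a value seen before always yields the same token,
    so equality checks, joins and duplicate detection still work on protected data."""

    def __init__(self):
        self._by_value = {}   # (field, real value) -> token
        self._by_token = {}   # token -> real value (kept apart from the data store)

    def tokenise(self, field, value):
        key = (field, value)
        tok = self._by_value.get(key)
        if tok is None:
            tok = "TK" + secrets.token_hex(6)   # random, no relation to the real value
            self._by_value[key] = tok
            self._by_token[tok] = value
        return tok

    def detokenise(self, token):
        return self._by_token[token]


class ProtectedStore:
    """Rows hold only tokens; the security policy, not system access, decides who sees clear data."""

    def __init__(self, vault, policy):
        self.vault, self.policy, self.rows, self.audit = vault, policy, [], []

    def insert(self, record):
        self.rows.append({f: self.vault.tokenise(f, v) for f, v in record.items()})

    def read(self, user, role, field):
        allowed = role in self.policy.get(field, set())
        self.audit.append((user, role, field, "clear" if allowed else "token"))  # audit trail per access
        return [self.vault.detokenise(r[field]) if allowed else r[field] for r in self.rows]

    def duplicate_names(self):
        # Pattern matching on tokens alone: no detokenisation is needed to find repeated customers
        return {t for t, n in Counter(r["name"] for r in self.rows).items() if n > 1}


def demo():
    store = ProtectedStore(TokenVault(), POLICY)
    for rec in [{"name": "Ada Lovelace", "email": "ada@example.com"},    # constructed sample rows
                {"name": "Alan Turing", "email": "alan@example.com"},
                {"name": "Ada Lovelace", "email": "ada@example.com"}]:
        store.insert(rec)
    return store
```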

“This all falls in neatly with what the GDPR calls privacy by design and privacy by default because all data is protected equally at point of capture and is protected all the way through the enterprise and only gets unprotected at the points where access to the data is required,” said Williamson.

“It is possible to fine-tune who gets access to what, where they get access to it, and then audit all of that to monitor user behaviour to identify potentially malicious activity when abnormal behaviour is detected, which is useful for protecting data and ensuring compliance with regulations such as PCI DSS, Hipaa or GDPR.”

According to Williamson, Protegrity software and services are designed to support the DCAP model by enabling organisations to classify, discover and protect data, enforce data management and security policies, and audit and monitor data access activities regardless of where company data resides.

Any organisation that has adopted the DCAP model for PCI DSS or Hipaa will be able to extend this easily to cover GDPR, he said, but for many organisations, GDPR is the first time they are being required by a regulation to protect personal information.

Regulatory compliance

Without either a business reason for implementing DCAP or being forced to do so by regulatory compliance, Williamson said most organisations are unlikely to go down this route.

“Most organisations want to keep their data as easy to access as possible,” he said. “They are typically not keen to modify the data, so that they can take all the controls away and still get to their data.”

About 10 years ago, “that kinda worked”, said Williamson, but in the light of increasing data breaches and the potential brand damage they can cause, organisations are beginning to understand the importance of data-centric security.

Alongside new data protection regulations, concern about brand protection is one of the biggest drivers for organisations to review their cyber security capabilities.

As high-profile data breaches in recent months and years show, reliance on access controls, firewalls and authentication mechanisms is no longer enough to keep organisations out of the headlines, said Williamson.

“Although we have been talking about data-centric security for years, we are seeing an uptick in adoption of this approach because the business world is just now getting to the point where they realise they have got to protect data in a way that makes sense,” he said.

“GDPR is either the main or secondary driver for all the potential customers we are talking to at the moment, and the GDPR is certainly one of the main topics in all the conversations with organisations interested in data-centric security.”
