“When life gives you lemons, make lemonade,” goes the popular saying, which inspires us to tackle life’s challenges in a positive way. For organizations struggling to meet the upcoming E.U. General Data Protection Regulation (GDPR) compliance deadline in May 2018, it may be difficult to view the massive data-privacy compliance project as a positive and an investment that can change the way an organization stores and handles user data for the better.
But how can an organization successfully turn GDPR “lemons” into lemonade? By using this time to solidify its overall compliance strategy, an organization can get a return on its GDPR compliance investment. Below is a summary of the potential payoff from implementing a comprehensive GDPR strategy:
- Better data- and analytics-driven decision making. Visibility into data and access to that data can help with both GDPR compliance and other IT or business initiatives.
- Long-term customer/brand loyalty. Customers want to know that the company they are buying from cares about protecting its users’ data.
- Greater organizational agility. Automating data access allows an organization to be nimble in responding to business changes and needs.
- Reduced cybersecurity risk. Security controls that are put in place for GDPR compliance can help an organization protect itself against IT-security threats such as ransomware.
- Higher-value allocation of IT staff. Some automation tools are flexible enough to do more than automate data-policy enforcement; they can automate many other IT tasks along the way.
- Reduced overall compliance and audit costs. Organizations must likely comply with multiple regulations, so streamlining the audit process will help with more than just GDPR.
- Avoidance of GDPR-related fines. GDPR has set hefty penalties for non-compliance, so organizations should plan to avoid the fines, which can be up to 4% of the firm’s annual turnover.
Studies show that organizations are budgeting for GDPR compliance. But what are the main areas in which they should invest to ensure that GDPR compliance pays off in the long term?
Key investment #1: Good data governance
Disciplined and diligent data governance is a requirement for any GDPR compliance effort. An organization cannot effectively manage and protect customer data if it doesn’t know where that data is. For GDPR compliance, businesses must locate all user data as well as determine what it contains and where it originated. They must also define and enforce policies regarding how data is viewed, used, copied and accessed.
Key investment #2: Context-based mobile-workspace controls
In the age of the digital workspace, employees take their digital identities with them everywhere, expecting to complete their work effectively regardless of the time of day or physical location. Most employers expect employees to work on the go using their smartphones, tablets, laptops and home desktops. This situation is a concern for organizations that continue to depend on static, perimeter-based technologies to control access to sensitive data.
The only way to ensure that customer data never travels anywhere it shouldn’t, and that every use of customer data is legitimate and traceable, is to manage data access in context. Context and the policies associated with it determine what is and isn’t allowed, and they also produce the usage records essential for GDPR audit reporting.
Key investment #3: Streamline privilege administration with automation and delegation
Many employees have more access to company data than they need, posing a serious risk to GDPR compliance as well as to general cybersecurity. The solution to the problem of creeping privilege is to streamline administration of access rights. Automation also enables IT to put a “freshness date” on privileges so they don’t last indefinitely. Organizations can also fight privilege creep by using delegation tools that empower line-of-business managers, HR admins and other non-IT stakeholders to perform access administration as appropriate. This adaptive, business-aligned approach to access control can reduce the organization’s total privilege footprint without impairing anyone’s productivity.
Key investment #4: Anti-ransomware whitelisting
Ransomware attacks now affect about half of all businesses, and techniques continue to become more sophisticated. These attacks often take the form of social engineering that circumvents perimeter defenses by tricking human users into clicking a malicious link or opening a malicious attachment.
Effective ransomware defense requires multiple countermeasures, including frequent data backups and aggressive user education. But any organization seeking to fend off ransomware and similar cyberattacks must also implement some form of workspace whitelisting. Whitelisting is closely related to automated privilege administration (key investment #3), with the added dimension of blocking access to any resource that is not on the whitelist.
Key investment #5: Push-button offboarding
Another related and essential capability for GDPR compliance is push-button offboarding. As noted above, employees can accumulate many privileges over time. So when they leave an organization, those privileges must be revoked immediately.
Revocation of a user’s privileges tends to be slow, leaving organizations vulnerable to data leakage. This is a huge GDPR (and data security) no-no. Every organization needs an offboarding mechanism that triggers complete revocation of all privileges across all systems, on premises and in the cloud and without exception, immediately upon a termination or transfer event in the company’s HR system.
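The “freshness date” on privileges from key investment #3 and the event-driven offboarding of key investment #5, shown together as an added example (this is not RES product code): a small in-memory privilege store where every grant carries an expiry, an HR termination or transfer event fans revocation out across every system, and each revocation is logged for audit reporting. The system names, users, event format and 90-day default lifetime are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Entitlement:              # added illustration, not product code
    user: str
    system: str                 # constructed system names: "crm", "fileshare", "cloud-iam"
    right: str
    expires_at: datetime        # the "freshness date": no grant lives indefinitely

@dataclass
class PrivilegeStore:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # revocation records for audit reporting

    def grant(self, user, system, right, now, ttl_days=90):   # 90 days: constructed default
        self.grants.append(Entitlement(user, system, right, now + timedelta(days=ttl_days)))

    def revoke_where(self, pred, reason, now):
        """Revoke every grant matching pred and log each revocation with its reason."""
        keep, gone = [], []
        for g in self.grants:
            (gone if pred(g) else keep).append(g)
        self.grants = keep
        self.audit.extend((now.isoformat(), g.user, g.system, g.right, reason) for g in gone)
        return gone

    def expire_stale(self, now):    # periodic sweep: drop anything past its freshness date
        return self.revoke_where(lambda g: g.expires_at <= now, "expired", now)

    def handle_hr_event(self, event, now, role_baseline=frozenset()):
        """Termination revokes everything across all systems, no exception;
        transfer keeps only the (system, right) pairs in the new role's baseline."""
        user = event["user"]
        if event["type"] == "termination":
            return self.revoke_where(lambda g: g.user == user, "termination", now)
        if event["type"] == "transfer":
            stray = lambda g: g.user == user and (g.system, g.right) not in role_baseline
            return self.revoke_where(stray, "transfer", now)
        raise ValueError(f"unknown HR event type: {event['type']}")

def demo(now=datetime(2018, 5, 25)):   # constructed scenario
    s = PrivilegeStore()
    s.grant("alice", "crm", "read-customers", now - timedelta(days=100))  # already stale
    s.grant("alice", "fileshare", "write", now)
    s.grant("alice", "cloud-iam", "admin", now)
    s.grant("bob", "crm", "read-customers", now)
    s.expire_stale(now)
    s.handle_hr_event({"type": "transfer", "user": "alice"}, now, {("fileshare", "write")})
    s.handle_hr_event({"type": "termination", "user": "bob"}, now)
    return s
```

After the run, only Alice’s baseline right survives and the audit list records why each of the other three grants disappeared.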
Regulations change and new legislation continues to pop up, but if organizations take the right data-protection measures now, they will have the right tools in place to make life much easier. Businesses that properly view GDPR compliance as one part of a broader effort to better govern data in the digital enterprise, spanning compliance, security and automation, will outperform their more complacent competitors. And that performance will have a tangible, positive impact on the bottom line.
About the Author
Lacy Gruen is a Director at global digital workspace provider RES, where she works to develop go-to-market strategy and help customers find solutions that will solve the real IT challenges of today and tomorrow.