Eight Technical Tips for CISOs Racing Against the GDPR Clock

The EU's GDPR is the most sweeping change to data protection in the past 20 years. C-level executives everywhere are scrambling to get a handle on what it means to their organizations and how they are going to achieve compliance.


Perhaps the biggest international data protection issue this year will be that the European Union's GDPR (General Data Protection Regulation) goes into effect on May 25.

As Datos IO Vice-President Peter Smails told eWEEK: "Data-aware data management becomes table stakes in 2018. The GDPR is the most sweeping change to data protection in the past 20 years. Under the new set of regulations, both U.S. and European companies will need to demonstrate compliance when it comes to managing, storing and sharing data–no matter how massive the data sets. Security-wise, companies will have to report data breaches within 72 hours of their knowledge of them.

"One of the biggest issues next year will be GDPR Article 17, which enables a user's right to be forgotten, which will increase demand for storage and data management solutions that are data-aware. Whether it’s application-specific backup and recovery to protect against ransomware, or intelligent query-based data movement to support test/dev, CI/CD, or GDPR initiatives, organizations will require data management solutions that are data aware and enable them to protect, mobilize, and monetize their data across any cloud boundaries,” Smails said.

GDPR is now having an impact on C-level executives all over the world and has sent them scrambling to get a handle on what the GDPR is, what it means to their organizations and how they are going to achieve compliance. Despite what some in the U.S. may think, this regulation will affect the technical and security teams as much as, if not more than, the legal and privacy departments.

Drew Nielsen, Chief Information Security Officer at infrastructure data protection provider Druva, is another thought leader in this sector. He shares with eWEEK readers eight important technical tips for CISOs racing against the GDPR clock:

Determine Your Role in GDPR

The GDPR affects organizations based outside the EU that offer goods and services (even for free) and that process or monitor EU citizens’ data. Step 1 is to answer certain key questions in order to determine whether your organization is an EU “data controller,” a “processor,” or is bound to comply in some other respect under the GDPR.

Questions include: Does my company offer goods or services to EU residents (even for free)? Does my company monitor the behavior of EU residents (from inside or outside the EU)? Does my company have employees, or any other type of physical presence, in the EU (even a minimal one)? Do special/sectoral rules apply to my organization?

Have Visibility into All Data

Visibility is key, which is why organizations must first know where all data lives in order to secure information and be compliant with GDPR. That means having proper tools and solutions, either internally or through a third party that can properly protect, collect, and monitor data spread out across the enterprise on endpoints, servers and cloud applications. This broad visibility provides organizations with an actionable understanding of their overall data-attack surface and delivers real-time information on how best to deploy security mechanisms to be compliant with the GDPR.

Use the Cloud for Better Governance

GDPR requires a holistic approach to protecting personal data and providing EU residents with access to that data. Traditional governance has focused on forcing data centralization that only provides visibility into centrally stored data.

With the decentralization of data creation on mobile devices and cloud apps, organizations need to take a different approach to governing that data as part of developing an effective governance process. CISOs can use the cloud to centralize data-source policy management and enforcement, bringing decentralized data under the control of GDPR compliance.

Continuously Monitor All Data

GDPR requires data processors and controllers to monitor the content, location and use of EU resident information no matter where it lives. Organizations that can automate the process of proactively monitoring information for compliance violations, whether that data is on a traditional endpoint or in a cloud application, will have better control and access to data.

Secure Data in Transit

With GDPR, security must move with the data no matter where it resides. CISOs should use industry-leading standards based on TLS 1.2 and AES 256 to encrypt data with unique keys for each customer, together with simplified, integrated key management. Data encryption also prevents data from leaving the EU in the event that organizations have not yet established acceptable transfer mechanisms.

Have a Solid Incident Response and Data Breach Plan

The GDPR defines a personal data breach as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”

If that sounds vague, you’re right. In order to cover all bases, data controllers and data processors should review and update their incident response plans and policies to ensure compliance with the GDPR. IT and IS teams should make sure that proper technical and organizational protections are in place to render the data unintelligible in case of unauthorized access.

Don’t Forget the ‘Right to Be Forgotten’

One of the major challenges facing organizations dealing with the GDPR is how to erase information at the request of data subjects in order to purge all data (including backups) and prevent any subsequent processing. According to the GDPR, consent is not permanently binding, and there must be a possibility to withdraw it.

While there are some caveats to this provision of the GDPR, any lawful request for erasure has to be processed in a timely manner. Whether you are partnering with a backup vendor or handling it internally, make sure there are defensible deletion capabilities in place that make it easy to comply with erasure requests, including a robust audit trail that definitively demonstrates the information was deleted.
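One way to make erasure defensible across every copy, backups included, is crypto-shredding: each data subject's records are encrypted under a key held only by the key service, and an erasure request destroys that key and writes a tamper-evident audit entry. The example below is added here and is not code from the article or from Druva; the `Vault` class and its method names are assumptions, and an HMAC-SHA256 counter-mode keystream stands in for the AES-256 the article recommends so the block runs on a bare interpreter.

```python
import hashlib
import hmac
import json
import os
import time

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Illustrative stream cipher: HMAC-SHA256 keystream in counter mode (XOR is its own inverse).
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class Vault:
    def __init__(self):
        self.keys = {}        # subject_id -> per-subject key; the only copy anywhere
        self.records = {}     # subject_id -> [(nonce, ciphertext)], as stored in primary and backups
        self.audit = []       # hash-chained audit trail: each entry commits to the previous hash
        self._prev = "0" * 64

    def _log(self, event: str, subject: str) -> None:
        entry = {"ts": time.time(), "event": event, "subject": subject, "prev": self._prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)
        self._prev = entry["hash"]

    def store(self, subject: str, plaintext: bytes) -> None:
        key = self.keys.setdefault(subject, os.urandom(32))
        nonce = os.urandom(12)
        self.records.setdefault(subject, []).append((nonce, keystream_xor(key, nonce, plaintext)))
        self._log("store", subject)

    def read(self, subject: str) -> list:
        key = self.keys.get(subject)
        if key is None:
            raise KeyError("subject key destroyed; ciphertext copies are unrecoverable")
        return [keystream_xor(key, n, c) for n, c in self.records[subject]]

    def erase(self, subject: str) -> None:
        # Crypto-shredding: the ciphertext in backups is untouched, but without the key it is noise.
        del self.keys[subject]
        self._log("erase", subject)

    def verify_audit(self) -> bool:
        # Recompute the chain; any edited or dropped entry breaks a link.
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

A real deployment would keep the per-subject keys in an HSM or KMS and export the audit chain to write-once storage so the erasure proof outlives the vault itself.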

Think Beyond GDPR

In essence, GDPR is all about data: not just protecting data, but actually knowing where all your organizational data resides and being able to locate, control, and ultimately dispose of information. Any solution that attempts to enable GDPR compliance must use state-of-the-art technology while focusing on being able to see all data, classify all data and secure all data.

But this doesn’t stop at GDPR, and CISOs should ensure they have a comprehensive security and privacy program in place at all times that meets GDPR needs and beyond.

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...