Organizations around the world have spent months preparing to comply with the European Union’s new General Data Protection Regulation (GDPR). Given the complexity and scope of the new regulation, many organizations have been working closely with expert advisers to plan strategically for the steps they will take toward compliance. And as the May 25, 2018 deadline for compliance has drawn ever closer, strategic planning has become increasingly coupled with tactical decision-making about the technology that will be needed to put their plans into action.
Compliance with GDPR’s sweeping new requirements for protecting EU data subjects’ personal data necessitates a multi-pronged technology approach. Among the technology areas that have a part to play, three in particular are key: data governance, identity and access assurance, and threat detection and response.
Data governance is foundational to compliance with a regulation that mandates protection of personal data. Fulfilling that mandate rests on knowing what data the organization maintains, where it exists and the extent to which it is at risk. Data governance is essential to identifying personal data within the organization, assessing risk and documenting controls that have been put in place to mitigate risk.
Identity and access assurance protects personal data at the figurative “front door” to an organization, with technology to authenticate users seeking access to data. Beyond authentication, identity governance helps demonstrate compliance with monitoring and reporting requirements.
Threat detection and response systems, designed to identify and respond to threats rapidly, are critical to protecting personal data from being breached. If a breach does occur, these systems are equally critical to meeting GDPR requirements for quickly notifying regulatory authorities (within 72 hours of discovery).
While each of these areas is critical in and of itself, it is as integrated components in a holistic deployment that they bring the greatest value to the GDPR compliance effort. Compliance with the regulation’s many requirements requires ongoing monitoring by multiple technologies, ideally working interoperably to support a state of continuous compliance.
For example, once an organization has catalogued personal data, quantified risks and created policies and controls to address risk—a set of activities involving data governance—interoperability with identity governance technology will allow a seamless transition to enforcement activities such as regular access certification and continuous access monitoring.
Another example of the value of interoperability lies in integrating threat detection with identity assurance. When the former detects a suspicious login attempt, it can activate the latter’s capabilities to challenge the user through multi-factor authentication and confirm the legitimacy of the access request.
Learn more about data governance, identity and access assurance, and threat detection and response technologies for GDPR compliance in the white paper GDPR Compliance: The Technology Essentials. Learn more about the RSA commitment to helping meet organizations’ needs for GDPR technology solutions at rsa.com/gdpr.
Author: Steve Schlarman
Category: RSA Fundamentals
Keywords: Access Control, Data Access Governance, Identity, GRC, GDPR, Threat Detection, Continuous Compliance, Data Governance