Managing access to personal data for GDPR compliance

The European Union is touting the General Data Protection Regulation (GDPR) as the most important change in data privacy regulation in 20 years. From 25 May 2018, all businesses that process and control personal data within the EU will need to comply with the GDPR or face massive fines. Non-compliance will result in a fine of up to €20 million or 4% of annual turnover, whichever is greater.

WHAT YOU NEED TO DO TO BE COMPLIANT WITH THE GDPR

The GDPR, which replaces the Data Protection Directive 95/46/EC, consists of 11 chapters and nearly 100 Articles. It is an incredibly detailed piece of legislation, and a great many of its Articles refer to managing access to data:

  • Implement appropriate technical and organizational measures: You must show that you have considered and integrated data protection into your processing activities. [Articles 5, 24, 25, 28, 32]
  • Prevent unauthorized access to data: Unauthorized access also includes accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data transmitted, stored, or otherwise processed. [Articles 4, 5, 23, 32]
  • Notify relevant parties of a breach: You must notify your supervisory authority and the data subjects concerned of any breach that is likely to “result in a risk for the rights and freedoms of individuals” within 72 hours of first becoming aware of the breach. [Articles 33, 34]
  • Maintain impeccable records: You need to maintain a record of data processing activities, including information on “recipients to whom the personal data have been or will be disclosed”, i.e., who has access to the data. [Articles 5, 28, 30, 39, 47]

The full requirements of the GDPR are available within the Official Journal of the European Union.

FOR WINDOWS ACTIVE DIRECTORY DOMAINS, USERLOCK AND FILEAUDIT CAN HELP YOU ON YOUR WAY TO GDPR COMPLIANCE

Our products UserLock and FileAudit together help bolster access security — helping you to become compliant with the GDPR:

  • Prove that you’ve taken technical measures to improve security
  • Prevent unauthorized access to data
  • Detect a breach so that you can notify the authorities quickly, mitigating any fines.
  • Keep a clear audit trail of network, file, and folder activity to prove compliance

HOW USERLOCK HELPS YOU ADDRESS THE GDPR

Compliance starts with securing all logins

The goal of the GDPR is to protect data from unauthorized access. This single word ‘access’ represents the process of someone using an account to actively connect to a system and open/read/copy/download personal data — an action that begins with that person logging on.

The logon is therefore the first line of defense against unauthorized access.

UserLock extends login security to ensure that whoever is logging on to your corporate system (and accessing the data within) is exactly who they say they are. UserLock uses more than just a username and password to confirm an identity. The software analyses the contextual information around each and every logon — the day and time of login, the IP address and workstation of the logon, even the frequency of logon — and restricts logins to only IT-approved contextual information.

For example, a user with access to data subject to GDPR compliance logs on after-hours several times in succession from a remote computer. There are three red flags here — the time of day, the number of logins, and the location from which the login occurred. UserLock is smart enough to detect that suspicious activity, and block the login instantly while alerting administrators.

The logon provides you with leading indicators that there may be a problem well before any access occurs.
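The three red flags in the example above (time of day, logon frequency, and source location) are all conditions that can be expressed as a simple policy check over logon events. The following is an added illustration of that kind of contextual screening, written for this page; it is not UserLock's own code, configuration or event format. The policy values (08:00 to 18:00 working hours, an approved `10.0.0.0/8` network, at most three logons in ten minutes), the `LogonEvent`/`LogonPolicy` types and the sample events are all constructed placeholders.

```python
"""Contextual logon screening: an added illustration (not UserLock's code)
of the kind of rule the text describes, checking each logon's time of day,
source network and recent frequency against an IT-approved policy.
All policy values and events below are constructed placeholders."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class LogonEvent:
    user: str
    when: datetime
    source_ip: str
    workstation: str


@dataclass(frozen=True)
class LogonPolicy:
    # Hypothetical policy: approved hours, approved source networks, and the
    # maximum number of logons one account may make inside a sliding window.
    work_start: time = time(8, 0)
    work_end: time = time(18, 0)
    approved_networks: tuple = ("10.0.0.0/8",)
    max_logons: int = 3
    window: timedelta = timedelta(minutes=10)


class LogonScreener:
    """Evaluates logons in time order and keeps per-user recent history."""

    def __init__(self, policy: LogonPolicy):
        self.policy = policy
        self._recent = defaultdict(deque)  # user -> timestamps inside the window

    def check(self, ev: LogonEvent) -> list:
        """Return the list of red flags raised by this logon (empty = clean)."""
        p, flags = self.policy, []
        if not (p.work_start <= ev.when.time() <= p.work_end):
            flags.append("after-hours")
        addr = ip_address(ev.source_ip)
        if not any(addr in ip_network(net) for net in p.approved_networks):
            flags.append("unapproved-source")
        recent = self._recent[ev.user]
        recent.append(ev.when)
        while ev.when - recent[0] > p.window:   # drop timestamps outside the window
            recent.popleft()
        if len(recent) > p.max_logons:
            flags.append("logon-frequency")
        return flags


def screen_logons(events, policy=None):
    """Screen events chronologically; returns (user, time, flags, decision)."""
    screener = LogonScreener(policy or LogonPolicy())
    results = []
    for ev in sorted(events, key=lambda e: e.when):
        flags = screener.check(ev)
        results.append((ev.user, ev.when.isoformat(timespec="minutes"),
                        flags, "block" if flags else "allow"))
    return results


# Constructed sample: one daytime office logon, then four rapid after-hours
# logons from an address outside the approved network.
SAMPLE_EVENTS = [
    LogonEvent("alice", datetime(2018, 5, 25, 9, 15), "10.1.2.3", "WS-ALICE")
] + [
    LogonEvent("bob", datetime(2018, 5, 25, 22, 5 + i), "203.0.113.7", "LAPTOP-UNKNOWN")
    for i in range(4)
]

if __name__ == "__main__":
    for row in screen_logons(SAMPLE_EVENTS):
        print(row)
```

Each flag is a leading indicator raised at the logon itself, before any data is opened; the decision column shows where a block-and-alert action would apply. Any single flag blocks here; a real policy would typically weigh flags and allow exceptions for approved accounts.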

With UserLock, an organization can:

  • Ensure access to the network and, ultimately, to personal data is identifiable, audited, and attributed to an individual user
  • Prevent unauthorized access by rendering genuine but compromised employee logins useless to would-be attackers
  • Eradicate careless user behavior like password sharing to reduce the risk of unauthorized access from internal threats
  • Flag suspicious access events in real-time, meaning an administrator can immediately respond and further protect access to the network and personal data within
  • Audit all access events centrally so you can track down security threats and prove regulatory compliance

The logon is a compelling point at which to both monitor GDPR compliance, as well as to stop potentially inappropriate access from ever happening.

HOW FILEAUDIT HELPS YOU ADDRESS THE GDPR

Monitor access to all personal data

The GDPR states that unauthorized data access includes accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data transmitted, stored, or otherwise processed.

Monitoring both authorized and unauthorized access to sensitive data is essential to early data breach detection. Visibility is key.

For Windows domains, native file auditing is considered inefficient, time-consuming, and overwhelming when tracking events across the whole organization.

FileAudit is a software platform that greatly simplifies file and folder access auditing on Windows servers. The granular level of file access management helps organizations exceed regulatory requirements and avoid penalties.

With FileAudit an organization can:

  • Identify inappropriate access (and access attempts) through real-time monitoring and alerting, giving the IT department the ability to review and remediate issues
  • Send alerts when FileAudit detects mass access, copying, deletion, or moving of files (a strong indication of a compliance breach)
  • Indicate where the user has accessed the file from, including different workstations on-site or mobile devices remotely — all by tracking and identifying the source IP address
  • Help minimize the risk from access at unusual or unexpected times thanks to granular time and date alerting parameters
  • Centralize and archive all file access events occurring on one or several Windows systems, generating an always available, searchable, and secure audit trail

FileAudit helps prove to regulators that you are protecting personal data effectively by comprehensively monitoring all access activity on files, folders, and file shares. Organizations can give precise answers to questions about improper access, alteration, or destruction of personal data.
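Two of the capabilities listed above (alerting on mass copying, deletion or moving of files, and answering precisely who accessed or altered a given file, when, and from where) are shown below as an added illustration written for this page. It is not FileAudit's code, event format or alert logic. The share path `\\fs01\hr`, the user names, the addresses, the `FileEvent` type and the threshold of ten bulk actions in fifteen minutes are all constructed placeholders.

```python
"""File-access audit trail with mass-operation alerting: an added
illustration (not FileAudit's code or event format) of two things the text
describes, alerting on bursts of copy/delete/move activity and answering
who touched a given file, when and from where.
All paths, users and addresses below are constructed placeholders."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEvent:
    when: datetime
    user: str
    action: str       # one of: read, write, copy, move, delete
    path: str
    source_ip: str


BULK_ACTIONS = {"copy", "move", "delete"}


def detect_mass_operations(events, threshold=10, window=timedelta(minutes=15)):
    """Alert when one user performs `threshold` or more bulk actions inside a
    sliding time window. Returns one alert per offending user."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.when):
        if ev.action in BULK_ACTIONS:
            by_user[ev.user].append(ev)
    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev.when - evs[start].when > window:   # slide the window forward
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= threshold:
                alerts.append({
                    "user": user,
                    "count": len(burst),
                    "actions": dict(Counter(e.action for e in burst)),
                    "first": burst[0].when.isoformat(timespec="minutes"),
                    "last": burst[-1].when.isoformat(timespec="minutes"),
                    "sources": sorted({e.source_ip for e in burst}),
                })
                break   # one alert per user is enough to trigger a review
    return alerts


def history_for(events, path):
    """The audit-trail answer: (time, user, action, source) for one file."""
    return [(ev.when.isoformat(timespec="minutes"), ev.user, ev.action, ev.source_ip)
            for ev in sorted(events, key=lambda e: e.when) if ev.path == path]


# Constructed sample audit records on a hypothetical HR share.
PAYROLL = r"\\fs01\hr\payroll.xlsx"
SAMPLE_EVENTS = [
    FileEvent(datetime(2018, 5, 25, 9, 2), "alice", "read", PAYROLL, "10.1.2.3"),
    FileEvent(datetime(2018, 5, 25, 9, 40), "alice", "write", PAYROLL, "10.1.2.3"),
    FileEvent(datetime(2018, 5, 25, 13, 0), "carol", "delete", r"\\fs01\hr\old.tmp", "10.1.2.9"),
] + [
    # twelve files copied one per minute late at night from an outside address
    FileEvent(datetime(2018, 5, 25, 23, 10 + i), "bob", "copy",
              rf"\\fs01\hr\export{i:02d}.csv", "203.0.113.7")
    for i in range(12)
]

if __name__ == "__main__":
    for alert in detect_mass_operations(SAMPLE_EVENTS):
        print("ALERT", alert)
    for row in history_for(SAMPLE_EVENTS, PAYROLL):
        print("HISTORY", row)
```

The single `delete` by carol never reaches the threshold, so only bob's late-night copy burst produces an alert, and the `history_for` output is the kind of per-file record an organization needs when asked who read or altered a specific document.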

More information about FileAudit & UserLock is available at https://www.isdecisions.com/products/