Enforcement of the new EU General Data Protection Regulation (GDPR) adopted in 2016 starts on May 25, 2018. It requires all organizations that do any business in the EU or that collect or process personal data originating in the EU to comply with the regulation. Organizations that do not have a physical office in the region or do not process personal data in an EU member country are not exempt from the GDPR. Those that fail to comply can face very strict fines—as much as $22.3 million or up to four percent of total worldwide revenue for the preceding financial year, whichever is higher.
Key articles that pertain to data security (Figure 1) are summarized below from the lengthy 88-page document GDPR:
- Article 25: Data protection by design and by default
- Article 32: Security of processing
- Article 33: Notification of data breaches to the appropriate regulator
- Article 35: Data protection impact assessment
- Article 44: General principle for data transfer
We’ve previously written about the professional services we offer that assist with GDPR compliance. In this post, we discuss our products in more detail and how they map to the GDPR data security-specific articles above. Here are five ways Imperva data security solutions can help organizations meet GDPR compliance requirements.
Data Discovery and Classification
GDPR requires that organizations create and maintain a detailed inventory of personal data, and then classify that data by assigning a risk profile and priority. To achieve this requirement, the first step is to understand where databases are located and what type of information they hold. Imperva SecureSphere finds both known and unknown databases by automatically scanning enterprise networks. You can easily create custom data discovery policies to scan any part of your network. To ensure continuous discovery to include new data in security and protection efforts, SecureSphere enables automated, scheduled scans. Automated, scheduled scans allow you to develop and maintain an updated inventory of data scattered across your organization.
Masking or Pseudonymizing Personal Data
The GDPR requires organizations practice data minimization and purpose limitation. This means they collect and use data limited to only what is necessary for a specific purpose, retain it no longer than necessary and limit access to a need-to-know basis. As an example, if an insurance company collects personal information for the purposes of issuing a policy, they cannot use that data for pricing analysis because the personal data collected for one purpose (e.g., issuing a policy) cannot be used for a new purpose (e.g., creating a database for pricing analysis). However, if the data is pseudonymized via data masking, then they could use the masked data for pricing analysis, which is beyond the original collection purpose.
Pseudonymized data, according to the GDPR, is data that has been de-identified such that the data cannot directly identify the subject. Imperva Camouflage obfuscates personal data through data masking that replaces real data with realistic fictional data that is functionally and statistically accurate. It reduces risk of data breach while enabling data utility for business needs.
Security of Processing
Making sure that personal data is secure is the cornerstone of the GDPR. It states that those handling data, such as data controllers and data processors, need to introduce appropriate technical and organizational measures to secure the data. SecureSphere helps you protect data by identifying database vulnerabilities and monitoring database activity.
Database Vulnerability Assessments
The GDPR requires ongoing protection and regular testing and verification of technical and organizational measures used to ensure security of processing. Continuous database vulnerability assessments identify risks to personal data. Imperva SecureSphere finds those security holes in your databases that attackers can exploit. It has a library of over 1,500 pre-defined tests and scans database servers and the OS platforms for vulnerabilities and misconfigurations such as missing patches, default passwords or misconfigured privileges. You can also generate assessment reports that provide concrete recommendations to mitigate identiﬁed vulnerabilities and strengthen the security posture of a scanned database server.
Monitoring Data Access Activity
Data activity monitoring is critical under the GDPR as it requires organizations maintain a secure environment for data processing. To meet GDPR requirement, you need to be able to answer these questions: Who is accessing the data? And how is data being used?
With SecureSphere you can gain complete visibility into data activity by continuously monitoring and analyzing all database activity, including local privileged user access and service accounts, in real time. Monitoring and auditing database activity helps ensure that personal data is being used appropriately and being accessed by authorized users. With data monitoring you can also prevent data theft from external attacks like SQL injections and protect against insider threats − malicious, careless, or compromised users. By keeping a watchful eye on the data, you can identify and block suspicious or unauthorized data access before they become breaches.
Breach Detection and Incident Response
In the event of a personal data breach, the GDPR dictates that data controllers must notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a reasoned justification for the delay.
The biggest challenge is that security teams are overwhelmed with large volumes of incident alerts and that truly worrisome incidents get lost in the noise. Imperva CounterBreach leverages advanced machine learning and peer group analysis to prioritize data access incidents that require immediate attention – without security teams needing deep knowledge of the data environment. It analyzes user behavior and data access activities to identify truly worrisome (or dangerous) incidents, reducing the window of exposure.
Enforcing Cross-Border Data Transfer Policies
The GDPR imposes restrictions on the transfer of personal data outside the European Economic Area (EEA) to ensure that data protection and privacy requirements outlined in the regulation are not undermined. Article 44 of the GDPR prohibits the transfer of personal data beyond the EEA, unless the recipient country can prove adequate data protection.
SecureSphere helps you enforce requirements outlined in model contracts and binding corporate rules (BCRs). Ongoing database discovery and classification scans ensure new databases and personal data are cataloged and protected. Policies can be created to inspect the database traffic. When policy violations occur, such as unauthorized access, blocking user connections or terminating a transaction can help ensure appropriate cross-border data access and use.
Contact us to learn more about Imperva’s GDPR compliance capabilities and explore our data security solutions in detail.