Enterprises understand the importance of having access to their consumers’ personal information. This data enables them to more easily build personal relationships with their audiences, using what they know about that audience to provide tailored experiences and recommendations. The internet has been the catalyst, enabling connected consumers to leverage the most transformative innovations of the modern era for reasons such as entertainment, education, knowledge, social sharing, and shopping. They willingly (or unwittingly, in some instances) trade their personal data to enterprises to streamline interactions or get something they want in return.
Looming over this arrangement for all organizations is the threat of sensitive data breaches. Bad actors are out there, using every means at their disposal to gain access to sensitive personal data and Personally Identifiable Information (PII). Once these bad actors create a breach, they may leverage the sensitive data they steal for crimes such as extortion, fraud, or selling that data on the dark web.
Despite this, organizations will continue to collect and use sensitive data. They will, however, be held more accountable for proving they are in compliance with data privacy regulations. In this post, we will give examples where data privacy regulations are getting tougher, articulate the principal challenges organizations face in securing sensitive data, and offer some insights into what a data privacy solution that meets these challenges looks like.
The evolving privacy regulation landscape
The EU General Data Protection Regulation (GDPR) is the bleeding edge of data protection law and has been in effect for less than three years. After a tentative beginning, the law has started to gather momentum in terms of enforcement robustness and the number of fines levied. Organizations that manage sensitive data have started to take notice and – at least publicly – are taking GDPR seriously and erring on the side of caution. Other regulatory frameworks like CCPA, HIPAA, and PIPEDA are sure to follow the GDPR’s lead. In all instances, the goal of these laws is to hold organizations accountable for data privacy and give consumers more control over how their personal data is managed and used. No matter what industry you are in, if you retain personal data and PII you must be able to comply with new data privacy rules. The trend these regulations are following is clear: new regulations are raising organizations’ accountability for failure through costly audits, penalties and fines, and damage to brand reputation.
Consumers’ rights regarding sensitive data
There are six major subject rights that regulatory frameworks address.
- Right to be forgotten. Both the GDPR and CCPA laws entitle every consumer to request that a company delete all the information it has collected about them, with a few exceptions such as where the data needs to be retained to comply with other requirements.
- Right to breach notification. The GDPR stipulates that, in the case of a personal data breach, an organization must report it within 72 hours of becoming aware of the breach.
- Right to rectification. Consumers have the right to obtain (from any organization) immediate rectification of inaccurate personal data concerning them.
- Right to subject access. Consumers have the right to get a copy of their personal data, as well as other supplementary information to help them understand how and why organizations are using their data, and check they are doing it lawfully.
- Right to data portability. Consumers are entitled to get and reuse their personal data for their own purposes across different services. This enables the secure movement, copying, or transfer of personal data easily from one IT environment to another without affecting its usability.
- Right to compensation. Consumers are entitled to receive full and effective compensation for any damage they have suffered from the misuse of personal data.
The sensitive data management crisis
To get insight into how far away your organization is from being able to comply with these subject rights, ask the following questions:
- What sensitive data do you hold?
- Is the sensitive data you hold regulated personal data or PII?
- Where do you keep data?
- Who has access privileges to the data?
- How are you protecting the data now?
- Are you using the data appropriately?
If you cannot provide sufficient answers, you have a sensitive data management gap to address to satisfy subject rights requests and prove regulatory compliance. You are not alone. 54% of companies have reported not knowing where their sensitive data is stored. Furthermore, 65% say they’ve collected so much data that they’re unable to categorize or analyze it. What do organizations need to do to ensure compliance without imposing an undue burden on their budget?
Imperva Data Privacy: The data-centric solution
The most critical element in achieving data privacy is gaining complete visibility into your data estate. Imperva Data Privacy enables complete and automatic visibility through a single UI into all data and user activity at the database level. This removes two common blind spots: databases that DevOps teams or DBAs spin up without warning, and old databases that are no longer used but still hold sensitive data and remain part of the estate. Discovering and classifying personal data and PII in both structured and unstructured data sources, on-premises or in the cloud, becomes much easier and faster. The solution constantly scans your entire data estate looking for correlated attributes of sensitive data that together constitute PII, so you can protect it. Achieving this level of visibility is also key to effectively automating the fulfillment of subject rights requests.
Effective rights and risks assessment
Imperva Data Privacy enables complete visibility into current user entitlements across your entire data estate so you can easily assess and effectively streamline privileged user policies, as many regulations require. The solution also uses vulnerability assessment to create a personal data and PII risk profile, constantly scanning to verify proper configurations and up-to-date CVE patches to ensure you meet compliance requirements for securing databases and operating systems.
Complying with consumer right requests
The Imperva Data Privacy solution automates a workflow that touches only the data assets holding personal data and PII: it checks those assets for stored correlated attributes, scans them to identify the specific data subject, and then stores the result. This enables organizations to fulfill subject rights requests automatically, within a timeframe that satisfies compliance requirements and without burdening resources.
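The two preceding sections describe discovery of correlated PII attributes and the lookup that fulfills a subject rights request. The following is an added illustration of both steps, written for this post and not Imperva's code: it classifies columns of a constructed sample data estate by value patterns (email, Luhn-valid card number, date of birth, person name, phone), marks a table as holding PII when it contains a direct identifier or a correlated combination such as name plus date of birth, and then locates every row belonging to one data subject. The table names, column names, pattern set and correlation rules are all assumptions chosen for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample "data estate": three tables as lists of dicts.
# crm.contacts uses deliberately uninformative column names to show that
# classification relies on the values, not on the headers.
SAMPLE_TABLES = {
    "crm.contacts": [
        {"c1": "Alice Example", "c2": "alice@example.com", "c3": "1985-04-12", "c4": "+1-555-0100"},
        {"c1": "Bob Sample", "c2": "bob@example.org", "c3": "1990-11-30", "c4": "+1-555-0199"},
    ],
    "billing.cards": [
        {"id": 1, "email": "alice@example.com", "pan": "4111111111111111"},
        {"id": 2, "email": "carol@example.net", "pan": "5500000000000004"},
    ],
    "ops.metrics": [
        {"host": "db-01", "cpu": 0.42},
        {"host": "db-02", "cpu": 0.73},
    ],
}

# Value patterns (assumed for the example). Order matters: the more specific
# patterns are tested first so that a card number is not reported as a phone.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
PAN_RE = re.compile(r"^\d{13,19}$")
DOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
NAME_RE = re.compile(r"^[A-Z][a-z]+ [A-Z][a-z]+$")
PHONE_RE = re.compile(r"^\+?[\d\-\s()]{7,}$")

# A table is PII-bearing if it holds a direct identifier, or a combination of
# attributes that identifies a person only when correlated.
DIRECT_IDENTIFIERS = {"email", "card_number"}
CORRELATED_SETS = [{"person_name", "date_of_birth"}, {"person_name", "phone"}]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most 13-19 digit numbers that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value) -> Optional[str]:
    """Return the sensitive-attribute category of one cell, or None."""
    if not isinstance(value, str):
        return None
    if EMAIL_RE.match(value):
        return "email"
    if PAN_RE.match(value) and luhn_ok(value):
        return "card_number"
    if DOB_RE.match(value):
        return "date_of_birth"
    if NAME_RE.match(value):
        return "person_name"
    if PHONE_RE.match(value):
        return "phone"
    return None


def classify_columns(rows: List[dict]) -> Dict[str, str]:
    """Assign a category to a column when a majority of its rows match that category."""
    counts: Dict[str, Dict[str, int]] = {}
    for row in rows:
        for col, val in row.items():
            cat = classify_value(val)
            if cat:
                counts.setdefault(col, {})
                counts[col][cat] = counts[col].get(cat, 0) + 1
    result = {}
    for col, per_cat in counts.items():
        cat, hits = max(per_cat.items(), key=lambda kv: kv[1])
        if hits * 2 > len(rows):
            result[col] = cat
    return result


def scan_estate(tables: Dict[str, List[dict]]) -> Dict[str, dict]:
    """Discovery pass: classify every table and decide whether it holds PII."""
    findings = {}
    for name, rows in tables.items():
        cols = classify_columns(rows)
        cats = set(cols.values())
        is_pii = bool(cats & DIRECT_IDENTIFIERS) or any(s <= cats for s in CORRELATED_SETS)
        findings[name] = {"columns": cols, "pii": is_pii}
    return findings


def subject_access_request(tables, findings, subject_email: str) -> List[Tuple[str, int, dict]]:
    """Fulfilment pass: visit only PII-bearing tables and return the subject's rows."""
    hits = []
    for name, info in findings.items():
        if not info["pii"]:
            continue
        email_cols = [c for c, cat in info["columns"].items() if cat == "email"]
        for i, row in enumerate(tables[name]):
            if any(str(row.get(c, "")).lower() == subject_email.lower() for c in email_cols):
                hits.append((name, i, row))
    return hits


if __name__ == "__main__":
    found = scan_estate(SAMPLE_TABLES)
    for table, info in found.items():
        print(table, "PII" if info["pii"] else "no PII", info["columns"])
    for table, idx, row in subject_access_request(SAMPLE_TABLES, found, "alice@example.com"):
        print("subject row:", table, idx, row)
```

The fulfilment step deliberately reads only tables the discovery pass marked as PII-bearing, which is the point the section makes about limiting the workflow to assets that hold personal data; the email match is case-insensitive because the same subject is typically stored with inconsistent casing across systems.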
Achieve 360° visibility and control
The Imperva solution constantly collects, normalizes, and stores activity data to create an audit trail that records who is accessing data, when, and from where. From a single dashboard, all stakeholders can filter on any data type, in any combination, in a matter of seconds for reporting or live investigation. This makes the entire team more efficient at fulfilling their responsibilities within the privacy management lifecycle.
Protect, respond and remediate
Imperva Data Privacy provides tools that protect personal data, PII, and associated sensitive data before a compliance violation or breach occurs. The solution continuously and automatically identifies inappropriate or risky data access behavior across the entire estate, notifying you of policy violations or developing threats so you can correct them before they become incidents. You get plain-language descriptions of what happened: who did it, when, and what data was accessed. In addition, you gain live access to audit data to expedite real-time, forensic-level investigation into the details of any compliance or security incident.
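The two sections above describe an audit trail of who accessed what, when and from where, and a layer on top of it that flags risky access to personal data and explains it in plain language. As an added example (written for this post, not Imperva's code), the block below evaluates constructed audit records against a small access policy for PII-bearing tables: a role that is not entitled to the table, a bulk read above a row threshold, access outside business hours, and a source address outside the corporate network. The log format, table list, role entitlements, thresholds and network range are all assumptions chosen for the illustration.

```python
import ipaddress
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed audit records, one per line, pipe-delimited:
# timestamp|user|role|source_ip|table|action|rows_returned
SAMPLE_AUDIT_LOG = """\
2021-03-02T09:15:04Z|jdoe|analyst|10.20.1.15|crm.contacts|SELECT|12
2021-03-02T02:41:22Z|jdoe|analyst|10.20.1.15|crm.contacts|SELECT|48000
2021-03-02T10:05:51Z|svc_etl|dba|10.20.3.7|billing.cards|SELECT|250000
2021-03-02T11:30:00Z|mwong|support|203.0.113.9|crm.contacts|SELECT|3
2021-03-02T11:31:10Z|mwong|support|10.20.1.40|ops.metrics|SELECT|5000
"""

# Assumed policy: which roles may read each PII-bearing table. Tables that are
# not listed hold no personal data and are outside the privacy policy.
PII_TABLE_ENTITLEMENTS: Dict[str, set] = {
    "crm.contacts": {"dba", "analyst", "support"},
    "billing.cards": {"dba"},
}
CORPORATE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
BULK_ROW_THRESHOLD = 10_000
BUSINESS_HOURS_UTC = range(8, 19)  # 08:00 to 18:59


def parse_line(line: str) -> dict:
    """Turn one audit line into a record with typed fields."""
    ts, user, role, ip, table, action, rows = line.split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "role": role,
        "ip": ipaddress.ip_address(ip),
        "table": table,
        "action": action,
        "rows": int(rows),
    }


def evaluate(rec: dict) -> List[str]:
    """Return the list of policy findings for one record (empty when it is clean)."""
    allowed_roles = PII_TABLE_ENTITLEMENTS.get(rec["table"])
    if allowed_roles is None:
        return []  # not a PII-bearing table
    findings = []
    if rec["role"] not in allowed_roles:
        findings.append("role-not-entitled")
    if rec["rows"] >= BULK_ROW_THRESHOLD:
        findings.append("bulk-read")  # an ETL job may be legitimate, but it still warrants review
    if rec["ts"].hour not in BUSINESS_HOURS_UTC:
        findings.append("off-hours")
    if not any(rec["ip"] in net for net in CORPORATE_NETWORKS):
        findings.append("external-source")
    return findings


def describe(rec: dict, findings: List[str]) -> str:
    """Plain-language summary: who, when, what data, and why it was flagged."""
    when = rec["ts"].strftime("%Y-%m-%d %H:%M UTC")
    return (f"{rec['user']} ({rec['role']}) read {rec['rows']} rows from {rec['table']} "
            f"at {when} from {rec['ip']}: {', '.join(findings)}")


def audit(log_text: str) -> List[Tuple[dict, List[str]]]:
    """Evaluate every record and keep only those with at least one finding."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        findings = evaluate(rec)
        if findings:
            flagged.append((rec, findings))
    return flagged


if __name__ == "__main__":
    for rec, findings in audit(SAMPLE_AUDIT_LOG):
        print(describe(rec, findings))
```

Each finding is a separate tag rather than a single score, so an investigator can see at a glance whether an alert is an entitlement problem, a volume anomaly, or a timing or location anomaly, and the description line carries the same who/when/what fields that the audit trail itself stores.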
Where to get more information about data privacy and the Imperva Data Privacy solution
Visit the Imperva Data Privacy solution section of Imperva.com.
In The State of Privacy and Personal Data Protection, 2020-2022, Gartner highlights how regulations are evolving around the world, what key capabilities you need to support the increasing volume and variety of personal data, and what technologies will best support your own privacy program. Download the report here.
In the webinar Data Privacy: What you need to know in 2021, data security expert Terry Ray explains the common elements of the most important data privacy regulations for specific industries, nations, regions and states; shows why good data discovery and classification tools are critical to achieving effective data privacy; offers a way for you to assess the status of your existing data privacy posture; and suggests how to improve it. Watch the webinar on-demand.