The GDPR saga rumbles on, with a degree of GDPR fatigue becoming apparent. IT departments were thrown the challenge of working out what was needed to meet GDPR guidelines as it was thought to be a security issue. It swiftly became apparent it was a people and process issue and not a technology one. So the IT departments passed the buck on to the legal, HR and finance departments. But as companies gain a handle on the policies and procedures they need in place to meet GDPR guidelines, they are now throwing it back over the fence to IT asking how they can help.
There are many IT vendors making many claims as to what IT can do to help with GDPR, but really it’s quite simple. It isn’t a security play; this should be being done already. It’s an enabler to get your processes right. IT departments have some excellent tools that they can deploy to help ensure business processes meet the GDPR guidelines, but the IT department can’t meet GDPR guidelines by itself. Here is a list of IT tools that can help, and indeed will make life simpler in the new GDPR world.
1. Data Discovery Tools
There are data discovery tools that help you understand what data is flowing through your organisation and where it is. These tools can help identify unstructured personal data, but also offer the analytics, tracking and reporting necessary to deliver accountability for file use and security.
2. Mapping Tools
Data mapping may not be an essential requirement of the GDPR, but meeting the requirements of the regulation would be very hard without a clear picture of the lifecycle of personal data in your organisation. Mapping tools allow companies to identify areas where there is a risk to the rights and freedoms of data subjects in order to specify and implement appropriate technical and organisational measures to mitigate the risk. They also allow for ongoing maintenance of data which is important.
3. Encryption Tools
These can be used in a variety of ways to support the guidelines, including protecting data in transit or at rest, providing verification of data integrity and authenticity, and even offering a means of secure destruction. It’s important to keep in mind though, that the encryption may need to be reversible and those responsible for your data must ensure that the technologies selected are appropriate for the formats needed.
4. Protection of Data in Transmission
The guidelines require that organisations implement adequate technical measures to protect personal data during transmission, over and between networks. This is to further protect confidentiality and integrity. You can do this through a combination of network protection (ensuring attackers are unable to intercept data) and encryption (to render the data unintelligible). Controls could include the use of virtual private network (VPN) solutions, disabling insecure protocols, supporting strong protocols and even private point-to-point connections between data centres.
5. Hosted Solutions
For smaller organisations the use of hosted solutions give access to high level security tools, thereby supporting their efforts to comply with the secure processing requirements of the GDPR. These could include robust firewalls, enterprise quality antivirus and web filtering, encryption of emails and management of all endpoints. By outsourcing the storage, backups, security, and processing of data, and provided they meet the requirements for appointing a data processor, organisations are able to significantly reduce their compliance burden.
6. Data Visualisation Tools
With companies generating more and more data, year on year, effective data management i.e. the use of architectures, policies and procedures to manage the information lifecycle needs of organisations, is becoming increasingly challenging. Data visualisation tools that are simple to use can help organisations uncover what personal data is hidden, identify risks, and accurately classify all personal data, providing the intelligence to demonstrate many obligations for GDPR compliance.
7. Monitoring Tools
No later than 72 hours after having become aware of a data breach your company must notify the supervisory authority (ICO). With the time involved in detecting a breach currently being measured in months, this requirement presents a significant challenge to companies. But there are IT tools that monitor and log activity, and create alerts when anomalous events are detected, and support reporting both for the purpose of breach notification and continuous improvement.
8. Retrieval of Data Tools
Under the new guidelines, organisations should be able to locate and retrieve personal data at the request of the data subject. Tools that support the effective retrieval of data from systems in common machine-readable formats should be used, in order to minimise the overheads that might be incurred as individuals exercise their rights.
9. Disposal of data and IT equipment
Your organisation needs to be able to clean and dispose of data and IT equipment previously used for the processing of personal data to ensure permanent erasure, for example, through the use of electronic file shredding programmes.
10. Robotic Process Automation
Finally, companies might also like to consider using robotic process automation if they aren’t already, as this is an effective way of helping to maintain compliance. RPA ensures greater accuracy of processing, and thereby compliance by removing human error. It also ensures greater security of data and information. RPA can be used to improve compliance and security in many areas including, HR, legal, finance and IT.
Technology is a great enabler for the correct use of information within a company’s business processes. IT will help find the information, sort it, store it correctly and put security around it, and then ensure it is deleted correctly when a business no longer requires it, helping you meet your GDPR requirements.