Last month, I spoke to an audience of sales and marketing professionals at the General Data Protection Regulation (GDPR) Summit in London. I thoroughly enjoyed the experience. My presentation and live demo focused on data security and how basic defense measures can help with several of the key GDPR obligations.
When GDPR was first discussed, many feared that it would force businesses to be more insular and defensive about their data. Thankfully, the reality has been very different. Instead of seeing GDPR as a threat, many businesses see it as a welcome opportunity to get their house in order and, for once, tackle the thorny question of data protection head-on.
At the event I explained that the data security journey should start with understanding your data because you can’t protect what you don’t know. A necessary first step to tackling the GDPR requirements is to identify the personal data and where it is stored. As you get started, it’s also important to assess the other vulnerabilities within your environment and across your data sources to determine where your additional weaknesses are and how to address them. Some examples include missing patches, wrong user privileges and default configurations, such as usernames and passwords.
Once you understand the gaps and exposures, you can take immediate steps to address those gaps and harden the personal data sources. This might involve data minimization, encryption and pseudonymization. For instance, Dutch multinational bank and financial services company Rabobank is working with IBM to use cryptographic pseudonyms on its clients’ personal data to innovate around new financial regulations in the European Union (EU).
The next step is to start monitoring data sources that contain personal data and take action if any suspicious behavior occurs. Monitoring also provides security of processing reports for authorized and unauthorized activities to personal data and enables security teams to detect and investigate data breaches.
GDPR compliance is a long journey that involves a combination of adapting processes and procedures and implementing strong technical controls. If you haven’t already done so, this is the time to begin identifying and mapping how all your GDPR-related data is collected and used, where it’s stored, and who can access it. The better you understand where you are in your GDPR journey, the easier it will be for you to identify what you need to do next to reach your destination. That’s where IBM can help you move forward.
For security and privacy leaders who need to address the rules established by the EU GDPR, IBM Security is a trusted solutions provider. With a holistic GDPR-focused framework, offering software, services and GDPR-specific tools, IBM can help organizations prepare to protect personal data and operate in conformance with GDPR requirements — regardless of where they may be in their readiness journey.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.