How Organisations Can Prevent Data Breaches & Meet GDPR Compliance

Posted by Maria Milenkova on 26 June, 2017

On the 25th of May 2018, every organisation which is involved in the handling of personal data will enter a new world full of major challenges. Despite a vast amount of content already written on the subject and the fact that the acronym GDPR (standing for General Data Protection Regulation) has become the latest buzzword in our offices, a recent IDC report found that 40% of organisations are only just getting started and 17% still have no plans or strategy in place. With less than a year left until the GDPR comes into effect, we are here to talk about a solution which will add strength and value to your compliance strategy.

It is important to note that meeting the security standards is not just about technology solutions; it is also about the people within your company and the processes that everyone needs to be aligned to. This involves training and plenty of communication to ensure your employees are aware of their responsibilities.

Before we get started, let’s establish exactly what the EU General Data Protection Regulation is and why you should bother to pay it any attention at all.

The GDPR was approved and adopted by the EU Parliament in April 2016 and the UK government has confirmed that the regulation will take effect regardless of Brexit. This is the most significant privacy regulation update in the past 20 years, period. With the increasing number of organisations operating across borders on an international level, it is crucial to have consistent laws and regulations around data protection in place. Therefore, the regulation doesn’t apply only to organisations located within the EU but to any company that handles, stores or processes personal data and information on EU citizens.

The consequences of GDPR non-compliance will be much more severe than the penalties introduced by the Data Protection Act (DPA). The maximum fine that can be imposed for very serious infringements is up to 4% of annual global turnover or 20 million Euro, whichever is greater. The new law also requires that notifiable breaches be reported to the relevant authorities within 72 hours of the company becoming aware of them. Failing to notify of a breach within this time frame can result in a significant fine of up to 2% of global annual turnover (or 10 million Euro).

One of the key elements outlined in the GDPR is how organisations deal with and protect themselves against data breaches.

Besides the encryption of personal data, the regulation requires that access to personal data be restricted. Your system is only as safe as your weakest link, and we know that privileged users are the most common culprits for misuse in any organisation. No matter how well you try to protect your organisation, a breach is extremely likely to happen at some point; therefore the key is to understand how to detect breaches in real time and stop them as they happen.

Dedicated solutions for managing privileged users and sensitive information ensure the strongest level of security for those who have the highest level of data access and editing powers. Therefore, controllers and processors should have some level of user authorisation and a monitoring process. Companies will need to protect data in the same way that they protect critical infrastructure assets, requiring users with access to personal data to be monitored.

How to achieve GDPR compliance with Balabit

Balabit’s Shell Control Box is a session management solution that controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions.

  • Who did what
    • Shell Control Box can identify ‘who did what’ on your database or SAP servers. We have seen the effect this has on employees: they tend to carry out their work with a greater sense of responsibility, leading to a reduction in human errors. By having an easily interpreted, tamper-proof record, you can see where the misuse took place.
    • Designing a security-aware culture in your organisation is key to compliance. The weakest link in security is often misuse by internal users and human error. A good starting point for making your users security aware is making them aware that you can identify where an error occurred, so that people feel more accountable.
  • Advanced protection of personal data
    • Shell Control Box isolates your data processing systems from unknown intruders and from non-authorised users. In addition, it records all authorised access to sensitive data and provides actionable information in the case of human errors or unusual behaviour.
    • This solution will enable you to create a data breach report within 72 hours, as the law now requires in the event of a breach.
  • Prevention of malicious activities
    • It will detect any suspicious activity and alert you immediately or terminate the connection.
    • It is interesting to note that if a data breach occurred but the leaked data was encrypted, and you can prove this fact to the supervisory authority, then you are not obliged to disclose details of the breach to the affected data subjects.
  • Tighter employee & data processor control
    • It records all sessions into searchable audit trails, making it easy to find relevant information in forensics or troubleshooting situations. You can replay the recorded sessions in your browser or in a separate application just like a movie: all the data processors’ actions can be seen exactly as they appeared on their monitors.
    • An incident response plan will be key to recovering from a data breach and returning to normal as fast as possible.

We hope this article has been of interest. If you want to know more about how Solar Communications and Balabit can assist your organisation in meeting the requirements of the GDPR, please get in touch and we will be happy to help.