EU Legislation: General Data Protection Regulation (GDPR)
There are different ways to force companies to pay more attention to the security of the data they process. Severe financial penalties is an effective way to achieve this. The new regulation, General Data Protection Regulation (GDPR), is aimed at protecting sensitive information and introduces charges for the loss of personal information, which can have an enormous impact a company’s budget. Fines can be up to to €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater. So, the bigger the company the more non-compliance can potentially cost.
GDPR was enacted in 2016 and it is going into effect in May 2018. It is a long waited regulation which will replace the current Data Protection Directive (DPD). GDPR will apply to all companies which process EU resident data. GDPR is aimed at protecting natural persons and not only covers processing of personal data within the EU, but also addresses export of personal data outside the EU.
So now a lot of companies will need to re-examine their processes and procedures in order to meet the new compliance requirements, therefore implementing appropriate software is the logical and necessary step.
DataSunrise Database Security Suite helps to achieve compliance with GDPR with minimum effort. Below we list the GDPR articles and DataSunrise features which allow companies to meet the requirements and stay compliant:
Article 25: Data protection by design and by default
“…by default personal data are not made accessible without human intervention to an indefinite number of individuals.”
” The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
Feature: Database Access Control
DataSunrise Database access control capability ensures implementation and maintaining strict control over user access rights and limits exposure of sensitive information to only those employees whose job requires such access. It also helps to detect and disable inactive user accounts which are often exploited by attackers.
Feature: Dynamic Data Masking
DataSunrise ensures protection of sensitive and personally identifiable information (PII) by providing on-the-fly data masking. Companies are enabled to determine exactly how much of the sensitive data to reveal and employees can work with data without gaining access to sensitive data.
Article 30: Data protection impact assessment
“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.”Article 35: Data protection impact assessment
“…the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”Feature: Sensitive Data Discovery
Data protection starts with determining and finding what has to be protected. DataSunrise discovers where the sensitive content is located and who has access to it. Automatic analysis of data and comprehensive reports allow organizations to get a full picture of the data they work with and determine whether the appropriate security policies are in place.
Article 32: Security of processing
“…implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”Feature: Data-centric Audit and Protection
DataSunrise performs real-time tracking and intellectual analysis of database activity and user actions. It ensures that all potentially dangerous activity is blocked immediately and malicious or suspicious queries never reach the database. It identifies SQL injection attacks in real-time and alarms about a breach attempt. Data remains protected from both external and internal vulnerabilities.
Article 33: Notification of a personal data breach to the supervisory authority
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority…”Article 34: Communication of a personal data breach to the data subject
“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”Feature: Real-time Alerting
DataSunrise monitors database activity and alerts about suspicious transactions immediately via e-mail or instant messenger.
Adoption of GDPR marks a milestone in data protection laws in the European Union. It will have a global effect, since many organizations worldwide will have to profoundly transform the way they collect and use personal information. DataSunrise helps to make sure that your company is fully equipped to comply with EU data protection legislation.
DataSunrise has implemented the Regulatory Compliance Manager which is a tool that can make your company GDPR compliant within just seconds. The same tool can be used to be compliant with SOX, PCI DSS, HIPAA, ISO 27001, IEC 27001.