The biggest challenge in ensuring security of personal data is people.
At its core, GDPR compliance is simply about protecting personal data of EU citizens that is necessary and appropriate to collect. Applications hosting personal data may provide some level of detail around when personal data is accessed, but without visibility into what users do with personal data after they access it, the risk of data breaches, compliance violations, and the investigations, fines, and reputational damage that comes with them, is significantly increased.
Veriato provides contextual user activity detail and screen recordings necessary to satisfy GDPR requirements. By logging all user activity and capturing screen detail for video playback, Veriato creates an indisputable audit trail that will satisfy the evidence requirements of even the most scrutinizing supervisory authority.
This brief discusses the challenges of safeguarding personal data, and how Veriato uniquely creates the audit detail necessary to meet GDPR compliance objectives.
Effective on May 25, 2018, the General Data Protection Regulation (GDPR) of the European Union stands to change how many companies worldwide do business involving European Union citizens. For the first time, the concept of what constitutes personal information has been expanded by GDPR. According to the regulation, personal data includes any information “that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” It is this data that must be protected, regardless of where the data, or the organization processing or controlling the data resides.
There are material penalties for a breach – as much as 4% of a company’s annual worldwide revenue or €20 million (approximately $24.8 million), whichever is greater. Avoiding these penalties depends solely on an organization’s ability to demonstrate proper processing, security controls, and the absence of a breach. And with breach notification required within 72 hours, organizations need an audit trail that provides the detail necessary to document the scope of a breach.
So, what’s needed is a means to have complete visibility into every action performed by a user with access to personal data – every application used, webpage visited, record copied, file saved, print screen generated, and page printed. Only then will a controller or processor truly know whether personal data has been appropriately accessed and used.
But, compliance with GDPR isn’t just a technical battle; it’s one filled with administrative policies and procedures that, in conjunction with technology, ensure users are trained, access to personal data is correctly granted, use and processing thereof is appropriate, and compliance can be demonstrated.
GDPR Challenges for Key Stakeholders
While GDPR only breaks down responsibilities to an organizational level, and to one new role – the Data Protection Officer (DPO), traditional stakeholders in the organization each have different needs around the goal of adhering to GDPR:
What’s needed is a technology that cost-effectively addresses GDPR requirements by monitoring the processes involving personal data, aligning with established policy and processes, providing visibility into how personal data is used or misused, and providing context around either demonstrating compliance or determining the scope of a breach.
How Veriato Helps Address GDPR Challenges
Veriato helps organizations of all kinds satisfy the GDPR obligations related to assessing risk, ensuring safeguards are in place, demonstrating access is appropriate, and providing context should a breach occur. It does so by recording and providing access to detailed user activity data – both within applications used to process personal data and in any other application – combined with robust screen recording and video-like playback. Customizable policies and alerts help enterprises craft appropriate responses to their unique environments.
Veriato can be used to assess the security of a process, to verify that all access to personal data is appropriate, and to replay actions involved in a data breach. All activity data is searchable, making it easy for the DPO, an auditor, security teams, or IT to find suspect actions, with the ability to play back activity to see what happened before, during, and after the process activity in question. Alerts can inform the enterprise about suspicious user activities and minimize the risk of breaches. Reports can be produced in minutes – typically a fraction of the time otherwise needed – and don’t require pulling critical resources from other tasks.
Veriato assists with a number of specific articles in the regulation, utilizing its detailed visibility into specific user actions related to accessing and processing personal data. The following sections outline how Veriato can assist with meeting specific GDPR requirements.
ARTICLE 24
Controller Responsibilities
One of the key responsibilities of the controller under GDPR is to ensure the data is only accessed and used for business-related processing. Veriato can be used to monitor user interaction with specific data, systems, and applications related to the processing of GDPR-protected personal data. Below are some examples of how Veriato can assist in addressing the Controller responsibilities:
ARTICLE 25
Data Protection by Design and by Default
The DPO is mandated to ensure that security within systems and applications used to process personal data is in place and part of the intent, the implementation, and the process. Veriato provides unmatched visibility into who is accessing personal data, what applications are being used, which data is being accessed, and what’s being done with it – all factors in testing whether data protection is implemented as an inherent part of the process. Below are some examples of how Veriato can assist in addressing some of GDPR’s data protection design standards:
ARTICLE 30
Records of Processing Activities
GDPR requires the processor and controller to maintain a record of several different categories of detail around each and every processing activity. The ability to record, report on, and play back user activity provides organizations with specific details and context around each processing activity. Customizable policies can help processors and controllers manage these different categories and provide easily understood reports.
ARTICLE 32
Security of Processing
Akin to most data security standards, GDPR mandates establishing, assessing, and validating security around the processing of personal data. Aligning with the assessment of risk in Article 35, this article seeks to ensure a level of security commensurate with the risk should an organization’s personal data be breached. Below are some examples of how Veriato can assist in establishing and maintaining the security of processing:
ARTICLE 33
Notification of a Personal Data Breach to the Supervisory Authority
GDPR mandates notification of a personal data breach within 72 hours of it occurring. This means the organization needs to be continually monitoring for personal data breaches. Additionally, should a breach occur, GDPR requires organizations to define the scope of the breach or else report all affected personal data, likely resulting in a larger fine if the scoping is found inadequate. Veriato assists both with detecting potential breach activity and with providing activity detail should it be determined that a breach has occurred. Below are some examples of how Veriato can assist in addressing personal data breaches:
ARTICLE 35
Data Protection Impact Assessment
Impact assessments are intended to either expose risk in the process, or to establish that the process protects personal data end-to-end. Veriato’s activity monitoring uniquely assists with assessing the current state of operations and its adherence to GDPR.
ARTICLE 41
Monitoring of Approved Codes of Conduct
Periodically, supervisory authorities may review the policies, processes, and documentation of an organization to review its adherence to GDPR. Veriato’s user activity logging can provide needed detail throughout any audit of user conduct. Below is an example of how Veriato assists in monitoring conduct:
Demonstrating GDPR Compliance with Veriato
GDPR is a far-reaching, bold piece of legislation that impacts any business with customers in the European Union. Ultimately, GDPR is designed to ensure the privacy of personal data. And, as long as the only access to and processing of a given personal record is performed by someone who both has a legitimate need and only uses that information for the purposes of the organization, your organization will remain compliant.
But, because users with access to personal records use that access every day, it becomes nearly impossible to tell if and when your organization may be out of compliance. For example, access to a record may seem appropriate, but cutting and pasting that information into a separate document saved to a cloud drive certainly isn’t. This means your organization needs to be monitoring and recording all user activity, regardless of application.
Veriato assists with establishing compliance with GDPR requirements by providing IT, the DPO, security teams, and supervisory authorities alike with complete visibility into every action taken by the organization’s users. Veriato solutions help to analyze risk, test processing security, and review activity in an effort to identify breaches and their scope.
4440 PGA Blvd. Suite 500
Palm Beach Gardens, FL 33410