Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Is Your Data Access Governance Program Fit for GDPR Compliance?


Regardless of whether we are talking about GDPR, HIPAA, PCI-DSS or any other data protection regulation, they all require some form of data access governance (DAG) program. A DAG program is required to ensure that organizations know what data they store, and the reasons why they are storing it. They are required to know where their sensitive data is located, who has access to it, and the type of access they have. DAG is typically broken into three parts: people, process and technology.

People

This includes training staff members to ensure that they understand their role in protecting the sensitive data they interact with. It also requires appointing a qualified security team whose role is to assist the relevant stakeholders in accessing their data easily and securely.

Process

Organizations are required to establish documentation that defines how data should be handled. This includes data that is stored, accessed, changed, moved and secured. There will need to be a clearly defined protocol for auditing the life-cycle of all sensitive data.

Technology

Organizations must implement the solutions necessary to detect, alert and respond to important system events. Such events may include suspicious network traffic and endpoint activity, as well as any changes made to access permissions and sensitive data.

DAG and GDPR

The GDPR, which came into effect in May 2018, introduced a number of fundamental changes to the way organizations collect, process and store personal data belonging to EU citizens. Some of these changes include:

The key to GDPR compliance is the ability to control access rights to employee and user data. Additionally, you should only collect/store data if it is absolutely necessary. Of course, before you can protect your data, you must first know where it is, and what it is. There are a number of data discovery tools which can help organizations automatically discover and classify sensitive data such as PHI, PII, PCI, and more.

Once you have discovered and classified your data, you can begin to set up roles, review access rights, and set up policies that help you enforce those access rights. You will then need a way to monitor changes made to these access rights, including any changes made to the sensitive data you store. Of course, there is no need to do this manually, as there are a number of affordable data access governance solutions that can make this job a lot easier.

Most sophisticated auditing solutions offer a wide range of features that enable you to detect, alert, report and respond to changes made to your critical assets. Using Lepide Data Security Platform, for example, you can review current access privileges, see how they were granted, and receive real-time alerts when they are changed. Finally, its ability to automatically generate a wide range of reports will make it a lot easier to satisfy GDPR compliance requirements.