Data Loss Prevention and GDPR Compliance

The countdown has started to the implementation of the EU General Data Protection Regulation (GDPR) on 25 May 2018. With less than a year to go until the new regulations come into force, companies are scrambling to get their GDPR ducks in a row.

We here at CoSoSys have already put together a handy guide to what GDPR is and how Endpoint Protector can help our clients achieve compliance. However, during our recent participation in InfoSecurity Europe 2017, the question we were asked most frequently concerned the role Data Loss Prevention can play in the rush for compliance, so we decided to address the issue here on the blog as well.

What is GDPR and how will it affect your business?

The GDPR is a regulation jointly issued by the European Commission, the European Parliament and the Council of Ministers of the European Union to strengthen and unify data protection for EU citizens.

It is the most important change in data privacy regulation in Europe in the last 20 years and makes a big statement about individuals’ private data and their right to request data controllers and processors to delete, correct, and forward their data. In consequence, GDPR implies significant operational changes in organizations and strict fines in case of failure to properly protect EU citizens.

The GDPR comes at a time when most businesses have taken on a digital life. Many operate a website or distribute their products through online portals, enabling them to collect sensitive data from their customers. And while many hope to escape a too strict application of the GDPR through the sheer number of notifications the Data Protection Agency (DPA) is likely to receive, as well as lax implementation of the GDPR at national level, there is no guarantee that this will be the case. The DPA might only go after the big fish at first, but it is sure to also crack down on non-compliance by smaller companies if notifications of breaches pile up.

It is also worth noting that like any standard, GDPR compliance is likely to become a looked-for feature. Customers might shy away from the risk of giving up their sensitive data to companies that are unsure of their compliance.

Getting started on the road to compliance

There is a lot of discussion about the level of GDPR compliance needed for companies of various sizes. If the regulation is interpreted wrongly, it can cause needless expenses and difficulties for companies in the long run. For example, if smaller companies that do not need to adhere to all GDPR articles and are not required to appoint a data protection officer (DPO) choose to assign one anyway, they must then respect all GDPR rules.

It’s essential therefore that companies understand what the GDPR is and how it can be applied within the context of their own business. To assess this, they need to turn to professional auditing or specialized legal consultants as much of the jargon of the GDPR is couched in legal terms.

In the initial phases of GDPR compliance assessment, organizations can use Data Loss Prevention solutions such as Endpoint Protector to track, report and get valuable insights about what sensitive data, like personally identifiable information, credit card numbers, social security numbers, and other confidential information is being transferred where and by whom. Exit points – cloud apps, e-mail, portable storage devices, webmail, etc. – can be monitored to detect exactly where confidential data goes. The itinerary of sensitive data can thus be reconstructed giving companies a clearer picture of where they are in terms of compliance with the GDPR. These reports can be immensely helpful in conjunction with a full audit.

Choosing the right policies for you

Once you know where you stand in relation to the GDPR regulations, you can begin to formulate a plan for compliance. This is likely to mean implementing new company-wide policies for data protection that address vulnerabilities and strengthen security. It is at this stage that DLP software becomes an essential tool for compliance.

Endpoint Protector, for example, allows admins to set restrictive policies that block unwanted transfers, unauthorized copying and pasting of data, screen captures, etc., depending on the transfer channel, users or computers. It can also detect and block data transfers to solutions with data centers located in countries outside the EU that do not have an adequate level of data protection. Endpoint Protector works across borders as well, making data tracking and blocking of data transfers achievable regardless of a business’ location. Additionally, companies have the option to scan for sensitive data on users’ workstations and delete it with the recently redesigned eDiscovery module.

All these features address key points of GDPR compliance, namely the right to be forgotten, the handling and tracking of sensitive data, the prohibition of transfers of EU citizens’ data to non-EU countries that do not meet data protection standards and the need for any company that handles EU citizen data, regardless of its physical location, to be GDPR compliant.

It is also worth keeping in mind that the GDPR simply states that data privacy must be ensured, with no mention of exit channels or platforms, whether Windows, macOS or Linux, iOS, Android, Windows Phone etc. After all, the channel is not what matters: data must be secured no matter what. Therefore, for any data security tool companies choose to implement, they must make sure it covers their entire infrastructure, all endpoints, mobile devices and exit points.

GDPR ultimately has the welfare and safety of EU citizens at its heart and promises to harshly punish companies that do not comply with the regulation’s standards. It places the responsibility with the company in case of data protection breaches, and companies are held accountable for them in the eyes of the DPA. It is therefore essential that breaches be avoided, and there is no better way to do that than through DLP solutions accompanied by complementary solutions to cover multiple threat scenarios. And while it remains to be seen how harshly the DPA will act in case of non-compliance and what kind of companies are most likely to fall under its radar, the best way not to test the DPA’s intentions is to not have any breaches at all.
