How to Prepare your Data at Rest for GDPR Compliance
With the GDPR implementation around the corner, companies processing EU data subjects’ personal information need to step up their data protection policies and take decisive action to reach compliance. Under the new legislation, organizations will no longer have the luxury of putting data security low on their priorities list or feigning ignorance about their data processing practices. They will be held accountable in the eyes of the law and will have to demonstrate their compliance with GDPR requirements to data protection authorities.
One of the first steps companies must take in this direction is to become aware of the way data is handled within their organizations. This implies a deep understanding of EU data subjects’ rights as well as the principles enshrined in the GDPR that relate to the processing of personal data.
Under the GDPR, sensitive information must be processed in a transparent way, its use limited to the purpose for which the consent was initially granted and stored only for the amount of time needed for the purpose for which the data was processed. Sensitive information must also be protected against unauthorized or unlawful processing and against accidental loss, destruction or damage through the use of appropriate technical and organizational measures. Data subjects can also revoke consent at any time and request that their data be deleted through the right to be forgotten.
What all these stipulations mean in practice is that companies must know where sensitive data is located, who is processing it and exercise control over it at all times. So how can companies achieve this? Auditing is a crucial first step towards GDPR compliance, but in the long run, organizations need software, like Data Loss Prevention tools, to ensure that sensitive data is being monitored and protected.
Threats to data at rest
Based on the way it’s being used, data can be separated into three distinct categories: data in use, in motion and at rest. While data in use refers to frequently updated information, usually accessed by multiple users within a network, data in motion refers to data being transferred outside the network. Lastly, data at rest is static data stored locally on hard drives that is not often accessed or modified and can be thought of as archived.
Data at rest is often considered the safest type of data because it is not exposed to the dangers of internet transfers or third-party security lapses. Often protected from cyberattacks through firewalls and antivirus software and from theft through hard drive encryption, data at rest is still left vulnerable to human error. And in the age of the GDPR, that is one of the greatest dangers to compliance.
Users can intentionally or unintentionally store sensitive data long term on their hard drives, directly contradicting some of the key requirements of the GDPR, such as the limited timeframe for which data processors may keep data or the right to be forgotten. When a data subject revokes consent or demands that their data be deleted, companies that cannot fully remove that data from their systems because of rogue copies leave themselves open to noncompliance and potential fines.
Network-wide scanning for sensitive data
One of the ways in which these risks can be mitigated is through the employment of eDiscovery tools such as those Endpoint Protector offers, which can scan and identify personal information on all the endpoints in an organization. Based on results, administrators can then take remediation actions such as deleting or encrypting files where they are found on unauthorized users’ computers.
In the case of the right to be forgotten, eDiscovery allows companies to thoroughly search their entire network for the data whose deletion is being requested and ensure that no copies remain anywhere in their systems, thus ensuring GDPR compliance. The same applies to time limitations on data storage, with the added bonus that scans can be scheduled in advance and started automatically, either as one-time or as recurring scans.
Through its extensive scanning capabilities and predefined profiles for sensitive data as defined under the GDPR, eDiscovery can also be considerably useful during the initial auditing phase of GDPR compliance. Reports can be generated from the results that can enable companies to accurately assess where sensitive data is being stored and by whom within their network.
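As an added illustration of the kind of scan this section describes (example code written for this article, not Endpoint Protector's own eDiscovery engine), the following Python script walks a directory tree with two simplified, assumed detection profiles (email addresses, and IBANs filtered by the ISO 13616 mod-97 check to cut false positives), reports per-file hits, and lists every file that mentions a given subject's identifier, as a right-to-be-forgotten request would require. The sample endpoint data it scans is constructed in a temporary directory and is not real.

```python
import re
import tempfile
from pathlib import Path

# Illustrative detection profiles (assumption: simplified, not any product's rules).
# IBAN: country code, two check digits, then 4-char groups, optionally space separated.
PROFILES = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
}

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check, which filters out random code-like strings."""
    s = iban.replace(" ", "").upper()
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])  # letters A-Z -> 10-35
    return int(digits) % 97 == 1

def scan_text(text: str) -> dict:
    """Count matches per profile in one file's content."""
    counts = {}
    for name, pattern in PROFILES.items():
        hits = pattern.findall(text)
        if name == "iban":
            hits = [h for h in hits if iban_is_valid(h)]
        if hits:
            counts[name] = len(hits)
    return counts

def scan_tree(root: Path, max_bytes: int = 1_000_000) -> dict:
    """Walk root and return {relative path: {profile: count}} for files with hits."""
    report = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue  # skip directories and oversized files
        counts = scan_text(path.read_text(encoding="utf-8", errors="ignore"))
        if counts:
            report[path.relative_to(root).as_posix()] = counts
    return report

def find_subject(root: Path, identifier: str) -> list:
    """Right-to-be-forgotten support: list files that mention one subject's identifier."""
    needle = identifier.lower()
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()
                  and needle in p.read_text(encoding="utf-8", errors="ignore").lower())

def build_sample_tree() -> Path:
    """Constructed sample endpoint data (not real records) in a temp directory."""
    root = Path(tempfile.mkdtemp())
    (root / "hr").mkdir()
    (root / "hr" / "payroll.txt").write_text("alice@example.com DE89 3704 0044 0532 0130 00\n")
    (root / "notes.txt").write_text("ref DE89370400440532013001 bob@example.org\n")
    return root
```

Running `scan_tree(build_sample_tree())` flags the payroll file for both an email and a valid IBAN, while the IBAN-shaped string in the notes file fails the mod-97 check and is not reported.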
With less than two months to go until the GDPR goes into force on 25 May 2018, companies must make sure that all personal data they are processing or collecting is properly protected and they can track its whereabouts at all times. The GDPR means not only higher security for sensitive information, but also a higher degree of transparency and awareness of how data is being used and stored. Because of this, organizations cannot afford to address only one type of data, but must develop all-encompassing policies that reasonably cover them all.
Frequently Asked Questions
Data at rest is static data stored on a hard drive, laptop, flash drive, or archived in some other way. It is inactive data that is not being transmitted across a network or actively being processed. Data at rest complements the terms data in motion and data in use, which together define the three states of digital data.
Usually, conventional antivirus software and firewalls are used to protect data at rest. Another commonly used method to safeguard stored data is hardware encryption, but while this offers protection in cases of lost or stolen computers, it does not protect against insider threats. Data Loss Prevention (DLP) solutions can scan data at rest stored on endpoints for sensitive data and, based on the results, that data can be encrypted or deleted to protect against potential breaches.
The GDPR requires companies to gain a new level of awareness of how they process data, where it is stored, and how and by whom it is being used. The essential requirements of the EU’s privacy law include data protection by design and by default, appointing a data protection officer, tracking sensitive data and reporting any breaches, extended individual rights and cross-border data transfer policy.
Encryption is explicitly mentioned in the General Data Protection Regulation (GDPR) as one of the security measures for protecting personal data. Although not mandatory under the GDPR, encryption of personal data helps companies to reduce the probability of a breach and thus avoid fines. Encryption can ensure protection for both data in motion and at rest.