The EU General Data Protection Regulation (GDPR) was issued by the European Commission, the European Parliament, and the Council of Ministers of the European Union with the purpose of strengthening and unifying data protection for individuals within the European Union.
GDPR is the most notable change in data privacy regulation in Europe in the last 20 years. Its purpose is to protect EU data subjects’ private data, making companies directly responsible for applying security measures to protect the personal information they collect. GDPR also solidified EU data subjects’ right to demand that data controllers and processors delete, correct, and forward their data.
GDPR’s fines are by now legendary: companies found to be violating its core principles can be fined up to €20 million or 4% of annual worldwide turnover, whichever is higher. Data Protection Authorities (DPAs) around Europe have also not been shy about applying them. From Google and British Airways to H&M and Marriott, some of the world’s biggest companies have been hit by record-breaking fines exceeding €20 million.
The Data Loss Prevention (DLP) sector is uniquely situated to provide not only informational support but also tools that can help meet GDPR’s strict requirements. Here are the most important ways in which DLP can lend a hand with GDPR regulatory compliance:
1. Find out where personal data is stored
One of GDPR’s main stipulations requires data controllers and processors to know where personal information is stored and how it is being processed. Most DLP solutions include data discovery features that let admins scan a company’s entire computer and device fleet for sensitive information, as defined through specialized compliance profiles: profiles for laws such as GDPR, HIPAA, or CCPA, for international standards such as PCI DSS, for personally identifiable information (PII), and for file extensions, file names, and more. This way, companies can determine how employees use and store sensitive data. DLP tools can also log the movements of that data and generate reports that can be provided to DPAs upon request or used to support auditing.
2. Delete personal data when it is no longer needed
Another GDPR requirement is that personal data can only be processed for the purpose for which it was collected and must be erased when there is no longer any need for it. DLP tools with data at rest scanning features allow admins to search company endpoints to ensure that data that needs to be deleted is not stored locally on hard drives.
If files containing the sensitive data defined through DLP policies are found, admins can apply remediation actions such as encryption or deletion to ensure that GDPR requirements are met. In this way, admins can easily control which personal data remains on the company network.
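As an added illustration of the data discovery and data-at-rest scanning described in points 1 and 2 (example code written for this page, not Endpoint Protector’s own engine), the following Python builds a small compliance profile that combines content patterns with a file-name rule, scans a constructed endpoint snapshot, and produces one audit-style finding per flagged file. The profile, paths, and file contents are all made up.

```python
import re

# Constructed compliance profile in the spirit of the GDPR / PCI DSS / PII
# profiles mentioned above; the regexes are simplified stand-ins.
PROFILE = {
    "patterns": {
        "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
        "card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    },
    "name_hints": ("customer", "payroll"),  # file-name rule
    "content_exts": (".txt", ".csv"),       # only inspect these extensions
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops random 16-digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        total += (n * 2 - 9 if n > 4 else n * 2) if i % 2 else n
    return total % 10 == 0

def scan_text(text: str, profile: dict) -> dict:
    """Return {label: match_count}; card matches must also pass Luhn."""
    hits = {}
    for label, rx in profile["patterns"].items():
        found = [m.group() for m in rx.finditer(text)]
        if label == "card":
            found = [f for f in found if luhn_ok(re.sub(r"\D", "", f))]
        if found:
            hits[label] = len(found)
    return hits

def scan_endpoint(files: dict, profile: dict) -> list:
    """files maps path -> content (constructed snapshot); one finding per flagged file."""
    findings = []
    for path, content in sorted(files.items()):
        name = path.rsplit("/", 1)[-1].lower()
        by_name = any(h in name for h in profile["name_hints"])
        hits = scan_text(content, profile) if name.endswith(profile["content_exts"]) else {}
        if hits or by_name:
            findings.append({"path": path, "hits": hits, "name_match": by_name,
                             "action": "remediate" if hits else "review"})
    return findings

SAMPLE = {  # constructed; every value is made up
    "/home/alice/notes.txt": "Mail jane.doe@example.com re card 4111 1111 1111 1111",
    "/home/alice/draft.csv": "id,total\n1,1234 5678 9012 3456\n",  # fails Luhn
    "/home/alice/customer_list.xlsx": "<binary>",
    "/home/alice/todo.txt": "buy milk",
}
```

The "action" field mirrors the remediation step above: content hits call for encryption or deletion, while a file flagged only by its name is queued for review.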
3. Restrict personal data usage
GDPR states that processors must ensure that personal data is not used for any purpose other than that for which it was collected. DLP solutions can help meet this requirement through data in use monitoring and control. Using content inspection and contextual scanning, DLP solutions can identify sensitive data in files and in the body of emails in real time, blocking its transfer through unauthorized channels such as messaging apps, cloud storage services, or social media platforms. With such security policies in place, users will no longer be able to upload, copy-paste, or print personal data, preventing data leaks and sensitive data misuse.
4. Prevent personal data tampering and loss
The concept of security by design and by default, which GDPR introduced, made companies legally accountable for any data leakage or data theft. While antivirus and antimalware solutions were built to prevent data exfiltration through cyberattacks, DLP solutions deal with insider threats, such as malicious insiders attempting to steal intellectual property and confidential data, or employee negligence that leads to unintended data leaks.
With their powerful data at rest and data in motion scanners and device control features, DLP solutions such as Endpoint Protector can help businesses ensure that personal data never leaves the company network by restricting or blocking its transfer.
5. Maintain personal data security standards
Under GDPR, data controllers are required to know which privacy and security standards their external data processors have chosen to implement and to check that those standards are being upheld. DLP tools make this straightforward: they can scan data in transit and at rest across a company’s entire network using these predefined standards as filters, determine whether any policy breaches have occurred, and report them back to the data processors so they can take action.
DLP solutions offer unparalleled insight into a company’s data and allow admins to set strict rules concerning specific sets of sensitive data while granting employees the liberty to manage data outside of these categories freely. It is an easy way to add an extra layer of security to a company’s network, ensuring that human error or malicious insiders do not lead to non-compliance. In the era of GDPR, there are no more excuses for companies suffering data breaches: they are now responsible in the eyes of the law for any personal data of EU residents that is mismanaged or misplaced.
To learn more about GDPR requirements, check out our GDPR Infographic – Checklist and essentials.
Frequently Asked Questions
What is GDPR?
The EU General Data Protection Regulation (GDPR) is a regulation issued by the European Commission, the European Parliament, and the Council of Ministers of the European Union with the purpose of strengthening and unifying data protection for individuals within the European Union. It is the most significant change in data privacy regulation in 20 years. It took four years of preparation and debate until it was finally approved by the EU Parliament on 14 April 2016. GDPR makes a big statement about individuals’ private data and their right to request that data controllers and processors delete, correct, and forward their data. GDPR brought significant changes to its predecessor, the Data Protection Directive 95/46/EC, requiring operational changes in organizations and imposing major fines in case of failure to protect EU data subjects’ personal information.
What counts as personal data under GDPR?
The EU’s General Data Protection Regulation (GDPR) protects the personal information of all EU data subjects. Under GDPR’s Article 4, personal data is defined as any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, through an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Further special categories of protected data are listed under Article 9(1): information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation or sex life, health, genetic data, and biometric data used to uniquely identify a natural person.
Who does GDPR apply to?
GDPR applies to any organization that collects or processes the personal information of EU data subjects. GDPR has an extraterritorial reach, which means that companies must comply with it regardless of whether they have physical offices in the EU, as long as they sell their products or services to EU residents or process data on behalf of companies that do.