In its report, The role of technology in your GDPR strategy, IDC identifies EIM technologies as central to achieving compliance with the EU’s General Data Protection Regulation (GDPR). The GDPR sets out to deliver new levels of data privacy and protection. This places emphasis on the security of all your enterprise applications. In the first of a series of three blogs, I want to look at the critical role of security in EIM deployments.
This year has seen security move to front and center of the IT world. The influential global CIO Survey 2018 from Harvey Nash and KPMG found security at the top of the priority list for senior IT executives—more than doubling in importance from the year before. There is an increasing amount of critical digital information to protect, and organizations are more vulnerable to attacks than they have ever been.
The KPMG survey found that 86% of CIOs surveyed felt confident in the security measures they had in place. You have to question this confidence when 2017 set the all-time record for data breaches and 2018 already looks like it will surpass that total.
Data breaches getting bigger and more expensive
The striking aspect is that breaches seem to be getting larger. One of the largest, high-profile data breaches involved Under Armour®. The company’s MyFitnessPal app was breached, exposing the personal details in over 150 million accounts. Under Armour informed everyone of the breach within four days of it occurring. Sounds pretty good, right? Not for GDPR, which requires notification within 72 hours.
Even with Under Armour’s swift actions, it could potentially be liable for the huge fines of €20 million or 4% of turnover that can be levied under GDPR (though it seems unlikely given they responded quickly). As it was, the company’s shares immediately dropped almost 4% on the news.
GDPR heightens the focus on security. It means you must know what personal and sensitive data you have, where it is, who is using it, who can access it and, importantly, how you’re protecting it. It means you must take steps to ensure your systems and devices are secure, and that you’re prepared to identify and quickly report any security breaches affecting this type of data. The Under Armour case illustrates the perils of getting this wrong: it costs you a great deal financially and in terms of reputation.
GDPR demands. EIM delivers.
For a piece of legislation designed to radically change the landscape for data privacy and data protection, GDPR says frustratingly little that is explicit about security. Only Article 32 talks specifically about security, setting out that an organization must “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” involved in data processing “in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”
If these requirements sound like the security capabilities inherent in an enterprise-wide EIM platform, it’s because they are. The IDC list of technologies needed for GDPR compliance is:
- Data discovery
- Data classification
- Enterprise Content Management
- Records Management
It reads like a ‘who’s who’ of EIM functionality but, when you consider that GDPR is pretty much all about better managing enterprise information, it makes sense. EIM solutions can identify all the structured and unstructured data that resides within your organization and bring that information together on a single platform. Data can be classified and access rights imposed so you know the information is only accessed by the right people. You can ensure that data is archived or deleted as quickly as possible to meet the data minimization requirements of GDPR.
Vitally, EIM platforms such as OpenText™ EIM add a layer of security that is essential in the new collaborative, hyper-connected world where data is shared daily between a company and its partners. Information security isn’t just about keeping bad actors out. It’s also about rapid detection and remediation when breaches do occur. Features such as endpoint security, incident response and forensic data investigation ensure that hacking attempts are quickly spotted and investigated, and that the risk of a data breach is minimized.
Building on the IDC list
There are three areas that I would add to IDC’s list. The first is Identity and Access Management (IAM). The first generation of IAM revolved around assigning access privileges for employees. In today’s world, personal data is regularly shared with customers, suppliers and other partners. Organizations also rely on temporary and contract staff.
All these players need carefully managed, time- and resource-limited access. All accounts must be disabled as soon as they are no longer required—so-called ‘ghost user accounts’ provide a very attractive back door for hackers. Modern EIM requires sophisticated IAM functionality to secure the identity of people, systems and, increasingly, things—just think about how much personal data is being collected by a smart home or wearable device.
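As an added illustration (not part of the original post or of any OpenText product), the Python below reviews a constructed directory export for the ‘ghost user accounts’ described above: time-limited contractor or partner access that has expired or was never given an expiry date, and enabled accounts unused beyond an assumed 90-day threshold. The account records and the threshold are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample directory export (not real data): one record per account.
ACCOUNTS = [
    {"user": "alice", "kind": "employee", "enabled": True,
     "last_login": date(2018, 6, 1), "expires": None},
    {"user": "bob-contractor", "kind": "contractor", "enabled": True,
     "last_login": date(2018, 3, 2), "expires": date(2018, 3, 31)},
    {"user": "partner-svc", "kind": "partner", "enabled": True,
     "last_login": date(2017, 11, 20), "expires": None},
    {"user": "temp-dan", "kind": "temporary", "enabled": False,
     "last_login": date(2018, 1, 15), "expires": date(2018, 1, 31)},
]

STALE_AFTER = timedelta(days=90)     # assumed policy threshold, not from the post
REPORT_DATE = date(2018, 6, 10)      # assumed date on which the review is run


def ghost_accounts(accounts, today, stale_after=STALE_AFTER):
    """Return (user, reason) pairs for enabled accounts that should be disabled
    or reviewed: expired time-limited access, missing expiry on non-employee
    accounts, and accounts unused for longer than the stale threshold."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already disabled: nothing to do
        reasons = []
        if acct["kind"] != "employee":
            if acct["expires"] is None:
                reasons.append("non-employee account has no expiry date")
            elif acct["expires"] < today:
                reasons.append("access expired on %s" % acct["expires"])
        last = acct["last_login"]
        if last is None or today - last > stale_after:
            reasons.append("no login for more than %d days" % stale_after.days)
        for reason in reasons:
            findings.append((acct["user"], reason))
    return findings


if __name__ == "__main__":
    for user, reason in ghost_accounts(ACCOUNTS, REPORT_DATE):
        print("%-16s %s" % (user, reason))
```

Run against a real export, the same checks give the list of accounts to disable or to assign an expiry date, which is the evidence an auditor will ask for under Article 32.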
The second area is endpoint security. More and more often, security threats enter the enterprise through one or more of the many endpoint devices (laptops, mobile phones, etc.) that are carried by staff. In order to safeguard your corporate information, these endpoints must be protected against malware and unauthorized access. The OpenText™ Security Suite includes the industry-leading OpenText™ EnCase™ Endpoint Security, which provides early detection, alerts and forensic-level response options.
One other GDPR consideration beyond the IDC list is handling breaches. GDPR sets out strict timelines for communicating a breach to the affected individuals. Are you prepared to detect and report a breach within 72 hours? Not only do EIM Security Solutions have software to assist with this, they also provide guidance on how to navigate a breach and respond to it.
With security at the front of CIO minds and GDPR compliance a must, the security capabilities within EIM solutions are perfectly suited to deliver the level of data protection you need to minimize risk and meet regulatory requirements.
To find out more about how an EIM platform can help meet the security requirements of GDPR, please contact us.