The General Data Protection Regulation (GDPR) and your Business: Part 2 – Solutions to aid in compliance
In my last post, I discussed what GDPR is, why it’s coming into force and what it means to you as a business. If you haven’t had a chance to read it already, take a look at part 1, as you may find the content discussed in this post more relevant once you’ve read it.
So, you’ve read up on GDPR, you know it’s going to affect you and now you have the lovely task of going out into your organisation and dealing with it before it comes into force.
#Nightmare…or is it? Think about what I said in my last post. Information is power.
Complying with GDPR is actually going to give you a hell of a lot of insight into your business: your policies, processes and procedures, your data safeguards, your audit and e-Discovery capabilities, and how your users actually consume the data.
GDPR shouldn’t be seen as a headache; it should be seen as an enabler to the business for these reasons. (You should really be reviewing all of the above regularly anyway as good information security management practice, but that’s a story for another day!)
You’ll also find that by doing this review, you’ll be able to apply the same methodology to the rest of the data that you hold and can prove that you are taking your information security practices seriously as a whole.
Where do you start then? At the beginning of course! But seriously, first things first, you need to find out what you know already. Some points of note:
- Understand what personal data you capture and what it’s being used for. Is all of this information relevant? What data is being handled and by whom? How long are you keeping it for?
- How are you currently protecting personal data? What processes are in place to ensure that it is protected? Is all of this auditable? Are your users educated to ensure that these processes are followed?
- How easy is it for you to do e-Discovery? Do you even have the ability to do e-Discovery? Don’t forget, the onus is on you to prove that you are compliant. If someone requests all the data that you hold on them, can you confidently find it and prove that you’ve found it all?
- Do you have the right people in-house to be able to manage these areas? Are there any skills gaps?
- Where actually is the data? Find out where all of the personal data you hold resides and don’t make any assumptions. Check cloud repositories and the 3rd party services/vendors that you use – how are they securing the data? Check mobile devices, network technologies such as endpoint and storage systems, archives etc. Essentially, don’t leave any stone unturned in your searches/inquiries.
I’ve made it sound dead easy right? Okay, so maybe that was a little sarcastic…that being said, there are a multitude of technologies out there from multiple vendors that can help ease this burden. Two vendors that spring to mind for me are Symantec and Veritas.
Yes, they were one company at one point, but divorce aside, they each have pedigree. They are both market leaders in their respective technology sectors (and were before they got married too) and have solutions that are more than equipped to help your business not only achieve GDPR compliance but prove it as well.
Let’s give you a run down:
Symantec has been around for a long time and is well equipped with some amazing solutions that you can use to secure your data. They do take security very seriously. One such example is the DLP (Data Loss Prevention) Suite. This platform can be used to comb the network for sensitive information, tag it and then apply protection policies against it. This can be done over multiple areas:
- File Servers, Exchange, SharePoint, Databases, Web Servers
- Email, Web, FTP, IM
- USB, Hard Drives, Removable Storage, Network Shares, Print/Fax, Cloud & Web Apps
- Cloud & Web Apps, Email
- Cloud Email, Cloud Storage
Some pretty serious coverage right? Did I forget to mention it can learn too? The DLP kit also works really well with one of the Veritas solutions which I’ll cover in a little bit.
This system can also be integrated with Symantec’s encryption technologies. This helps ensure that if data needs to be moved or shared, it is done so in a safe and secure manner; you can also ensure that data at rest is secure as well. Symantec plays in the space of whole disk, removable media, email and file share encryption, as well as being one of the biggest SSL/TLS certificate vendors on the planet (formerly Verisign).
Oh, and for those that aren’t content with that lot, they have a command line encryption solution you can get your hands on, extremely useful for scripts if you’re into that (hint: great for bulk data transfers).
Another interesting suite that Symantec has that doesn’t get enough air time in my eyes is the Control Compliance Suite. Have a regulation you need to adhere to? Know all of the requirements in order for you to comply? Mapped your internal policies to it? Educated your users on it? Tested your server configuration and other security systems against it? No? Need help? This is the suite to do it with.
Another point that’s worth considering is that Symantec recently acquired Blue Coat, these guys have some serious tech too. You really want to be taking a look at the SSL Visibility Appliance (essentially eyes into and control of your encrypted traffic) and the Cloud Access Security Broker. For all you SaaS junkies out there, as you move more infrastructure to the cloud how do you maintain data security and compliance? Cloud Access Security Broker that’s how.
Couple these with a potential…dare I say it…integration…with other Symantec solutions I’d say you have a huge foothold on GDPR with this. Even if they don’t get integrated, it wouldn’t be the end of the world right? (Again, this is my own personal opinion, not of Arrow ECS, Symantec or Blue Coat for that matter!).
Veritas, on the other hand, is in the business of information management. They literally define themselves as an information management company, and boy, they aren’t lying. Veritas has an entire IG (Information Governance) solution area, so you’re already onto a winner, and these solutions are big hitters.
First we have Data Insight. This scans your file systems and gives you the tracking and reporting on your file data that delivers accountability.
Use it to find out what is out there: what the file types are, how old they are, when they were last accessed and by whom, who created them, where they are and who the data custodian is. This is the solution that works brilliantly with DLP from Symantec, as you probably already guessed.
You then have Enterprise Vault, an archiving and e-Discovery solution for file systems and emails. This can be delivered on-premises or in the cloud.
Archiving is important for 2 reasons:
The first is that it’s great for dealing with storage management issues: move old and infrequently accessed data to low-cost long-term storage, then have it indexed and available in case you need to refer to it for any reason. There are also data classification services available, so data can be archived and retained based on policy. Data retention is the key thing here, people: holding onto data longer than you should is a major breach and you really don’t want that…
The second is the ability to do e-Discovery on the archives. You’ve got to remember, part of GDPR is that someone has the right to request all the data you hold on them, how on earth are you going to find it all? Got a legal case pending? How are you going to find the evidence to support your case in terms of file and email data?
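To make the two archiving points above concrete, here is an added example of what an inventory-driven audit looks like in practice. It is not code from Arrow, Symantec or Veritas; it assumes a file inventory of the kind a scanner reports (path, custodian, creation and last-access dates, classification, and which data subjects appear in the file) and an illustrative retention policy. Both the inventory and the retention periods are constructed for the example. It flags files held past their retention period, picks idle files as archive candidates, lists the custodians holding personal data, and answers the "find everything we hold on this person" question that a subject access request raises.

```python
from dataclasses import dataclass
from datetime import date

# Assumed retention policy: maximum age in days per data category.
# None means the category holds no personal data, so no limit applies.
# The values are illustrative for this example, not legal guidance.
RETENTION_DAYS = {
    "customer": 6 * 365,
    "hr": 7 * 365,
    "marketing": 2 * 365,
    "internal": None,
}


@dataclass(frozen=True)
class FileRecord:
    """One row of a file inventory: the fields a discovery scan reports."""
    path: str
    owner: str            # data custodian
    created: date
    last_accessed: date
    category: str         # classification assigned during discovery
    subjects: frozenset   # identifiers of people the file holds data on
    personal: bool        # does the file contain personal data at all?


AUDIT_DATE = date(2018, 5, 25)  # GDPR application date, used as "today"

# Constructed sample inventory (not real data, not a real environment).
INVENTORY = (
    FileRecord("/fs/sales/customers_2010.xlsx", "alice", date(2010, 3, 1),
               date(2011, 1, 10), "customer", frozenset({"j.smith", "a.jones"}), True),
    FileRecord("/fs/sales/customers_2016.xlsx", "alice", date(2016, 6, 1),
               date(2018, 5, 20), "customer", frozenset({"j.smith"}), True),
    FileRecord("/fs/hr/leavers_2009.csv", "bob", date(2009, 1, 15),
               date(2012, 2, 1), "hr", frozenset({"a.jones"}), True),
    FileRecord("/fs/marketing/newsletter_2017.csv", "carol", date(2017, 3, 1),
               date(2017, 3, 5), "marketing", frozenset({"j.smith", "m.lee"}), True),
    FileRecord("/fs/it/build_notes.txt", "dave", date(2012, 1, 1),
               date(2012, 6, 1), "internal", frozenset(), False),
)


def over_retention(records, as_of=AUDIT_DATE):
    """Files older than the retention limit for their category (a breach risk)."""
    flagged = []
    for r in records:
        limit = RETENTION_DAYS.get(r.category)
        if limit is not None and (as_of - r.created).days > limit:
            flagged.append(r)
    return flagged


def stale(records, idle_days=365, as_of=AUDIT_DATE):
    """Files not accessed within idle_days: candidates for low-cost archive storage."""
    return [r for r in records if (as_of - r.last_accessed).days > idle_days]


def subject_access(records, subject):
    """Every path holding data on one subject: what a subject access request must cover."""
    return sorted(r.path for r in records if subject in r.subjects)


def custodians(records):
    """How many personal-data files each custodian is accountable for."""
    counts = {}
    for r in records:
        if r.personal:
            counts[r.owner] = counts.get(r.owner, 0) + 1
    return counts


def audit(records, as_of=AUDIT_DATE):
    """Retention first, then archiving: a file past retention is deleted, not archived."""
    delete_paths = {r.path for r in over_retention(records, as_of)}
    archive_paths = {r.path for r in stale(records, as_of=as_of)} - delete_paths
    return {
        "delete": sorted(delete_paths),
        "archive": sorted(archive_paths),
        "custodians": custodians(records),
    }


if __name__ == "__main__":
    report = audit(INVENTORY)
    for action in ("delete", "archive"):
        print(f"{action}:")
        for path in report[action]:
            print("   ", path)
    print("custodians:", report["custodians"])
    print("data held on j.smith:", subject_access(INVENTORY, "j.smith"))
```

Two design points are worth noting. Retention is evaluated before archiving, so a file that should already have been destroyed is never quietly moved to cheap storage and kept indefinitely. And the subject access lookup deliberately searches the whole inventory, including files flagged for deletion, because until those files are actually gone they are still data you hold on that person.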
You then have an entirely different level of e-Discovery through what is aptly known as the e-Discovery platform. While the e-Discovery stuff I mentioned before was targeted at your file systems and emails, this solution is designed specifically for the entire e-Discovery lifecycle. From legal hold and collections through analysis, review and production. They’ll even let you have it hosted if you use a certified provider. Bonus!
I am however only scratching the surface here, there are plenty of vendors out there that have solutions that can help you with GDPR, not just the ones discussed in this post.
If you’re still confused, come and have a chat with us!
We have a wealth of knowledge and expertise at Arrow as well as a formidable linecard too. We’re more than happy to guide you through all of it. From advice on what solutions may fit you best, working with you to get it implemented with professional services, right through to training your staff to use the solutions. We’re on hand to provide you with the advice and guidance you need to help shape your business’s future.
Make sure you also give our podcast a listen. The episode below features David Fearne, Richard Holmes and special guest Neil Cattermull from Compare the Cloud discussing GDPR and what it means for your business.
Chris Collier is a Technical Account Manager within the Arrow team.
Arrow Bandwidth Season 2, Ep 4 | GDPR – What it means for the channel
Have you heard of GDPR? Baffled by data protection laws? You need to listen to this podcast! New regulations will impact every business within the UK, make sure you're clued up.
The General Data Protection Regulation (GDPR) and your Business: Part 1 - What do you need to know?
Data protection might not be the most glamorous of subjects. But trust us, every UK business leader needs to read this post about the new General Data Protection Regulation (GDPR).