The worldwide data privacy regulation landscape is changing
National laws and state/provincial laws continue to be enacted and strengthened to ensure their citizens’ data is protected and give individuals more control over how personal data is collected, used, and shared. No matter what industry you are in, if you retain personal data, you must comply with some set of data privacy rules or face potentially costly audits, penalties and fines, and damage to your brand and reputation.
Your data privacy responsibilities
Operationally, for all organizations subject to privacy regulations, their compliance depends on how well they prepare and execute these requirements and responsibilities below:
• Inventory the personal data you have collected and are holding and document where it is held • Document who and what has access to it (users and systems)
• Assess if you have implemented the legally required standards for protecting Personal Data
• Monitor data access activity for internal data handlers to ensure compliant behavior
• Allocate the resources to fulfill data right requests in the legally required time frame
• Collect and retain the records necessary for breach incident forensics and create the appropriate response plan and procedures
Choosing a solution to meet compliance responsibilities
Of course, all organizations should look for solutions that enable them to fulfill requirements in the easiest and most cost-effective way. Data privacy compliance is a lifecycle of processes and procedures, as shown in the diagram below. Your solution should automate this lifecycle, and the seven features listed below are critical to the effort.
1. Discover and classify personal data
Today, without informing the security team, anyone in your organization can spin up a database, or create an unstructured data file such as a spreadsheet, and populate it with sensitive data in a matter of minutes. An effective data privacy solution should run an automated, ongoing discovery process that finds sensitive information such as Personal Data in both structured and unstructured data sources, on-premise or in the cloud, wherever it is stored. This enables you to know at all times what regulated privacy data you hold and where you hold it.
2. Gain visibility into correlated personal data attributes
Today, a state-of-the-art data privacy solution features unique proprietary algorithms and automated machine learning that constantly looks for correlated attributes of independent structured data fields that, when combined, constitute personal data. Once these correlated attributes are discovered, the solution can protect them or retrieve them on demand. Correlated personal data visibility is required to effectively automate customer rights requests.
3. Assess rights and risks efficiently
Overly permissive user entitlements offer fertile ground for costly sensitive data breaches. With the right solution in place, your organization can achieve complete visibility into current user entitlements across your entire data estate, enabling you to easily assess and effectively streamline privileged user policies. You can get a vulnerability assessment that creates a personal data risk profile, scanning to verify proper configurations and up-to-date CVE patches to have the auditing reports that privacy regulations require and ensure you meet industry standards for securing databases and operating systems.
4. Achieve 360° visibility and control
A reliable data privacy solution should constantly collect, normalize, and store data to create an audit trail revealing who is accessing it, when, and from where. From a single dashboard, all stakeholders should be able to automatically filter on any data type in any combination in a matter of seconds for reporting or live investigation. This view into the data makes the entire team more efficient at fulfilling their responsibilities within the privacy management lifecycle.
5. Manage data subject requests
Without a reliable data privacy solution, fulfilling Data Subject Access Requests (DSAR) is a huge time and resource burden at scale. Your solution should automate the workflow that accesses only data assets holding personal data, checks for stored correlated attributes, and performs scans on those databases to precisely identify the user.
6. Protect, respond and remediate
Your solution should offer tools that protect personal data and associated sensitive data before something happens, like a breach. By continuously and automatically identifying inappropriate or risky data access behavior across the entire estate and notifying you of policy violations or developing threats, you can correct suspicious behavior before it becomes an incident.
You should also get plain-language descriptions of what happened – who did it, when, and what data was accessed as well as live access to audit data to expedite real-time forensic-level investigation into the details of any compliance or security incident.
7. Complement your existing data protection solutions
A good data privacy solution should complement current security or privacy tools you may already use and dramatically reduce the time and resources required for audits. You should be able to identify and remediate non-compliant data access behavior to protect your data more effectively and gain visibility to risks across all of your data repositories.
See the Imperva Data Privacy Solution
Imperva Data Privacy is the only solution to combine data privacy and sensitive data security in a single platform, giving you the tools to assure your organization’s compliance in the easiest and most cost-effective way. Schedule a demo or start a free trial today.
Try Imperva for Free
Protect your business for 30 days on Imperva.