The challenge of complying with the European Union’s General Data Protection Regulation is about more than simply safeguarding user data through encryption or other cybersecurity methods. It also entails knowing your risks, closing the gaps, having the systems and processes in place to notify people when and why their information is being collected, and alerting the necessary parties quickly in the case of a breach.
“Shadow and legacy applications figure among the most frequent reasons for PCI DSS and GDPR compliance failure,” according to High-Tech Bridge, a web security company out of Geneva, Switzerland.
To ensure GDPR compliance, Snow Software CIO Alastair Pooley suggests organizations determine who within their organizations is using which applications, and take stock of what data is being processed, for what purposes, and whether it is adequately secured in all cases. He adds that businesses should identify and prioritize patches and updates for the most critical applications, and ensure staff members are trained on compliance requirements and processes.
Meanwhile, CSPi notes the challenges and importance of being able to identify and issue notifications based on data breaches. Discussing GDPR, Gary Southwell, general manager for CSPi, says “Any breach of systems that have recording of such conversations containing personally identifying information for these subjects falls under the 72-hour breach notification regulations – where authorities of each country must be notified if there is a breach impacting any of their citizens’ or residents’ PII data. The challenge is trying to track down such recordings if there is a breach and to determine who needs to be notified. This data could end up residing anywhere – typically any [call] center or hosted premises – and that might be local to where the agent who picked up the call resides. So it’s not just recordings that reside in EU countries (or the U.K.). The law protects the subjects no matter where the data resides.”
In an effort to help organizations address the GDPR requirements, enterprise cloud data management company Informatica in August introduced an advanced subject registry update that provides discovery of identity information including customer and employee data across all data stores and types.
Vicky Nardone, vice president of M&T Bank, an Informatica customer, at the time commented: “One of the things that hasn’t been achievable for us before is a one-stop shop for all customer and account data. There’s never been a system at M&T Bank that has the range of data available that we have in our Informatica solution. We’ve combined 25 different sources where our customer data was fragmented. This is helping us achieve timely regulatory reporting, gain new insights, and get up-to-date customer information out to front-end systems in a really efficient manner.”