GDPR and What it means for Personal Data Protection
By: Frank J. Ohlhorst
One of the primary tenets of the EU’s GDPR is the protection of personal data. That protection spans many facets of data control, including where the data is stored and to whom it may be transferred, who can access it, and the rights of the individual the data describes (the data subject) to access, correct, export and erase it. The onus of protecting the data lies with the organization that stores and processes it, yet control over the data must be given to the data subject.
That creates something of a conundrum: companies must protect personal data from compromise, yet still allow the individuals it belongs to to access it freely. Simply put, GDPR has the potential to create significant problems for organizations that are not doing their utmost to protect personal data.
What’s more, those providing services via the cloud face an additional complication in the form of data locality. GDPR does not contain a blanket data localization rule, but its restrictions on international transfers (Chapter V) mean that, in practice, certain customer data must stay within the EU/EEA or within a jurisdiction that offers equivalent protection.
Although data localization laws are not new, and were already the rule in many regions, such as Germany, Switzerland, the Netherlands, China, Russia, Turkey, Indonesia, Uganda, Tanzania, Kenya and other countries prior to 2018, the forthcoming GDPR requirements are bringing data localization sharply into focus.
Specifically, GDPR permits personal data to be transferred to a country outside the EU only when an adequate level of protection is ensured: either the European Commission has issued an adequacy decision for that country, or the organization puts appropriate safeguards in place (such as standard contractual clauses or binding corporate rules). If neither holds, the data cannot travel there. Adequacy concerns the legal regime of the destination, but it also presupposes technical protections: ensuring that only those authorized to access the data can actually access it, and keeping the data encrypted while in transit.
Ensuring those levels of data protection requires rethinking how data subjects access their data, and making sure that those accessing the data are actually who they claim to be. Here, technologies such as MFA (multi-factor authentication) provide the foundation for ensuring that only authorized individuals have access to the data.
While implementing MFA takes some work, it still proves easier than many other security technologies that raise the level of trust in the authentication process. The aim is to prevent breaches that stem from poor password management (weak, reused or phished passwords), which makes it all too easy for an attacker to crack or hijack privileged accounts and gain access to sensitive data.
MFA greatly reduces that risk. Adaptive (risk-based) MFA goes further: it scores each log-in attempt on signals such as an unfamiliar device or location and asks the user for an additional factor only when the attempt looks suspicious. Combining MFA with a “least privilege” approach, so that an authenticated user can reach only the personal data their role requires, is a strong way to protect personal data while also meeting the requirements of GDPR.
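The mechanics behind the last two paragraphs, as an added illustration that is not code from this article or its white paper: a second factor implemented as TOTP (RFC 6238 over RFC 4226 HOTP), a risk assessment that only demands that second factor when the log-in looks suspicious, and a least-privilege check over personal-data records. The user profile, the risk signals (unrecognised device, unusual country, privileged role), the role-to-permission table and the sample log-in attempts are all constructed here for the example.

```python
"""Adaptive MFA with TOTP step-up plus a least-privilege check on personal data.

Added example, not code from the original article. Profiles, risk signals,
roles and permissions below are constructed for illustration.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


# ---------- second factor: HOTP / TOTP (RFC 4226 / RFC 6238) ----------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code for a counter, using RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the number of `step`-second periods."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one within +/-window steps (tolerates clock drift).

    compare_digest keeps the comparison constant-time so a wrong guess does not
    leak how many leading digits matched."""
    if not code.isdigit():
        return False
    counter = at_time // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


# ---------- adaptive (risk-based) step-up ----------

@dataclass
class UserProfile:
    username: str
    totp_secret: bytes                 # shared secret enrolled in the user's authenticator
    known_devices: FrozenSet[str]      # device identifiers seen on previous verified logins
    usual_countries: FrozenSet[str]    # countries the user normally logs in from
    roles: FrozenSet[str]


@dataclass
class LoginAttempt:
    username: str
    password_ok: bool                  # result of the first factor (hypothetical upstream check)
    device_id: str
    country: str
    totp_code: Optional[str] = None    # second factor, supplied only after a step-up prompt


def risk_signals(profile: UserProfile, attempt: LoginAttempt) -> List[str]:
    """Constructed risk model: any signal present means a second factor is required."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("unrecognised device")
    if attempt.country not in profile.usual_countries:
        signals.append("login from unusual country")
    if "admin" in profile.roles:
        signals.append("privileged account")   # admins always get the step-up
    return signals


def authenticate(profile: UserProfile, attempt: LoginAttempt, now: int) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'deny' or 'step_up'."""
    if not attempt.password_ok:
        return "deny", "first factor failed"
    signals = risk_signals(profile, attempt)
    if not signals:
        return "allow", "low-risk login, first factor sufficient"
    if attempt.totp_code is None:
        return "step_up", "; ".join(signals)
    if verify_totp(profile.totp_secret, attempt.totp_code, now):
        return "allow", "second factor verified"
    return "deny", "second factor failed"


# ---------- least privilege over personal-data records ----------

# Constructed role table. Data subjects act only on their own record; support
# staff may read any record but not export it; only admins may export or erase.
PERMISSIONS = {
    "subject": {"read_own", "export_own", "erase_own"},
    "support": {"read_any"},
    "admin":   {"read_any", "export_any", "erase_any"},
}


def authorize(profile: UserProfile, action: str, record_owner: str) -> bool:
    """Allow `action` on the record belonging to `record_owner` only if a role grants it."""
    granted = set().union(*(PERMISSIONS.get(r, set()) for r in profile.roles))
    if record_owner == profile.username and f"{action}_own" in granted:
        return True
    return f"{action}_any" in granted


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    alice = UserProfile("alice", secret, frozenset({"laptop-1"}), frozenset({"DE"}),
                        frozenset({"subject"}))
    now = 59
    print(authenticate(alice, LoginAttempt("alice", True, "laptop-1", "DE"), now))
    print(authenticate(alice, LoginAttempt("alice", True, "phone-9", "DE"), now))
    print(authenticate(alice, LoginAttempt("alice", True, "phone-9", "DE",
                                           totp(secret, now)), now))
    print(authorize(alice, "export", "alice"), authorize(alice, "export", "bob"))
```

The test-vector secret and the codes it produces at T=59 and T=1111111109 come from the RFC 4226/6238 appendices, so the TOTP routine can be checked against published values; in a real deployment the window should be kept small and a code that has already been accepted should be rejected on replay, which this example does not track.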
For more details please read our white paper Are You Ready for GDPR?.