The European Union is touting the General Data Protection Regulation (GDPR) as the most important change in data privacy regulation in 20 years. Since May 25th 2018, all businesses that process and control personal data within the EU need to comply with the GDPR or face massive fines. Non-compliance will either result in a fine of up to €20 million or 4% of annual turnover, whichever is greater.
What you need to do to be compliant with the GDPR
The GDPR, which replaces the Data Protection Directive 95/46/EC, consists of 11 chapters and nearly 100 Articles. It’s an incredibly detailed directive, a great many of which refer to managing access to data:
- Implement appropriate technical and organisational measures: You must show that you have considered and integrated data protection into your processing activities. [Articles 5, 24, 25, 28, 32]
- Prevent unauthorised access to data: Unauthorised access also includes accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data transmitted, stored or otherwise processed. [Articles 4, 5, 23, 32]
- Notify relevant parties of a breach: You must notify your supervisory authority and the party the data concerns of any breaches that are likely to “result in a risk for the rights and freedoms of individuals” within 72 hours of first becoming aware of the breach. [Articles 33, 34]
- Maintain impeccable records: You need to maintain a record of data processing activities, including information on “recipients to whom the personal data have been or will be disclosed” i.e. whom has access to data. [Articles 5, 28, 30, 39, 47]
The full requirements of the GDPR are available within Official Journal of the European Union.
For Windows Active Directory domains, UserLock and FileAudit can help you on your way to GDPR compliance
Our products UserLock and FileAudit together help bolster access security — helping you to become compliant with the GDPR:
- Prove that you’ve taken technical measures to improve security
- Prevent unauthorised access to data
- Detect a breach so that you can notify the authorities quickly, mitigating any fines
- Keep a clear audit trail of network, file and folder activity to prove compliance
How UserLock helps you address GDPR on Windows files, folders and file shares
Compliance starts with securing all logins
The goal of the GDPR is to protect data from unauthorized access. This single word ‘access’ represents the process of someone using an account to actively connect to a system and open/read/copy/download personal data — an action that begins with that person logging on.
The logon is therefore the first line of defense against unauthorized access.
UserLock extends logon security to ensure that whoever is logging on to your corporate system (and accessing the data within) is exactly who they say they are. UserLock uses more than just a username and password to confirm an identity. The software analyses the contextual information around each and every logon — the day and time of logon, the IP address and workstation of the logon, even the frequency of logon — and restricts logins to only IT-approved contextual information.
For example, a user with access to data subject to GDPR compliance logs on after hours several times in succession from a remote computer. There are three red flags here — the time of day, the number of logons and the location from which the logon occurred. UserLock is smart enough to detect that suspicious activity, and block the login instantly, while alerting administrators.
The logon provides you with leading indicators that there may be a problem well before any access (read: compliance breach) occurs.
With UserLock, an organization can:
- Ensure access to the network and, eventually, personal data, is identifiable, audited and attributed to an individual user
- Prevent unauthorized access by rendering genuine but compromised employee logins useless to would-be attackers
- Eradicate careless user behavior like password sharing to reduce the risk of unauthorized access from internal threats
- Flag suspicious access events in real time, meaning an administrator can immediately respond and further protect access to the network and personal data within
- Audit all access events centrally so you can track down security threats and prove regulatory compliance
The logon is a compelling point at which to both monitor GDPR compliance, as well as to stop potentially inappropriate access (read: compliance breach) from ever happening.
How FileAudit helps you address GDPR on Windows files, folders and file shares
Monitor access to all personal data
The GDPR states that unauthorised data access includes accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data transmitted, stored or otherwise processed.
Monitoring both authorized and unauthorized access to sensitive data is essential to early data breach detection. Visibility is key.
For Windows domains, native file auditing is considered inefficient, time consuming and overwhelming to track events across the whole organization.
FileAudit is a software platform that greatly simplifies file and folder access auditing on Windows servers. The granular level of file access management helps organizations exceed regulatory requirements and avoid penalties.
With FileAudit an organization can:
- Identify inappropriate access (and access attempts) through real-time monitoring and alerting, giving the IT department the ability to review and remediate issues
- Send alerts when FileAudit detects mass access, copying, deletion or moving of files (a strong indication of a compliance breach)
- Indicate where the user has accessed the file from, including different workstations on site or mobile devices remotely — all by tracking and identifying the source IP address
- Help minimise the risk from access at unusual or unexpected times thanks to granular time and date alerting parameters
- Centralize and archive all file access events occurring on one or several Windows systems and in the cloud, generating an always available, searchable and secure audit trail
FileAudit helps prove to regulators you are protecting personal data effectively by comprehensively monitoring all access activity to data found on files, folders and file shares. Organizations can give precise answers to questions about improper access, alteration or the destruction of personal data.