Data privacy solutions are crucial for complying with privacy regulations and maintaining security. In the first nine months of 2019, there were 5,183 reported data breaches, with 7.9 billion records exposed, according to the Data Breach Quickview. Modern regulations, such as GDPR and CCPA, require companies to develop reasonable data protection measures to protect consumers’ personal information against exposure or loss.
To meet these privacy protection requirements and manage the risks of noncompliance, businesses must refine or re-engineer the information systems, databases, data warehouses and data processing platforms they use to collect, manage and store personal data.
This requires the adoption of modern technologies that help control personal data during its life cycle and include an end-of-life process. However, the differences between the various privacy regulations create challenges in achieving compliance.
GDPR, CCPA and Other Privacy Regulations
The GDPR regulates the private information of European Union residents, while the CCPA applies to residents across the state of California. Although they are very much alike in the requirement to ensure data privacy, they differ in their definitions, penalties and other issues. Here are some key things to know:
- The GDPR requires the demonstration of a legal basis for processing customer The CCPA does not.
- The GDPR has specific rules about how health data can be collected and stored. It also differentiates between types of health data. The CCPA lumps it all under “personal information.”
- The GDPR applies to all companies working with the regulated data; the CCPA applies only to for-profit businesses.
Other privacy laws that many companies have to comply with have other nuances to consider. Moreover, companies that work with private data often need to ensure that their data practices are above and beyond those required by legislation.
Choosing the right data privacy solution means finding one that meets your compliance needs while providing a good return on your investment.
Top Data Privacy Protection Capabilities to Look for
There are several primary technical capabilities that will help you achieve and maintain compliance with many data privacy regulations. Note that some of these capabilities are probably provided by tools you already have in your environment.
Data Discovery and Classification
Data discovery involves identifying all the structured and unstructured data across your technology platforms, systems and archives. Data classification categorizes the discovered data by type and processing purpose. Together, these capabilities enable you to understand exactly what sensitive data you have so you can prioritize your data security efforts. For example, you can decide to encrypt only documents classified as “restricted.”
It’s best to start with a simple classification scheme. The U.S. government segments data into three categories: top-secret, secret and public. Similarly, private sector organizations often classify data as restricted, private and public. All data within a classification may be assigned the same security measures, but some organizations develop highly granular data classification systems to accommodate various levels of risk.
You might want to look for a solution that has pre-built classification taxonomies for each compliance regulation you are subject to, such as GDPR, CCPA and HIPAA. With quick and accurate classification of this data, you will be able to apply granular data security controls that meet the requirements of each of these regulations.
When comparing data classification solutions, be sure to look for the following capabilities:
- Compound term processing — Identifying and weighting multi-word concepts based on a purely statistical analysis ensures a better understanding of information patterns specific to your organization and delivers results you can trust.
- Reusable index — By eliminating the need for lengthy data re-collection every time a new file appears or a classification rule is changed, a reusable index ensures you get updated information about content quickly.
- Granular taxonomy manager — Be sure you can easily build and customize classification rules. For example, you need to be able to assign a specific weight to each RegEx, keyword or key phrase so that only the right combinations of these clues will push a document over the classi?cation threshold.
- Transparent results — You need to be able to see precisely why ?les were classi?ed the way they were so that you can analyze your rules to improve accuracy.
- Change simulation — It’s also valuable to be able to simulate changes to your classification rules and see how they would a?ect ?les that have already been classi?ed, without actually affecting your production environment.
- Support for all your data sources — Look for a solution that can discover and classify all the data you store, whether it’s in file servers, databased or cloud
Risk Assessment and Mitigation
Many data privacy protection regulations also require you to identify and mitigate risks to data security, so you also need to be able to perform IT risk assessment on a regular basis.
IT risk assessment involves finding excessive access rights to data and applications, as well as checking the configuration of underlying systems for security gaps. Risk mitigation can take various forms, from resetting configurations to a known good baseline and revoking unneeded permissions to adjusting security policies.
User Activity Monitoring
You need to have visibility into when, where and how data is accessed and used normally, and be able to quickly spot aberrations that could indicate a threat. Ideally, a tool will proactively alert you to critical activity so you can respond immediately to avoid breaches and compliance violations.
In addition to looking for vulnerabilities in your security defenses though regular risk assessment, you also need to learn about more complex gaps using strategies like regular penetration testing. To perform penetration testing, you will likely need a separate solution or even an experienced third-party service, but a solid privacy solution should provide visibility into current configurations.
Change and Access Auditing
Your IT ecosystem is a busy place, with both IT teams and business users making changes, accessing and modifying data, and so on. It’s essential to be able to quickly spot unwanted modifications and suspicious access. For example, a change to a powerful security group could indicate unwarranted privilege elevation; an improper change to Group Policy could easily lead to a data breach; and massive file changes could signal ransomware in action.
Change and access auditing help you enforce least privilege, maintain proper configurations, spot active threats and more. Retaining this audit data also enables you to prove to auditors that you have required processes in place and can quickly investigate incidents.
Hackers and network sniffers commonly steal passwords, credit card numbers, and other sensitive information. Indeed, credit card information breaches have been some of the most publicly reported issues for consumers. Encryption renders this stolen data useless to the hacker and helps you avoid compliance penalties.
Look for solutions that offer encryption and other obfuscation methods, such as:
- Tokenization — The replacement of sensitive data with unique identification symbols that retain the essential information without compromising security
- Pseudonymization — The replacement of personally identifiable information fields in a record with artificial identifiers (pseudonyms)
- Dynamic masking — Changes in a data stream to prevent a data requester from accessing sensitive information, while making no physical changes to the original data
Privacy regulations require you to respond to data subject access requests (DSARs) quickly and effectively. Despite these tight deadlines, you must uphold the rights of data subjects for data transfer, data destruction and more. As individuals become more aware of their rights, the number of DSARs is growing rapidly — costs have already increased by up to 74%, according to the Netwrix 2020 Data Risk and Security Report.
Manually crawling your data repositories to fulfill each DSAR is too slow and effort-intensive to be a scalable approach. Automation is the key to reducing the cost of DSAR searches while meeting strict compliance timelines. Look for a solution that enables secure delegation of DSAR processing to non-IT teams, and eliminate this growing burden from your understaffed IT department.
More Data Protection Steps
Other solutions to protect your sensitive data include firewalls and anti-virus, anti-malware and anti-spyware software. Physical access controls are important as well, such as limiting who can enter your server room.
Also be sure to educate your employees about data privacy and security. They are at the front lines of information creation, access and use. Make data privacy part of your mission statement and regularly train everyone — from customer service teams to business users to senior management — about how to ensure both data privacy and data security.
How Netwrix helps
The Netwrix data protection platform can help you meet the requirements of modern privacy and security standards. It enables easy data classification and discovery, as well as control over changes and activities around sensitive data. It enables you to easily identify overexposed data, misconfigurations in underlying systems and other risks in your infrastructure. And it even automates the most time-consuming part of DSAR fulfillment. As a result, you can strengthen security and compliance while seeing a strong return on your investment.