As most organisations are aware by now, the General Data Protection Regulation (GDPR) comes into force next May. GDPR primarily seeks to:
- Provide unified and clear rules on stronger data protection
- Safeguard the privacy rights of individuals
- Harmonise law enforcement across the EU
Organisations established outside the European Union but conducting business within it will also be subject to GDPR compliance. Fines for non-compliance with GDPR depend on the infraction and can be up to 4% of the company’s annual worldwide turnover or €20 million, whichever is higher.
The extended jurisdiction of the GDPR is arguably the biggest change to the existing 1995 Directive. The other important principles laid down in the GDPR are:
- Extended rights of data subjects — These include the right of access, the right to data portability and the right to data erasure
- 72-hour data breach notification — In the case of a personal data breach, organisations must notify the supervisory authority not later than 72 hours after having become aware of it.
- Privacy by design — Organisations must ensure that, both in the planning phase of processing activities and in the implementation phase of any new product or service, GDPR data protection principles and appropriate safeguards are addressed and implemented.
- Accountability — Organisations must ensure and demonstrate compliance with the data protection principles of the GDPR.
Netwrix Auditor from Trilogy can help you prepare for GDPR
Trilogy has recently formed a partnership with Netwrix and now provides Auditing Services encompassing security analytics for detecting anomalies in user behaviour and investigating threat patterns before a data breach occurs, thus helping companies prepare for, achieve and maintain GDPR compliance.
Here are just three examples of how Netwrix Auditor helps you with GDPR:
1. Personal Data
Personal data shall be … processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Using report subscriptions, you can set an appropriate schedule for reviewing reports that show all user accounts with the current or historical state of permissions granted on files and folders; current and past group membership; object permissions granted to user accounts; excessive access permissions; permission inheritance breaks and changes to user rights assignments.
Use the collected audit trail to review user access to sensitive content in a number of IT systems including SharePoint, Exchange and Exchange Online.
2. Accountability
The controller shall be responsible for and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
- You can demonstrate the effectiveness of your data protection controls using a complete audit trail that is consolidated and preserved by Netwrix Auditor.
- Use predefined reports and dashboards to gain meaningful intelligence about user actions and demonstrate the effectiveness of your controls.
- Create custom reports or easily pinpoint specific data with Interactive Search.
3. Technical and organisational measures
…the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
Review Netwrix Auditor reports to gain relevant knowledge of the context around system configuration changes, and around system and data access, that posed threats to personal data. Use the reports to get valuable details about existing controls in order to validate those controls and establish user accountability.
For more examples on exactly how Netwrix Auditor helps you with GDPR, download the GDPR Controls and Netwrix Auditor mapping pdf or talk to Trilogy about availing of an Infrastructure Security Audit for your business.