One of the challenges facing lawmakers is how to account for future technological advances that could be used to achieve compliance with certain provisions, without having to re-issue a legal framework every time something new comes to market. Within the GDPR, the phrase “with due regard to the state of the art” is such a future-oriented attempt. While a few specific technological approaches are mentioned in the text of the GDPR – such as encryption and pseudonymization – organizations are given a much broader mandate to ensure the state of the art for data protection is considered when selecting or designing applications, services, and products used for processing personal data (Articles 25 and 32). For example, new state of the art approaches currently coming to market include behavior analytics, privileged access management and format-preserving encryption (FPE):
- Behavior analytics examines the normal behavior patterns of employees across the organization and, when a divergence is noted – for example, when the user account accesses applications not previously accessed, accesses data at unusual times of the day or night or from foreign locations, or there is a spike in emails with attachments sent to a personal email address – an exception is raised for further investigation. Unusual behavior could signal an employee going rogue or the presence of compromised credentials, thereby enabling early detection and risk mitigation.
- Privileged access management, on the other hand, adds a layer of protection to mitigate against IT administrators with higher access rights to data sources and potentially encryption keys from causing harm, again either through rogue actions or compromised credentials.
- FPE, which encrypts content so that its format is identical to the plain text input, is useful because it helps to overcome the problems associated with the integration of encryption into applications that have well-defined data models. FPE can make encryption easier to implement and to ensure that it is more readily used in existing applications. In evaluating compliance with the GDPR, organizations should investigate the applicability of these current state of the art offerings.
IDENTITY AND ACCESS MANAGEMENT
Organizations with a myriad of application-specific usernames and passwords for each employee will find it more difficult to map and control access management rights and privileges, and by implication much more difficult to identify non-standard or questionable behavior. A cohesive identity and access management system that seamlessly unifies employee identity across applications is a foundational requirement for GDPR compliance.
Conclusion and Summary