The European Union’s General Data Protection Regulation (GDPR) goes into effect in May 2018, which means that any organization doing business in or with the EU has six months from this writing to comply with the strict new privacy law. The GDPR applies to any organization holding or processing personal data of E.U. citizens, and the penalties for noncompliance can be stiff: up to €20 million (about $24 million) or 4 percent of annual global turnover, whichever is greater. Organizations must be able to identify, protect, and manage all personally identifiable information (PII) of EU residents even if those organizations are not based in the EU.
Some vendors are offering tools to help you prepare for and comply with the GDPR. What follows is a representative sample of tools to assess what you need to do for compliance, implement measures to meet requirements, and maintain compliance once you reach it.
GDPR assessment tools
Snow Software GDPR Risk Assessment identifies more than 23,000 application versions that hold or transmit personal data. It also provides visibility of devices, users and applications, whether on premises, in the cloud or mobile. Passive scanning means agents do not have to be installed on endpoints. It can flag devices that do not have appropriate GDPR security controls so that the organization knows where its data is, who is using it and how it is protected.
The International Association of Privacy Professionals (IAPP) and TRUSTe GDPR Readiness Assessment tool is available as a special single-user version of the TRUSTe Assessment Manager. Created for IAPP members, it contains more than 60 questions mapped to key GDPR requirements and produces a gap analysis with recommended steps for remediation. The assessment tool is cloud-based and does not require a software download; IAPP members can activate a free account. It integrates with a variety of existing applications and hosting environments, including Amazon Web Services and Alibaba Cloud.
The DB Networks DBN-6300 is a security appliance using artificial intelligence and deep protocol analysis to give visibility into database infrastructure activities. It also non-intrusively discovers databases containing PII and connected applications, and automatically maps how the information is being processed. The DBN-6300 performs passive scanning on a network terminal access point rather than using active scanning, which can miss undocumented databases. It is available as a physical appliance or in an Open Virtualization Format (OVF) and supports database management systems including Oracle server, Microsoft SQL Server, and SAP Sybase ASE. The virtual machine supports VMware vSwitch, dvSwitch, and a software-defined network (SDN) platform configured to allow network tapping.
Opus Global’s Third-Party Compliance software as a service (SaaS) solution moves assessment into the supply chain by identifying third parties with whom their customers’ personal data is shared. Questionnaires about data security controls are automatically sent to third-party users. The tool analyzes responses to determine whether they comply with GDPR requirements and provides recommendations for remediation. This allows the organization to fully document who has access to covered data and how it is protected. This SaaS solution requires no hardware, software, or IT infrastructure.
GDPR implementation tools
Secureprivacy.ai is an automated consent management solution to make websites compliant with GDPR requirements for obtaining informed consent from users for collection and use of data. It also allows them to opt out. Once installed, the Secureprivacy.ai script provides granular page-by-page notifications for the appropriate opt-in and opt-out requirements. Screenshots are saved to document user consent and are available through a dashboard. The solution is formatted for both desktop and mobile devices and includes a plugin for users of WordPress. Documentation includes the user IP address and location and can be easily exported for business and regulatory uses.
Datum Information Value Management for GDPR is a special edition of its information governance software that is preconfigured with GDPR base processes, rules, standards, templates, and frameworks. It aligns an organization’s data with regulatory requirements, identifying the data that is covered under the EU privacy rules and the capabilities and controls that are required. The tool discovers the data and how it is used and maps it to the organization’s governance process. This allows data to be used and shared with stakeholders across the organization within the requirements of the privacy regulations, and documents compliance for regulators.
SAS for Personal Data Protection creates a unified environment with a single user interface for accessing and managing data. It allows organizations to access, identify, govern, protect, and audit personal data so that they can comply with GDPR requirements that personal data must not only be protected, but must be removed upon request. This combination of SAS software and services allows organizations to blend data types from multiple sources such as Oracle, Apache, and Hadoop, identifying personal data in structured and unstructured sources. Its data governance features enforce policies and protect data through role-based masking and encryption that secures sensitive information while at rest and in use.
Neo4j is a graph solution that provides visibility into the organization’s data and the connections between and among data. Personal data can reside in many applications at many locations across the enterprise and in the cloud, and must be protected and managed in all locations. Organizations must be able to track data through its lifecycle, from its acquisition through use to removal. To track and control the data, connections among multiple systems and data silos must be understood. The Neo4j native graph database provides this visibility, together with analytics and data integration. It is available either as a download or an online tool.
Aircloak Insights allows organizations to make use of protected data by anonymizing it for analysis so that the results can be shared without restrictions under GDPR. The solution consists of two pieces of software (the Air web frontend and the Cloak anonymization engine) running on two Docker containers for virtualization on Windows and Linux. It works with most popular databases, including a large set of SQL databases.
GDPR maintenance tools
BigID BigOps is a scanning tool that uses machine learning to continuously track changes in PII across the production and development environments in the data center or cloud. Machine learning allows the software to understand known personal data and its contexts, and then discover and catalog all personal data across the data stores. It integrates with automation frameworks such as Jenkins to monitor changes to the data across the development lifecycle, helping to ensure that it remains in compliance with GDPR requirements. It also helps with requirements for data breach response by allowing an organization to compare its data with that in a purloined data dump to determine within minutes if there has been a breach.
OneTrust privacy management software platform automates tasks to enable continued compliance with GDPR requirements for website cookies and maintenance of subject request portals. OneTrust conducts ongoing scans of an organization’s web pages to identify and categorize cookies and provides a transparent mechanism for obtaining required cookie consents. The cookie compliance solution includes continuous scanning against a database of 5.5 million cookies. Organizations also can use OneTrust to create a portal and branded web form to deal with user requests for managing PII under GDPR. It can track and document user requests and the organization’s response.