
Black Swans and GDPR: Ensuring Security and Compliance in Challenging Times

If you had looked through the contingency plans of the world’s top 1,000 companies in January this year, you would probably have found references to managing localized outbreaks of illness. But few plans would have detailed what to do in the event of a global pandemic.  COVID-19 is a true ‘black swan’ – a rare, unexpected yet high-impact event that has disrupted business-as-usual. It has forced organizations to quickly transition to mass remote working, and accelerated adoption of cloud applications and workloads.

But what hasn’t changed during all of these upheavals is the need to secure networks and data in compliance with data protection mandates such as GDPR.  While the second anniversary of GDPR in May this year was largely overlooked because of the global response to the pandemic, the European Union issued a warning that GDPR still applies and will continue to be enforced, despite the ‘new normal’ that organizations are having to adapt to.

Although a survey from late 2019 of European organizations showed that 60% claimed to have fully adopted all GDPR measures, that was before the pandemic threw IT and security strategies into disarray – which in turn affects the compliance posture of those firms.  And of course, the same survey indicates that 40% of organizations are not fully ready for GDPR, and they are unlikely to have made any significant progress because of COVID-19.

As such, organizations need to diagnose and address these new threats to their networks, applications, data and compliance posture in real time. Specific areas of concern are data being stored and processed on employees’ personal devices as they work from home, and protecting data in applications that have been rapidly migrated to the cloud to support remote working.  To add to the complication, handling all of these changes has increased the workload for IT and security teams dramatically – stretching their resources even further than normal.  So how should they approach dealing with these challenges?

Finding and following the data

The first step is for security and IT teams to be able to visualize their entire hybrid network (both on-premise and in clouds), the connectivity of critical business applications, and their security and risk status in a single pane of glass.  This is done using an automation solution which discovers all the data flows associated with every application, and the security rules and policies that support them, giving the teams a holistic overview of what’s really happening across the entire network.

This view enables the teams to proactively assess and identify any potential security or compliance risks, based on knowing where data is flowing from and to, what it is being used for and what it is doing. If organizations don’t have this information about their data, or have blind spots on their network, they simply can’t secure it effectively.

Automating changes

Based on the live map of the network, applications and their data flows, teams can then start to use the automation solution to exert control over the network and handle the changes the business demands.  The automation solution is able to compare planned changes against existing, defined legitimate business connectivity. If the changes are in line with what is defined as acceptable use, then they can proceed, with the automation solution handling all of the updates and adjustments to the relevant network security controls (which can number in the hundreds), without the need for labor-intensive, error-prone manual processes.

This not only maintains and enforces security without introducing risks, it also ensures compliance.  The right automation solution will provide out-of-the-box GDPR compliance support, enabling users to generate automated reports for all relevant network and data security elements, making it easy to get a real-time, accurate picture of the organization’s compliance stance and identify and close any gaps.

Continuous compliance and security

And as data is continually moving and the network evolving according to business needs, both need continuous monitoring. This is where visibility and automation come into their own. The only way to know if there is a problem is by monitoring the entire infrastructure, all the time. This helps to ensure continual security and compliance, with the solution flagging any exceptions so that they can be corrected immediately, with all changes fully documented for later review and auditing by internal parties or external regulators.
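As an added illustration of the change-validation and continuous-monitoring logic described in the two sections above (example code written for this page, not taken from any vendor's product), the following compares a planned rule change against a defined map of legitimate business connectivity and flags rulebase drift as an exception. The zone names, ports and data classifications are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample policy: the "defined legitimate business connectivity",
# keyed by (source zone, destination zone, port) and mapped to the highest
# data classification that flow is approved to carry. Names are hypothetical.
APPROVED_FLOWS = {
    ("remote-vpn", "crm-app", 443): "personal",  # home workers -> cloud CRM
    ("crm-app", "crm-db", 5432): "personal",
    ("remote-vpn", "intranet", 443): "internal",
}

@dataclass
class ChangeRequest:
    src_zone: str
    dst_zone: str
    port: int
    data_class: str  # "personal" (GDPR-relevant), "internal" or "public"

@dataclass
class Decision:
    approved: bool
    reason: str
    audit: dict = field(default_factory=dict)  # record kept for later review

def evaluate_change(req: ChangeRequest, policy=APPROVED_FLOWS) -> Decision:
    """Compare a planned change against the approved connectivity map.
    Auto-approve only when the flow is defined and the request does not
    push personal data over a flow not approved for it."""
    key = (req.src_zone, req.dst_zone, req.port)
    record = {"request": key, "data_class": req.data_class,
              "checked_at": datetime.now(timezone.utc).isoformat()}
    allowed_class = policy.get(key)
    if allowed_class is None:
        return Decision(False, "no matching approved business flow", record)
    if req.data_class == "personal" and allowed_class != "personal":
        return Decision(False, "flow not approved for personal data", record)
    return Decision(True, "matches approved flow", record)

def audit_rulebase(rules, policy=APPROVED_FLOWS):
    """Continuous-monitoring pass: return live rules that match no approved
    flow, i.e. the exceptions to flag for immediate correction."""
    return [r for r in rules if (r.src_zone, r.dst_zone, r.port) not in policy]

if __name__ == "__main__":
    live = [ChangeRequest("remote-vpn", "crm-app", 443, "personal"),
            ChangeRequest("any", "crm-db", 5432, "personal")]  # drifted rule
    print(evaluate_change(live[0]))
    for r in audit_rulebase(live):
        print("EXCEPTION:", r)
```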

Events like the COVID-19 pandemic are once-in-a-generation occurrences, but that doesn’t mean that organizations’ security and compliance processes should be derailed by them.  By automating their security and compliance processes, they can ensure that their business isn’t exposed to risk at any time – even when the next black swan spreads its wings.