The European Union’s General Data Protection Regulation (GDPR) goes into effect in May 2018, which means that any organization doing business in or with the EU has six months from this writing to comply with the strict new privacy law. The GDPR applies to any organization holding or processing personal data of EU citizens, and the penalties for noncompliance can be stiff: up to €20 million (about $24 million) or 4 percent of annual global turnover, whichever is greater. Organizations must be able to identify, protect, and manage all personally identifiable information (PII) of EU residents, even if those organizations are not based in the EU.
Some vendors are offering tools to help you prepare for and comply with the GDPR. What follows is a representative sample of tools to assess what you need to do for compliance, implement measures to meet requirements, and maintain compliance once you reach it.
GDPR assessment tools
Snow Software GDPR Risk Assessment identifies more than 23,000 application versions that hold or transmit personal data. It also provides visibility into devices, users and applications, whether on premises, in the cloud or on mobile. Because it uses passive scanning, agents do not have to be installed on endpoints. It can flag devices that lack appropriate GDPR security controls, so that the organization knows where its data is, who is using it and how it is protected.
The International Association of Privacy Professionals (IAPP) and TRUSTe GDPR Readiness Assessment tool is available as a special single-user version of the TRUSTe Assessment Manager. Created for IAPP members, it contains more than 60 questions mapped to key GDPR requirements and produces a gap analysis with recommended steps for remediation. The assessment tool is cloud-based and does not require a software download; IAPP members can activate a free account. It integrates with a variety of existing applications and hosting environments, including Amazon Web Services and Alibaba Cloud.
The DB Networks DBN-6300 is a security appliance that uses artificial intelligence and deep protocol analysis to give visibility into database infrastructure activity. It also non-intrusively discovers databases containing PII and the applications connected to them, and automatically maps how that information is being processed. The DBN-6300 scans passively from a network terminal access point rather than using active scanning, which can miss undocumented databases. It is available as a physical appliance or in Open Virtualization Format (OVF), and supports database management systems including Oracle server, Microsoft SQL Server, and SAP Sybase ASE. The virtual machine supports VMware vSwitch, dvSwitch, and a software-defined network (SDN) platform configured to allow network tapping.