Opinion

Data Loss Prevention

Article 32 – Security of processing states

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

Read more about Article 32 in our recent post in The Articles blog series here.

If we are to follow the stringent security requirements of the PCI DSS or ISO 27001, then there are a number of approaches, tools and systems we could put in place to satisfy this requirement.

It is highly likely that a number of different products will be required in order to provide a complete security solution.

DLP

One of the most important products is arguably a DLP, or Data Loss Prevention, product, and these do exactly as you would expect: they prevent data being lost outside of your organisation.

As with any product type, there are many options to choose from, and which one is appropriate to your organisation should be considered carefully.

DLP is an Important Last Line of Defence

In most organisations data (including personal data) can be transferred internally and, provided access is subject to internal controls such as role-based access, restricted folders, email groups, document classification, etc., the risk is at least partially mitigated.

Accidental or Malicious Removal of Data

One of the biggest risks to any organisation is the malicious removal of data by an employee or a 3rd party who gains access to unsecured systems, or the accidental removal of data by anyone who has access to it. This could be by physical removal on a USB or CD, for example, by email or FTP out of the secure perimeter, or by copies of paperwork being emailed out from an All In One device.

Whether by accident or malicious act, a DLP product, particularly when combined with good staff awareness and well understood security policies, can prevent data being ‘lost’.

“If data cannot be taken outside of the organisation then the impact of a data breach is exponentially reduced”

Some of the more important features to look for in a DLP product are:

  • Ability to lock down EUC (End User Computing) devices
    • PCs and laptops, so that CD/DVD/USB drives cannot be written to
    • BIOS Encryption so that data on lost/stolen laptops cannot be compromised
    • Remote wipe and security for phones and tablets
  • Email filtering – scanning of all emails (or just those being sent externally), for attachments, keywords, destinations, configurable to look for data you want to protect
  • Website filtering – preventing access to websites that provide upload functionality, Dropbox, internet drives etc.
  • Email destination limiting – prevent autoforwarding to external email addresses
  • Protection for cloud services: AWS etc. might be classified as being outside your security perimeter but might be harbouring sensitive data

Some other features available in a DLP product are:

  • Ability to restrict instant messaging
  • Application restrictions
  • Adaptive algorithms
  • Automatic redaction, sanitisation, deletion
  • Machine learning to reduce false positives

Conclusion

Organisations need a unified strategy to cope with data privacy, and this approach will require a diverse set of solutions.

  • Education
  • Policies
  • Processes
  • Procedures
  • Technology

Data Loss Prevention is a technology solution and might be seen as a last line of defence when the other approaches have failed.

If you would like to know more about how GDPR Auditing can help your organisation with GDPR please email us at info@gdprauditing.com or email the author philip.mather@gdprauditing.com.

© GDPR Auditing 2017
The information provided in this post is for general information only and is not intended to provide legal advice.