1. Top tools to assess, implement, and
maintain GDPR compliance
R.Rajivarnan
2. The European Union’s General Data Protection Regulation (GDPR) goes
into effect in May 2018, which means that any organization doing business
in or with the EU has six months from this writing to comply with the
strict new privacy law. The GDPR applies to any organization holding or
processing personal data of E.U. citizens, and the penalties for
noncompliance can be stiff: up to €20 million (about $24 million) or 4
percent of annual global turnover, whichever is greater. Organizations
must be able to identify, protect, and manage all personally identifiable
information (PII) of EU residents even if those organizations are not based
in the EU.
Some vendors are offering tools to help you prepare for and comply with
the GDPR. What follows is a representative sample of tools to assess what
you need to do for compliance, implement measures to meet requirements,
and maintain compliance once you reach it.
GDPR assessment tools
Snow Software GDPR Risk Assessment identifies more than 23,000
application versions that hold or transmit personal data. It also provides
visibility of devices, users and applications, whether on premises, in the
cloud or mobile. Passive scanning means agents do not have to be installed
on endpoints. It can flag devices that do not have appropriate GDPR
security controls so that the organization knows where its data is, who is
using it and how it is protected.
The International Association of Privacy Professionals (IAPP) and
TRUSTe GDPR Readiness Assessment tool is available as a special
single-user version of the TRUSTe Assessment Manager. Created for
IAPP members, it contains more than 60 questions mapped to key GDPR
requirements and produces a gap analysis with recommended steps for
remediation. The assessment tool is cloud-based and does not require a
software download; IAPP members can activate a free account. It
integrates with a variety of existing applications and hosting environments,
including Amazon Web Services and Alibaba Cloud.
3. The DB Networks DBN-6300 is a security appliance using artificial
intelligence and deep protocol analysis to give visibility into database
infrastructure activities. It also non-intrusively discovers databases
containing PII and connected applications, and automatically maps how
the information is being processed. The DBN-6300 performs passive
scanning on a network terminal access point rather than using active
scanning, which can miss undocumented databases. It is available as a
physical appliance or in an Open Virtualization Format (OVF) and
supports database management systems including Oracle server, Microsoft
SQL Server, and SAP Sybase ASE. The virtual machine supports VMware
vSwitch, dvSwitch, and a software-defined network (SDN) platform
configured to allow network tapping.
Opus Global’s Third-Party Compliance software as a service (SaaS)
solution moves assessment into the supply chain by identifying third
parties with whom their customers’ personal data is shared. Questionnaires
about data security controls are automatically sent to third-party users. The
tool analyzes responses to determine whether they comply with GDPR
requirements and provides recommendations for remediation. This allows
the organization to fully document who has access to covered data and
how it is protected. This SaaS solution requires no hardware, software, or
IT infrastructure.
GDPR implementation tools
Secureprivacy.ai is an automated consent management solution to make
websites compliant with GDPR requirements for obtaining informed
consent from users for collection and use of data. It also allows them to
opt out. Once installed, the Secureprivacy.ai script provides granular page-
by-page notifications for the appropriate opt-in and opt-out requirements.
Screenshots are saved to document user consent and are available through
a dashboard. The solution is formatted for both desktop and mobile
devices and includes a plugin for users of WordPress. Documentation
includes the user IP address and location and can be easily exported for
business and regulatory uses.
4. Datum Information Value Management for GDPR is a special edition
of its information governance software that is preconfigured with GDPR
base processes, rules, standards, templates, and frameworks. It aligns an
organization’s data with regulatory requirements, identifying the data that
is covered under the EU privacy rules and the capabilities and controls that
are required. The tool discovers the data and how it is used and maps it to
the organization’s governance process. This allows data to be used and
shared with stakeholders across the organization within the requirements
of the privacy regulations, and documents compliance for regulators.
SAS for Personal Data Protection creates a unified environment with a
single user interface for accessing and managing data. It allows
organizations to access, identify, govern, protect, and audit personal data
so that they can comply with GDPR requirements that personal data must
not only be protected, but must be removed upon request. This
combination of SAS software and services allows organizations to blend
data types from multiple sources such as Oracle, Apache, and Hadoop,
identifying personal data in structured and unstructured sources. Its data
governance features enforce policies and protect data through role-based
masking and encryption that secures sensitive information while at rest
and in use.
Neupart Secure GDPR is based on the company’s Secure ISMS security
management system. Added features designed for companies to implement
and maintain GDPR processes include templates, data protection and
impact assessment tools, data breach notification capability, and gap
analysis to track your current compliance status. It also provides a data
protection officer (DPO) dashboard so DPOs have a single view of key
compliance areas.
Neo4j is a graph solution that provides visibility into the organization’s
data and the connections between and among data. Personal data can
reside in many applications at many locations across the enterprise and in
the cloud, and must be protected and managed in all locations.
Organizations must be able to track data through its lifecycle, from its
acquisition through use to removal. To track and control the data,
connections among multiple systems and data silos must be understood.
The Neo4j native graph database provides this visibility, together with
analytics and data integration. It is available either as a download or an
online tool.
5. Aircloak Insights allows organizations to make use of protected data by
anonymizing it for analysis so that the results can be shared without
restrictions under GDPR. The solution consists of two pieces of software
(the Air web frontend and the Cloak anonymization engine) running on
two Docker containers for virtualization on Windows and Linux. It works
with most popular databases, including a large set of SQL databases.
GDPR maintenance tools
BigID BigOps is a scanning tool that uses machine learning to
continuously track changes in PII across the production and development
environments in the data center or cloud. Machine learning allows the
software to understand known personal data and its contexts, and then
discover and catalog all personal data across the data stores. It integrates
with automation frameworks such as Jenkins to monitor changes to the
data across the development lifecycle, helping to ensure that it remains in
compliance with GDPR requirements. It also helps with requirements for
data breach response by allowing an organization to compare its data with
that in a purloined data dump to determine within minutes if there has
been a breach.
OneTrust privacy management software platform automates tasks to
enable continued compliance with GDPR requirements for website
cookies and maintenance of subject request portals. OneTrust conducts
ongoing scans of an organization’s web pages to identify and categorize
cookies and provides a transparent mechanism for obtaining required
cookie consents. The cookie compliance solution includes continuous
scanning against a database of 5.5 million cookies. Organizations also can
use OneTrust to create a portal and branded web form to deal with user
requests for managing PII under GDPR. It can track and document user
requests and the organization’s response.
FileCloud is known as a enterprise file sharing and syncing platform. It
now offers features to ease tasks associated with some GDPR
requirements. Privacy settings make it easier to ask users for consent while
accessing content from the cloud. Administrator tools allow for the
deletion or anonymization of PII for right to be forgotten requests, or to
reply to requests for PII that a company has on an individual. FileCloud
also addresses the data portability requirement with the ability to export in
standard formats.
6. Loom Systems Sophie for GDPR, which Loom describes as an
algorithmic IT operations (AIOps) tool, uses artificial intelligence (AI) to
“analyze logs and unstructured machine data for immediate visibility into
the IT environments.” The product has a “Find my PII” feature that
automates the collection of sensitive logs. This makes it easier to comply
with GDPR’s right to be forgotten mandate, as it allows you to quickly
locate and delete personal data when a request to remove is received.