New protections for consumers, such as the EU’s General Data Protection Regulation (GDPR) — which is celebrating its first anniversary, and the new California Consumer Privacy Act (CCPA), provide consumers with added protections to ensure their privacy and prevent issues related to data theft or misuse. They do this by defining what is meant by personally identifiable information (PII), establishing compliance standards for organizations to meet, and imposing severe penalties for organizations that fail to protect the PII of their customers.
Some of the most important benefits of these regulations is their uniform definition of exactly what is meant by personal data; detail rules for how that data can and cannot be used by any organization doing business within a specified region—or with any citizens that reside, work, or travel therein, even remotely; explicitly define what constitutes a breach of personal data along with standardized and consistent notification requirements; and give consumers complete control over the use and storage of their PII.
The GDPR established a common and broader definition of personal data than previous efforts, including things like IP addresses, biometric data, mobile device identifiers, and other types of data that could potentially be used to identify an individual, determine their location, or track their activities. The CCPA extends that definition even further, adding such things as geolocation data and shopping, browsing, and search histories.
Further, organizations affected by these regulations not only need to obtain explicit approval from individuals to retain and use their personal data, but also honor their “right to be forgotten,” which enables individuals to demand that an organization purge any personal data about them for any reason.
The challenge is that with today’s highly distributed network, data could have been copied multiple times and distributed virtually anywhere. The recent and rapid transition to multi-cloud networks, platforms, and applications complicates this challenge. To meet data privacy requirements in such environments, organizations need to implement security solutions that span the entire distributed network in order to centralize visibility and control. This enables organizations to provide consistent data protections and policy enforcement, see and report on cyber incidents, and remove all instances of PII on demand.
Achieving this requires three essential functions:
1. Security needs to span multi-cloud environments. Compliance standards need to be applied consistently across the entire distributed infrastructure. While privacy laws may belong to a specific region, the cloud makes it easy to cross these boundaries. Policies and protections established for data in a physical data center under the control of local privacy laws need to follow data as it moves to the cloud or to other data centers as long as they are stored in the same geography.
This creates two issues that need to addressed.
2. Data Loss Prevention is essential. Tracking and managing PII requires the implementation of Data Loss Protection (DLP) technologies that can be applied inline as well as at the cloud API level. Such solutions need to be able to identify, seamlessly track, and maintain an inventory of all PII. A few key principles when it comes to handling and exchanging PII:
3. Compliance reporting requires centralized management. Compliance reporting needs to span the entire distributed infrastructure. As with other requirements, this also demands consistent integration throughout the cloud and with the on-premise security infrastructure. Achieving this requires the implementation of a central management and orchestration solution, such as a SIEM or other single-pane-of-glass management console which has visibility to the entire multi-cloud & security infrastructure. What you don’t want is having to hand-correlate data from multiple systems, because things get missed, and if they are found in an audit, the penalties can be severe.
The best approach to security is to stop an attack before it even starts, and limit its scope once a breach occurs. This requires organizations to have technologies and policies in place, such as:
When properly understood, privacy regulations not only ensure that the PII of consumers is protected, but they also raise the bar for security across the entire organization. It forces organizations to go back to the drawing board, rethink processes and policies, identify and close gaps, and centralize their visibility dashboard feeds and operational controls. Many of these security fundamentals have been lost in the rush of digital transformation, and this is a good excuse to regroup, rethink, and re-secure your infrastructure.
Learn more about how Fortinet’s multi-cloud solutions provide the necessary visibility and control across cloud infrastructures, enabling secure applications and connectivity from data center to cloud.
Find out how Fortinet’s Security Fabric delivers broad, integrated, and automated protection across an organization’s entire digital attack surface from IoT to the edge, network core and to multi-clouds.
Find out how Fortinet security products, solutions, and services can help organizations mitigate and manage security and data protection obligations under the GDPR.