The General Data Protection Regulation (GDPR) went into effect on 24 May 2016, giving all organizations that process or control personal data of residents in the European Union (EU) two years to put the right people, processes and tools in place to comply with the regulation. The regulation, which will apply from May 25, 2018, aims to harmonise data privacy rights for all EU residents across the 28 countries that make up the EU, as it relates to the use and protection of residents’ personal data.
Any organization that fails to comply with the GDPR could face severe penalties, with fines of up to €20 million or 4% of the global annual turnover (or revenue) for that organization’s preceding financial year, whichever is greater.
Moving towards GDPR compliance can be daunting, which is one reason why many companies are still in the midst of their GDPR readiness exercise, with many companies outside of the European Economic Area (EEA) unaware that they will fall into the scope of GDPR. If an organization that has no presence in the EU is selling goods or services to residents in the EU or tracking their activities, the GDPR will also apply to them.
The challenge for organizations facing the GDPR is that data is everywhere these days—processed through all types of apps, stored in various places and accessed from all sorts of devices. Data being so ubiquitous makes it very difficult to control, raising accountability and transparency concerns for IT staff and end users.
For customers who still need to begin their journey toward GDPR readiness, and even for those who have already begun, it is essential to simplify the approach by focusing on data protection and understanding key privacy use cases. Organizations should be prepared to answer questions such as, “What data do we have? Who has access to that data? How is the data protected?”
To answer these questions, it’s important to map the data lifecycle to security and privacy use cases for data protection. A basic data lifecycle includes data collection, access, usage, storage, transfer and deletion/destruction. Connecting each stage of the data lifecycle to data protection use cases can help organizations determine if they have the right tools in place to help with compliance. For example, data access can be mapped to identity management and application access, so it’s imperative for organizations to have solutions in place that can provide secure access to applications using identity.
The right solutions need to be in place to cover data protection use cases and help organizations move towards GDPR readiness. We at VMware can help provide and implement solutions for data protection in your organization.
Using the VMware Workspace ONE digital workspace platform, our customers can deliver an enterprise-secure, consumer-simple digital workspace to empower their workforce to securely use apps and devices for productivity. A digital workspace can help improve data privacy, protection and control, and enable accountability and transparency across the data lifecycle.
The Workspace ONE platform can help fill data protection gaps with critical capabilities such as identity management, unified endpoint management, secure network policies and desktop and application virtualization. Let’s look at some examples that’ll illustrate how Workspace ONE can help any organization close data security and privacy gaps.
Secure Data Access Using Identity Management
In this example, we’ll focus on the data access stage in the data lifecycle. Data access is all about having a secure way to access your data, and making sure those who access the data are authorized to do so.
Using Workspace ONE, IT can set policies to help grant or deny access and authorization to data and applications. With powerful integrations between identity capabilities and device compliance, IT can create contextual or conditional access policies, such as:
- Denying access to an app if the device (for example, iOS or Android) is jailbroken.
- Requiring stronger authentication or device enrollment for access to certain apps.
- Only allowing access to apps on domain-joined devices.
Conditional policies like these eliminate manual compliance management, which minimizes data access risk, a critical component of the GDPR. Mapping secure data access to identity management gives organizations a simple way to think about data privacy and access.
Secure Data Transfer Using Network Policies
Another important stage in the data lifecycle is data transfer. When data is synchronized or transmitted between back-end resources and mobile applications, Workspace ONE can utilize AES 256-bit encryption. This data protection capability maps well to Article 32 in the GDPR, which speaks to the implementation of encryption of personal data where appropriate.
Organizations can take even better control of their data by using per-app tunneling and micro-segmentation. This combination helps further isolate resources from an end user’s device across a connection to the network inside the data center.
Per-app tunneling allows IT to give certain applications, and the data associated with each application, a secure tunnel to connect to back-end resources. This capability removes the need for the entire mobile device to be connected to the data center, thus minimizing the surface area of attack on the mobile device.
Micro-segmentation helps isolate data across the tunnel by only allowing access to the segmented resources that are required on the network. Control of east-to-west traffic on the network using micro-segmentation helps minimize the surface area for an attack on the network.
These are just a couple of examples highlighting data protection capabilities that are available in the Workspace ONE platform. Workspace ONE is the platform that can help organizations deliver secure digital workspaces, enabling their end users with secure data access, data transfer, data collection and more. To learn more about Workspace ONE, visit VMware.com/WorkspaceONE.