How the Endgame Platform Supports GDPR Compliance
With less than six months to go before the European Union’s General Data Protection Regulation (GDPR) goes into effect, companies are still uncertain if or how it will impact them. A recent study found that 60% of E.U. respondents and 50% of U.S. respondents believe they will face serious challenges in becoming compliant. At the same time, only 38% are prioritizing GDPR compliance. In the U.S., many enterprises may feel it does not pertain to them since it is an E.U. regulation. However, any corporation that ‘touches’ personal data of EU citizens must comply with the GDPR, regardless of where it is headquartered.
Importantly, corporations could take significant steps toward GDPR compliance through security platforms that facilitate two of the GDPR's major requirements: personal data protection and breach notification. Built with an emphasis on security, privacy and compliance, the Endgame platform helps companies comply with the GDPR and adhere to the six GDPR privacy principles outlined in the graphic below.
In upcoming weeks, Endgame will publish a series of posts that cover the range of implications of the GDPR - from the future of an open Internet to artificial intelligence to compliance. These posts will help data controllers expedite their preparation for GDPR, and identify ways in which tools like Endgame can ensure effective, fast and persistent compliance. This post specifies how Endgame greatly supports enterprises as they attain GDPR compliance, while protecting enterprise data from targeted attacks.
Protecting Personal Data
One of the best ways to ensure GDPR compliance is to minimize the breadth and depth of personal data collected, as well as to minimize the number of third parties (i.e. data processors) who can access personal data. Endgame is purpose-built with privacy embedded by design: it optimizes the protection of personal data and excludes third-party access to that data. In other words, the Endgame platform can help to reduce or eliminate the risk of third-party data processors impacting your GDPR compliance efforts.
First, with Endgame's on-premise deployments, Endgame's autonomous agent collects and analyzes data without any dependency on sending telemetry to the cloud. Endgame does not touch any personal data. The Endgame platform was architected with strict data access schemas, avoiding the collection of personal data. Third-party data processors are not involved, and thus you, as the data controller, avoid any liability that could arise through third-party access.
Finally, data residency and role-based access controls are also critical to protecting data. Endgame offers clients the flexibility to keep their personal data in their regional data centers, ensuring that data from one region is sequestered from another. Unlike most other EPP providers, Endgame does not require user data to be sent to a centralized location, which is usually outside the user's region, across national borders and oceans. Moreover, Endgame's access controls are extremely granular across the entire enterprise, which is particularly important to many of the GDPR's data privacy tenets, such as data minimization and purpose limitation.
Data Breach Notification
Article 33 of the GDPR mandates notification of a data breach to a supervisory authority within 72 hours of becoming aware of it. This notification requirement not only includes acknowledging that a breach occurred; corporations must also demonstrate how the breach occurred and what they did to remediate or minimize the impact.
While this is an important element of ensuring that data subjects' personal information is protected, many companies have identified this new obligation as one of the biggest obstacles to GDPR compliance. However, the Endgame platform is designed to help alleviate this burden and simplify reporting and auditing following a data breach. Specifically, the auditing and reporting tools within the Endgame platform can significantly help corporations comply across the various aspects of the GDPR's breach notification mandate. Endgame provides a transparent, automated audit trail and record confirming a range of information about the breach, including what it entailed, what actions were taken to remediate it, and how those actions minimize risk to the affected data subjects.
Looking into 2018
Once the GDPR becomes law on May 25, 2018, non-compliant companies risk hefty fines. The most serious violations could result in fines up to 4% of the company's net income or €20 million, whichever is greater. Although the EU is spearheading global individual data privacy and corporate breach notification, the U.S. may shortly follow suit. Within the past few months, the House of Representatives has proposed the Consumer Privacy Protection Act of 2017, while the Senate reintroduced the Data Security and Breach Notification Act. The latter bill was introduced by Florida Senator Bill Nelson, a co-sponsor, who asserted, "We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers."
In short, even if your company is among the few that may not need to worry about GDPR compliance now, similar regulations may soon become law in the U.S. With security and privacy built in by design, the Endgame platform not only ensures protection against targeted attacks, but also facilitates compliance with the GDPR and subsequent protections for corporate and individual data security.