In the UK, an atmosphere of economic and political uncertainty is touching almost every aspect of life and business. That’s no different in IT and data security.
But, as we move to our EU exit, it’s tempting to wonder if one of the biggest challenges for IT security – the General Data Protection Regulation, or GDPR – has conveniently disappeared.
In fact, that couldn’t be further from the truth. While Brexit will undoubtedly create change that’s hard to predict, your obligations when it comes to protecting data will probably stay the same.
Why GDPR still matters to UK businesses
The GDPR is a milestone in European data protection that comes into effect on 25th May 2018. Designed to provide consistent data handling and security across the EU, it covers everything from maintaining accountability to what happens in the event of a breach. It also outlines severe penalties for non-compliance.
This still affects UK organisations for several reasons.
First, even when Article 50 is formally invoked and we give our obligatory notice to leave the EU, we will remain members for a minimum period of two years. During this time, every piece of EU regulation will still apply.
Even after this, if you store or process data related to EU clients, you will still be affected by GDPR.
And, finally, the Information Commissioner’s Office is putting increasing pressure on the UK Government to strengthen data protection regulation. If GDPR is no longer setting the standards, the government is likely to create its own equivalent.
In short, if you were already preparing for GDPR, you should continue. If you weren’t, it’s time to get started.
The challenge of GDPR and privileged accounts
Crucially, many of the points included in the GDPR are about taking a proactive security posture. While many organisations would typically focus their resources on reactive measures in the event of a breach, the GDPR makes it clear that being prepared and protected is essential.
However, not every area of your business is easy to secure proactively. Your privileged accounts in particular pose a complex problem.
The GDPR states that any retained data must be:
- Accessed on a need-to-know / least-privilege basis
- Processed in line with the rights afforded to individuals
- Handled with accountability
However, shared privileged accounts make this very difficult. It’s hard to limit access to privileged passwords to the people that really need them. It’s hard to maintain accountability when more than one person needs to use the same account. It’s even hard to discover all your privileged accounts in the first place.
Thycotic Secret Server can help.
Thycotic Secret Server and GDPR
Meeting the expectations of GDPR will take a multi-layered, multi-faceted strategy – but better privileged account management can help with one of the biggest security threats your organisation currently faces.
Thycotic Secret Server stores your privileged passwords in a secure, encrypted vault.
From there, every interaction is logged and linked to a specific user. There’s no need to elevate privileges at the endpoint level, mitigating the threat of unauthorised account access. And it’s easier to enforce your password policies with confidence that critical accounts can still be quickly and conveniently retrieved.
So you can take a proactive approach that’s in line with GDPR – and avoid a breach instead of trying to cope with one when it’s too late.
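The accountability problem with shared privileged accounts, and the vault-plus-audit-log answer to it, can be shown in a few lines. The following is an added illustration written for this page; it is not Thycotic Secret Server code and makes no claim about how that product is implemented. The SecretVault class, the account names, the policy and the credential strings are all constructed for the example. The point it demonstrates is that a checkout is always attributed to a named individual, is permitted only where the policy grants it (least privilege), and is logged whether it succeeds or fails, so the shared account never obscures who actually used it.

```python
"""Added illustration: individually attributed checkout of shared privileged
accounts from a central vault. Hypothetical toy code, not a product's API."""
from dataclasses import dataclass
from datetime import datetime, timezone


class AccessDenied(Exception):
    """Raised when a user is not entitled to the requested account."""


@dataclass(frozen=True)
class AuditEvent:
    when: str       # ISO 8601 UTC timestamp of the request
    user: str       # the named individual, never the shared account itself
    account: str    # the shared privileged account that was requested
    reason: str     # change ticket or justification supplied by the user
    outcome: str    # "granted" or "denied"


class SecretVault:
    """Holds shared account credentials and records every retrieval attempt."""

    def __init__(self, secrets, policy):
        # secrets: account name -> credential (kept here, never on endpoints)
        # policy:  user name -> set of account names that user may retrieve
        self._secrets = dict(secrets)
        self._policy = {user: set(accounts) for user, accounts in policy.items()}
        self.audit_log = []

    def _record(self, user, account, reason, outcome):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(stamp, user, account, reason, outcome))

    def checkout(self, user, account, reason):
        """Return the credential for `account` to `user`, or raise AccessDenied.

        Both outcomes are written to the audit log against the individual,
        which is what restores accountability for a shared account."""
        allowed = self._policy.get(user, set())
        if account not in allowed or account not in self._secrets:
            self._record(user, account, reason, "denied")
            raise AccessDenied(f"{user} is not entitled to check out {account}")
        self._record(user, account, reason, "granted")
        return self._secrets[account]

    def who_used(self, account):
        """Accountability query: which individuals actually retrieved this account?"""
        return sorted({e.user for e in self.audit_log
                       if e.account == account and e.outcome == "granted"})

    def denied_attempts(self):
        """Detection query: every refused checkout, for review or alerting."""
        return [e for e in self.audit_log if e.outcome == "denied"]


def demo():
    """Build a vault with constructed sample data and exercise one grant and one denial."""
    vault = SecretVault(
        secrets={"prod-db-admin": "constructed-credential-1",   # constructed value
                 "backup-svc": "constructed-credential-2"},     # constructed value
        policy={"alice": {"prod-db-admin"}, "bob": {"backup-svc"}},
    )
    vault.checkout("alice", "prod-db-admin", "CHG-1001 index rebuild")
    try:
        vault.checkout("bob", "prod-db-admin", "no ticket")   # outside bob's entitlement
    except AccessDenied:
        pass
    return vault


if __name__ == "__main__":
    for event in demo().audit_log:
        print(f"{event.when} {event.outcome:8} {event.user:6} {event.account:14} {event.reason}")
```

The two queries at the end are the ones a GDPR-style accountability review actually asks: who retrieved a given account, and which requests were refused. Because the credential is only ever handed out through checkout, a denied request leaves a trace rather than silently succeeding through a password that was shared out of band.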