On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect. While many organizations see this as an EU-only regulation, in reality, it applies to any organization that collects, stores, and uses personal information about an EU citizen.
The GDPR is designed to improve privacy standards and enforce the rights of individual users to have control over the information that they share with organizations, as well as understand, in plain English, how that organization plans to use that data. In light of recent data breaches, especially those that are arguably preventable through basic system hygiene and cybersecurity best practices, the GDPR aims to hold organizations accountable for personal data under their management. Evidence of violations and negligence serves as cause for significant fines.
In Poor Form
To support GDPR specifications, organizations need a comprehensive understanding of their digital footprint—all of the various internet-exposed assets that belong to them. They must be able to discover which external assets collect personally identifiable information (PII), including a user’s name, phone number, address, social media presence, photos, lifestyle preferences, location data, and even their IP address.
Sounds straightforward, but for multinational companies with expansive web infrastructure, merely compiling and assessing site details is often fraught with gaps and inaccuracies. When looking at 25 of the 50 largest banks in the U.S. (2017), the RiskIQ Threat Research team discovered that 68% of the banks had significant security gaps in PII collection:
RiskIQ to the GDPRescue
RiskIQ Digital Footprint can help with GDPR compliance by identifying websites within an organization’s footprint that collect and process PII. Digital Footprint’s new PII/GDPR Analytics provides organizations with the capability to:
- Discover, inventory, and assess websites, apps, and infrastructure where PII is captured and processed
- Identify and assess PII-collecting website exposures: notices, forms, SSL certificates, and frameworks
- Verify security of the PII-collecting websites with SSL certificates and encryption
- Comply with persistent cookie requirements on websites (expiration of less than one year)
- Identify where PII is captured by third parties using your company/brand as a lure (such as fake ads)
- Highlight security and policy-violation exposures, enabling security and governance, risk, and compliance (GRC) teams to better understand, and in some cases reduce, their attack surface and achieve compliance.
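One of the checks listed above, cookie lifetime, can be tested directly against a site's Set-Cookie headers. The following is an added example, not RiskIQ code: it parses Set-Cookie values per RFC 6265 (Max-Age takes precedence over Expires) and reports persistent cookies that would outlive the one-year limit. The sample headers are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

ONE_YEAR = timedelta(days=365)


def cookie_lifetime(header, now):
    """Lifetime of one Set-Cookie value as a timedelta; None for a session cookie.

    Max-Age wins over Expires (RFC 6265 s5.3); an unparsable attribute is ignored.
    """
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return exp - now
    return None


def audit_cookies(headers, now, limit=ONE_YEAR):
    """Return [(cookie_name, lifetime_in_days)] for persistent cookies over the limit."""
    findings = []
    for h in headers:
        name = h.split(";", 1)[0].partition("=")[0].strip()
        life = cookie_lifetime(h, now)
        if life is not None and life > limit:
            findings.append((name, life.days))
    return findings


# Constructed sample headers (not captured from any real site).
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
SAMPLE = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",                  # session cookie: ignored
    "consent=1; Max-Age=31536000; Path=/",                         # exactly one year: allowed
    "tracker=xyz; Expires=Wed, 25 May 2022 00:00:00 GMT; Path=/",  # four years: flagged
    "analytics=42; Max-Age=63072000; Path=/; Secure",              # two years: flagged
]

if __name__ == "__main__":
    for name, days in audit_cookies(SAMPLE, NOW):
        print(f"{name}: persists {days} days (> 365)")
```

In practice the header list would come from the response to each inventoried URL; the limit argument lets a team apply a stricter internal policy than the one-year figure cited above.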
The RiskIQ Digital Footprint PII/GDPR Analytics feature helps expedite GDPR compliance during the initial discovery and subsequent audit processes by helping organizations identify websites belonging to them, as well as the specific pages on those websites that collect PII insecurely.
With PII/GDPR Analytics applied to the Digital Footprint inventory, RiskIQ will automatically tag an organization’s internet-facing assets that have login forms, collect PII, or have cookies, and flag potential GDPR violations. Assets in this inventory can be filtered by tags, allowing for easy compliance evaluation and analysis. Organizations will also receive a detailed quarterly point-in-time GDPR assessment in a PDF format for convenient analysis, reporting, and sharing, as well as a CSV file of external assets that collect PII.
RiskIQ's PII/GDPR Analytics feature is immediately available. For customers in the United States it is included with our Digital Footprint Enterprise solution, and for those in the EU it is offered either as a standalone GDPR on-demand report or as an add-on to Digital Footprint. Register for RiskIQ's webinar on Wednesday, Nov. 29 to learn best practices for ensuring your organization is prepared for the looming GDPR mandate. For even more information about how RiskIQ can help with GDPR compliance, please download our white paper and datasheet.