Protecting Cross-border Data Transfers for GDPR
December 1, 2017 | Regulations, Audit & Compliance | Corey O'Connor
Corporate legal counsels, technology providers, IT professionals – and anyone else paying attention to the General Data Protection Regulation (GDPR) – would undoubtedly agree that the requirements within the 99 Articles of the regulation present a laundry list of necessary changes many organizations will need to make to avoid non-compliance. The one we want to highlight in this blog calls for an adequate level of protection to be implemented for cross-border data transfers. Article 45, ‘Transfers on the basis of an adequacy decision’ specifically states:
“A transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection.”
This complicates things in the world of international commerce. Here in the United States, the Department of Commerce has nixed the U.S.-EU Safe Harbor Framework (following a decision by the Court of Justice of the European Union) and replaced it with a new framework, the EU-U.S. Privacy Shield. This new framework better aligns to the very detailed and specific requirements of GDPR, and it will allow companies within the United States and the European Union to successfully execute transatlantic data transfers.
Any country, governmental body or organization that turns a blind eye to this requirement will subsequently have its data transfers blocked under this legislation. Most importantly, not having an ‘adequate level of protection’ means the chances of suffering a personal data breach increase considerably, which, as we all now know, introduces severe financial and reputational consequences.
With the CyberArk Privileged Account Security Solution Version 10, we’ve made significant enhancements that enable customers to better meet the requirements for storing session recordings that are subject to cross-border data transfer rules. Our customers now have the ability to securely store privileged session recordings on regional-based storage, as opposed to storing them in a Digital Vault, which might be globally dispersed or, more likely, located outside the European Union. This is especially important for monitored database sessions, where client data has the potential to be revealed as a consequence of a command executed by an administrator.
This change applies to both processor and controller requirements and benefits customers that have a need to lock down their session recordings and ensure they do not leave a specific region (see Figure 1). This new capability goes beyond the requirements of GDPR and equally applies to local secrecy acts such as the Singapore Banking Secrecy Act, which prohibits (without permission) the export of client data outside of the region.
Figure 1. CyberArk now provides the ability to store privileged session recordings on dedicated, regional-based external storage.
It’s important for organizations to only provide authorized users with access to these recordings, ensuring that any playback processes are consistent with the data isolation requirements. Additionally, it’s critical to protect the integrity of these privileged session recordings for digital forensics in the case they should ever be needed for a legal proceeding. To support the security, integrity and validity of these session recordings, the following capabilities have been enforced with CyberArk Privileged Account Solution Version 10:
- Secure Communication – The communication between the Privileged Session Manager, the storage devices and the CyberArk user interface for the recordings replay is performed via a secure protocol.
- Managed Authorization – Only authorized users in the Vault will be able to access the session recordings through CyberArk systems.
- Searchable Audit Records and Streamlined Video Replay – The actual location of the video is transparent to the authorized user (e.g. auditors and reviewers) and provides the exact same user experience for both vault-stored recordings and externally stored recordings.
- Maintenance Users Protection – The CyberArk Privileged Account Security Solution will be used for authorizing and monitoring maintenance users’ access to the secure storage.
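The two controls described above, keeping a recording inside its required region and keeping it tamper-evident for later forensic use, can be illustrated in a few lines of generic code. The example below is an added illustration written for this post and is not CyberArk code; it does not show how the Privileged Session Manager or the Vault implement these capabilities. The residency policy table, the storage targets, the recording contents and the HMAC key are all constructed sample values. The recording is only ever written to a storage target whose region the policy allows, and the manifest entry binds the recording's SHA-256 digest and its storage location under an HMAC so that either changed content or an edited location field is detected at replay time.

```python
"""Added illustration (not CyberArk code): regional placement check plus a
tamper-evident manifest for privileged session recordings."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical residency policy: for each region whose client data a session
# may expose, the set of storage regions allowed to hold the recording.
RESIDENCY_POLICY = {
    "EU": {"EU"},          # GDPR: EU client data stays in the EU
    "SG": {"SG"},          # local banking secrecy: stays in Singapore
    "US": {"US", "EU"},    # constructed: US data may also land in the EU
}


@dataclass(frozen=True)
class StorageTarget:
    name: str
    region: str


@dataclass(frozen=True)
class Recording:
    session_id: str
    data_region: str   # region of the client data the session may reveal
    content: bytes     # the recorded session (sample bytes in the demo)


class ResidencyViolation(Exception):
    """Raised when no storage target satisfies the recording's policy."""


def choose_storage(rec, targets):
    """Return the first storage target whose region the policy permits for
    this recording. Raise instead of falling back to an out-of-region store,
    so a policy gap never silently exports the recording."""
    allowed = RESIDENCY_POLICY.get(rec.data_region, set())
    for target in targets:
        if target.region in allowed:
            return target
    raise ResidencyViolation(
        f"no storage in {sorted(allowed)} for session {rec.session_id}")


def _canonical(entry):
    # Stable serialization so the HMAC is computed over the same bytes on
    # both the writing and the verifying side.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(rec, target, key):
    """Manifest entry: SHA-256 of the recording plus an HMAC over the whole
    entry (digest and location metadata), computed with a key the storage
    maintainers do not hold."""
    entry = {
        "session_id": rec.session_id,
        "region": target.region,
        "storage": target.name,
        "sha256": hashlib.sha256(rec.content).hexdigest(),
    }
    entry["hmac"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    return entry


def verify_manifest(entry, content, key):
    """True only if the entry's HMAC is intact and the stored content still
    matches the digest recorded at write time."""
    fields = dict(entry)
    tag = fields.pop("hmac", "")
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(fields["sha256"], actual)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    key = b"constructed-demo-manifest-key"
    targets = [StorageTarget("us-east-store", "US"),
               StorageTarget("frankfurt-store", "EU")]
    rec = Recording("sess-0001", "EU", b"SELECT * FROM customers;\n")
    target = choose_storage(rec, targets)
    manifest = build_manifest(rec, target, key)
    print("stored on", target.name, "verified:",
          verify_manifest(manifest, rec.content, key))
```

The HMAC key is the design choice worth noting: if the same operators who maintain the storage also hold the key, a tampered recording can be re-signed, so in practice the key (or a signing key pair) belongs with the audit function, not the storage maintainers.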
These enhancements show CyberArk’s dedication to helping organizations avoid non-compliance with GDPR. The CyberArk Privileged Account Security Solution can be critical for your organization to advance securely in an increasingly dynamic, competitive business environment. Be sure to visit our website for more information on how CyberArk solutions can help support your GDPR strategy today.