Top X GDPR Assessment Tools

By: -Rajivarnan.R
Cyber Security Analyst
What is GDPR?

The European Parliament adopted the GDPR in April 2016, replacing an outdated data
protection directive from 1995. It carries provisions that require businesses to protect
the personal data and privacy of EU citizens for transactions that occur within EU
member states. The GDPR also regulates the exportation of personal data outside the
EU.

The provisions are consistent across all 28 EU member states, which means that
companies have just one standard to meet within the EU. However, that standard is
quite high and will require most companies to make a large investment to meet and to
administer.

Why does the GDPR exist?

The short answer to that question is public concern over privacy. Europe in general has long had
more stringent rules around how companies use the personal data of its citizens. The GDPR
replaces the EU’s Data Protection Directive, which went into effect in 1995. This was well before
the internet became the online business hub that it is today. Consequently, the directive is outdated
and does not address many ways in which data is stored, collected and transferred today.

How real is the public concern over privacy? It is significant, and it grows with every new high-
profile data breach. According to the RSA Data Privacy & Security Report, for which RSA
surveyed 7,500 consumers in France, Germany, Italy, the UK and the U.S., 80 percent of
consumers said lost banking and financial data is a top concern. Lost security information (e.g.,
 passwords) and identity information (e.g., passports or driving license) was cited as a concern of
76 percent of the respondents.

An alarming statistic for companies that deal with consumer data is the 62 percent of the
respondents to the RSA report who say they would blame the company for their lost data in the
event of a breach, not the hacker. The report’s authors concluded that, “As consumers become
better informed, they expect more transparency and responsiveness from the stewards of their
data.”

Lack of trust in how companies treat their personal information has led some consumers to take
their own countermeasures. According to the report, 41 percent of the respondents said they
intentionally falsify data when signing up for services online. Security concerns, a wish to avoid
unwanted marketing, or the risk of having their data resold were among their top concerns.

The report also shows that consumers will not easily forgive a company once a breach exposing
their personal data occurs. Seventy-two percent of US respondents said they would boycott a
company that appeared to disregard the protection of their data. Fifty percent of all respondents
said they would be more likely to shop at a company that could prove it takes data protection
seriously.

“As businesses continue their digital transformations, making greater use of digital assets, services,
and big data, they must also be accountable for monitoring and protecting that data on a daily
basis,” concluded the report.

What types of privacy data does the GDPR protect?

 Basic identity information such as name, address and ID numbers
 Web data such as location, IP address, cookie data and RFID tags
 Health and genetic data
 Biometric data
 Racial or ethnic data
 Political opinions
 Sexual orientation
 Which companies does the GDPR affect?
Any company that stores or processes personal information about EU citizens within EU states
must comply with the GDPR, even if they do not have a business presence within the EU. Specific
criteria for companies required to comply are:

 A presence in an EU country.
 No presence in the EU, but it processes personal data of European residents.
 More than 250 employees.
 Fewer than 250 employees but its data-processing impacts the rights and freedoms of data
subjects, is not occasional, or includes certain types of sensitive personal data. That effectively
means almost all companies.

Top tools to assess, implement, and maintain GDPR

compliance

GDPR Assessment Tools

 Snow Software GDPR Risk Assessment

It identifies more than 23,000 application versions that hold or transmit

personal data. It also provides visibility of devices, users and applications,
whether on premises, in the cloud or mobile. Passive scanning means
agents do not have to be installed on endpoints. It can flag devices that do
not have appropriate GDPR security controls so that the organization
knows where its data is, who is using it and how it is protected.

 The International Association of Privacy Professionals

(IAPP) & TRUSTe GDPR Readiness Assessment tool

This tool is available as a special single-user version of the TRUSTe

Assessment Manager. Created for IAPP members, it contains more than 60
questions mapped to key GDPR requirements and produces a gap analysis
with recommended steps for remediation. The assessment tool is cloud-
based and does not require a software download; IAPP members can
activate a free account. It integrates with a variety of existing applications
and hosting environments, including Amazon Web Services and Alibaba
Cloud.
  The DB Networks DBN-6300

This is a security appliance using artificial intelligence and deep protocol

analysis to give visibility into database infrastructure activities. It also
non-intrusively discovers databases containing PII and connected
applications, and automatically maps how the information is being
processed.

The DBN-6300 performs passive scanning on a network terminal access

point rather than using active scanning, which can miss undocumented
databases. It is available as a physical appliance or in an Open
Virtualization Format (OVF) and supports database management systems
including Oracle server, Microsoft SQL Server, and SAP Sybase ASE.
The virtual machine supports VMware vSwitch, dvSwitch, and a software-
defined network (SDN) platform configured to allow network tapping.
  Opus Global’s Third-Party Compliance

software as a service (SaaS) solution moves assessment into the supply

chain by identifying third parties with whom their customers’ personal
data is shared. Questionnaires about data security controls are
automatically sent to third-party users. The tool analyzes responses to
determine whether they comply with GDPR requirements and provides
recommendations for remediation. This allows the organization to fully
document who has access to covered data and how it is protected. This
SaaS solution requires no hardware, software, or IT infrastructure.
  Microsoft GDPR benchmark assessment tool

The Microsoft GDPR Detailed Assessment tool consists of an Excel

workbook, a Power BI output file, and a PowerPoint template for customer
discussions. The Excel file is made up of yes/no questions, grouped by
theme and sub-scenario. The four themes are Discover, Manage, Protect,
and Report (DMPR), and the sub-scenarios are more granular activities
within those themes.

The backend mechanics for how recommendations are generated is hidden

by default and can be accessed by unhiding the hidden tabs. Use caution if
making any changes to the hidden tabs, as this could break key analysis
formulas, as well as the outputs in Power BI.The Power BI output file is
linked to the Excel file and provides high-level visualizations of the end-
customers’ maturity overall and within each theme. It also generates
recommendations to help customers improve their GDPR maturity within
each theme.

Additionally, the GDPR Detailed Assessment tool provides integration

with Microsoft Compliance manager, enabling partners to work with their
customers on assessing the GDPR compliance posture for the customers
assets in the Microsoft cloud, such as Office 365
  Microsoft GDPR readiness assessment tool

The Discovery capabilities in Cloud App Security, Microsoft’s CASB

solution, can now help you determine whether your cloud apps and
services comply with GDPR requirements, so you can take corrective
action if necessary. Sourcing from a catalog of more than 16,000 apps,
Cloud App Discovery enables you to identify which cloud apps and
services are being used in your organization.
Before today, the service leveraged 60 different parameters, including
regulatory certifications, industry standards, and best practices, to assign
a risk score to each one of those apps.We have added 13 new components
to the risk assessment, directly aligned to GDPR requirements, to provide
you with a more comprehensive GDPR readiness overview for your
organization. In cases where a cloud provider is listed as not GDPR ready,
you will also be able to see which GDPR controls have not been
implemented by the cloud service provider.
GDPR Implementation Tools

 Secureprivacy.ai

is an automated consent management solution to make websites compliant

with GDPR requirements for obtaining informed consent from users for
collection and use of data. It also allows them to opt out. Once installed,
the Secureprivacy.ai script provides granular page-by-page notifications
for the appropriate opt-in and opt-out requirements. Screenshots are saved
to document user consent and are available through a dashboard. The
solution is formatted for both desktop and mobile devices and includes a
plugin for users of WordPress. Documentation includes the user IP address
and location and can be easily exported for business and regulatory uses.
  Datum Information Value Management for GDPR

is a special edition of its information governance software that is

preconfigured with GDPR base processes, rules, standards, templates, and
frameworks. It aligns an organization’s data with regulatory requirements,
identifying the data that is covered under the EU privacy rules and the
capabilities and controls that are required. The tool discovers the data and
how it is used and maps it to the organization’s governance process. This
allows data to be used and shared with stakeholders across the
organization within the requirements of the privacy regulations, and
documents compliance for regulators.
  SAS for Personal Data Protection

creates a unified environment with a single user interface for accessing

and managing data. It allows organizations to access, identify, govern,
protect, and audit personal data so that they can comply with GDPR
requirements that personal data must not only be protected, but must be
removed upon request. This combination of SAS software and services
allows organizations to blend data types from multiple sources such as
Oracle, Apache, and Hadoop, identifying personal data in structured and
unstructured sources. Its data governance features enforce policies and
protect data through role-based masking and encryption that secures
sensitive information while at rest and in use.

 Neupart Secure GDPR

Neupart is based on the company’s Secure ISMS security management
system. Added features designed for companies to implement and
maintain GDPR processes include templates, data protection and impact
assessment tools, data breach notification capability, and gap analysis to
track your current compliance status. It also provides a data protection
officer (DPO) dashboard so DPOs have a single view of key compliance
areas.

 Neo4j

Neo4j is a graph solution that provides visibility into the organization’s

data and the connections between and among data. Personal data can
reside in many applications at many locations across the enterprise and in
the cloud, and must be protected and managed in all locations.
Organizations must be able to track data through its lifecycle, from its
acquisition through use to removal. To track and control the data,
connections among multiple systems and data silos must be understood.
The Neo4j native graph database provides this visibility, together with
analytics and data integration. It is available either as a download or an
online tool.
  Aircloak Insights

allows organizations to make use of protected data by anonymizing it for

analysis so that the results can be shared without restrictions under GDPR.
The solution consists of two pieces of software (the Air web frontend and
the Cloak anonymization engine) running on two Docker containers for
virtualization on Windows and Linux. It works with most popular
databases, including a large set of SQL databases.

GDPR Maintenance Tools

 BigID BigOps
A scanning tool that uses machine learning to continuously track changes
in PII across the production and development environments in the data
center or cloud. Machine learning allows the software to understand
known personal data and its contexts, and then discover and catalog all
personal data across the data stores. It integrates with automation
frameworks such as Jenkins to monitor changes to the data across the
development lifecycle, helping to ensure that it remains in compliance
with GDPR requirements. It also helps with requirements for data breach
response by allowing an organization to compare its data with that in a
purloined data dump to determine within minutes if there has been a
breach.

 OneTrust privacy management software platform

Automates tasks to enable continued compliance with GDPR requirements

for website cookies and maintenance of subject request portals. OneTrust
conducts ongoing scans of an organization’s web pages to identify and
categorize cookies and provides a transparent mechanism for obtaining
required cookie consents. The cookie compliance solution includes
continuous scanning against a database of 5.5 million cookies.
Organizations also can use OneTrust to create a portal and branded web
form to deal with user requests for managing PII under GDPR. It can track
and document user requests and the organization’s response.

 FileCloud

File Cloud is known as a enterprise file sharing and syncing platform. It

now offers features to ease tasks associated with some GDPR
requirements. Privacy settings make it easier to ask users for consent while
accessing content from the cloud. Administrator tools allow for the
deletion or anonymization of PII for right to be forgotten requests, or to
reply to requests for PII that a company has on an individual. FileCloud
also addresses the data portability requirement with the ability to export in
standard formats.
  Loom Systems Sophie for GDPR

which Loom describes as an algorithmic IT operations (AIOps) tool, uses

artificial intelligence (AI) to “analyze logs and unstructured machine data
for immediate visibility into the IT environments.” The product has a
“Find my PII” feature that automates the collection of sensitive logs. This
makes it easier to comply with GDPR’s right to be forgotten mandate, as it
allows you to quickly locate and delete personal data when a request to
remove is received.

End