The General Data Protection Regulation (GDPR) has been receiving much press the last couple of years on both sides of “the pond” and for good reason.  It impacts companies not just in Europe but potentially anywhere in the world.

We’re doing business in a world that’s increasingly globalized and intertwined, much more so than it’s ever been.  Large multinational companies have offices throughout the globe.  Partners and supply chains are distributed across continents.  And the ubiquity of mobile devices and cloud apps breaks down physical borders like never before.

There are plenty of resources detailing GDPR requirements – what they mean and the penalties for non-compliance.  However, we’ll look at GDPR from a different angle – from a macro lens that views GDPR compliance as just one component of a much broader agenda.

GDPR as the Catalyst for Change

Simply put, many businesses are using GDPR compliance as a springboard for larger transformational projects.  With seemingly everything going digital today, companies are undertaking massive transformation projects to ensure that they remain agile enough to execute on their business initiatives.  For example, companies might explore mergers and acquisitions (M&A) and joint venture (JV) opportunities to scale their businesses, enter new markets, or enhance their competitive positions.  When there is a merger or acquisition, nasty, complex, and expensive IT consolidation projects typically ensue.

But, to be successful, these projects require solutions that allow for enough flexibility to respond to corporate or regulatory changes quickly and without compromising security and compliance mandates.

Don’t Be Afraid of a Gap Analysis

Sometimes it’s necessary to take a good, long, honest look at your security posture.  You may be surprised at what you find out.  Case in point: role-based access control (RBAC) has been the incumbent technology the last 20 or so years when it comes to protecting sensitive data.  RBAC solutions use pre-defined roles that are associated with specific employees and privileges.  Nowadays, with the IT landscape more complex than ever – thanks to an extended ecosystem of customers, partners, devices, employees, cloud computing, Big Data – the RBAC approach is showing its cracks.  In short, it’s difficult and costly to maintain.

Attribute-based access control (ABAC) is the successor technology to RBAC.  ABAC doesn’t necessarily replace RBAC, but rather, augments it by giving organizations the flexibility to control data access at a fine-grained level.  Instead of roles, ABAC looks at attributes to make authorization decisions.  Attributes could be characteristics about the user, the data, the device, IP address, or any other factor that could affect the authorization outcome.  For instance, ABAC policies can determine who can access the data, where the data can be accessed from, when the data can be accessed, what data can be accessed, and how the data can be accessed.
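To make the who/where/when/what/how attributes concrete, here is an added example (not code from the original post) of a minimal deny-by-default ABAC evaluator in Python, placed beside a role-only check so the difference is visible; the attribute names, rules and sample requests are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time

# Constructed illustration: attribute names, values and rules are assumptions.

@dataclass
class Request:
    user: dict      # who: subject attributes (roles, department, clearance)
    resource: dict  # what: data attributes (owning department, classification)
    env: dict       # where/when/how: source IP, time of day, device, action

LEVELS = {"public": 0, "internal": 1, "confidential": 2}

def rbac_allows(req: Request) -> bool:
    # Role-only check: holding the role grants access regardless of context.
    return "finance-analyst" in req.user["roles"]

# Each ABAC rule is a named predicate over the request's attributes.
POLICY = [
    ("department_match", lambda r: r.user["department"] == r.resource["owner_department"]),
    ("clearance", lambda r: LEVELS[r.user["clearance"]] >= LEVELS[r.resource["classification"]]),
    ("corporate_network", lambda r: ipaddress.ip_address(r.env["source_ip"])
                                    in ipaddress.ip_network("10.0.0.0/8")),
    ("business_hours", lambda r: time(8, 0) <= r.env["time"] <= time(18, 0)),
    ("managed_device_for_write", lambda r: r.env["action"] == "read" or r.env["device_managed"]),
]

def abac_decision(req: Request) -> tuple[bool, list[str]]:
    """Deny by default: every rule must pass. Failing rule names feed the audit trail."""
    failed = [name for name, rule in POLICY if not rule(req)]
    return (not failed, failed)

# Constructed sample: same role and same data, different context.
ANALYST = {"roles": ["finance-analyst"], "department": "finance", "clearance": "confidential"}
REPORT = {"owner_department": "finance", "classification": "confidential"}
IN_OFFICE = Request(ANALYST, REPORT, {"source_ip": "10.20.30.40", "time": time(10, 0),
                                      "device_managed": True, "action": "read"})
AT_CAFE = Request(ANALYST, REPORT, {"source_ip": "203.0.113.9", "time": time(22, 30),
                                    "device_managed": False, "action": "write"})

if __name__ == "__main__":
    for label, req in (("in office", IN_OFFICE), ("at cafe", AT_CAFE)):
        print(label, "RBAC:", rbac_allows(req), "ABAC:", abac_decision(req))
```

RBAC grants both requests because the role matches; ABAC grants the in-office read and denies the off-network, after-hours write from an unmanaged device, naming the rules that failed.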

Look at the Big Picture

When you combine ABAC with data classification, digital rights management, and auditing and reporting, now you’re talking about an end-to-end approach that keeps all the stakeholders happy – CISOs, IT admins, security architects, compliance officers, etc.  It’s an approach anchored by a centralized policy management framework – one that can keep pace with today’s complex IT landscape.

With this framework, you can essentially secure data anywhere it goes and keep an audit trail of everything.  You’ll enable secure collaboration across your whole business network, including suppliers, partners, and customers.  You’ll streamline your compliance processes by utilizing more automation.  And you’ll make IT happier by slashing the amount of resources (time, money, and people) needed to keep the business running.

But even more importantly, you’ve looked at things from a macro level and taken the necessary steps to mitigate your risk profile and position yourself to focus on the business initiatives that matter most.

Digital Transformation Is a C-Level Concern

So, what started as a post on GDPR has morphed into the broader issue of digital transformation to stay relevant from a business perspective but without losing sight of security and compliance objectives. Digital transformation projects get C-level attention and for good reason: failures of this scale don’t go unnoticed and can have dire consequences.

The highly publicized data breaches at Yahoo, Equifax, and Target illustrate the massive risks if minimum security precautions and measures aren’t undertaken.  Plummeting stock prices, regulatory fines, and damaged reputations are just some of the consequences.

A well-defined and executed plan can help you avoid many of the pitfalls associated with digital transformation projects and instead put you on better footing from a risk management standpoint.