Data privacy standards and legislation complicate modern business operations. Rules are particularly tight around the use and management of information that pertains to private individuals. You need to protect that type of data from being stolen or accidentally leaked. You also have to be aware that you may only use that data for a limited set of purposes, and you need to be able to track every access event.
Data privacy management issues also cover the integrity of data. You have to allow members of the public to know what data you hold on them, where it is stored, and how it will be used. You also have to ensure that all information is correct and cannot be accidentally lost.
Here is our list of the eight best data privacy management tools:
- SolarWinds Security Event Manager EDITOR’S CHOICE A log management and SIEM security service with automated risk management and compliance auditing. It runs on Windows Server. Get a 30-day free trial.
- StandardFusion A cloud-based risk assessment and compliance auditing package with an automated compliance manager.
- ServiceNow Governance, Risk, and Compliance A cloud-based data privacy management system that ties into a service desk system and project management tools.
- N-able Risk Intelligence A cloud-based vulnerability assessment tool with a data discovery system and a permissions analyzer.
- ManageEngine DataSecurity Plus A package of data management services that include discovery and categorization procedures, a vulnerability scanner, and a file integrity manager. It runs on Windows Server.
- Spirion Sensitive Data Manager A data privacy manager with data discovery and classification processes and file protection services. This is a cloud-based service with on-site agents for Windows, macOS, and Linux.
- Azure Information Protection A cloud-based sensitive data manager that tracks access to files and manages their movements.
- Acronis Cyber Protect A package that includes a vulnerability scanner, a data backup system, and a data loss prevention module. It runs as a virtual appliance.
Data privacy legislation
PCI DSS is the Payment Card Industry Data Security Standard. It is not legislation but a contractual standard imposed by the card brands, and it applies to any business anywhere in the world that stores, processes, or transmits cardholder data. HIPAA is the Health Insurance Portability and Accountability Act, a US federal law. It covers the protection of “Protected Health Information” (PHI), which is individually identifiable health information held by healthcare providers, health plans, and their business associates.
Members of the general public can be identified by “Personally Identifiable Information” (PII). Leaks of PII can lead to compensation claims from every individual whose data was disclosed, which can prove very costly to businesses.
The EU’s General Data Protection Regulation (GDPR) lays out a standard of expected protection for personal data, a broader category than PII. GDPR stipulates that a company that fails to protect personal data adequately can be fined up to 4 percent of its worldwide annual turnover or €20 million, whichever is higher, for each infringement. GDPR also allows individuals to band together behind a representative body and bring collective claims against companies that leak their data.
Another piece of EU law that member states have transposed alongside GDPR is the ePrivacy Directive. This is where the requirement for cookie consent comes from. Combined, GDPR and the ePrivacy Directive create a headache for businesses that hold PII in digital format. The data does not have to be collected on the Web to fall under these laws.
These data privacy standards require companies to implement a Data Subject Access Request (DSAR) mechanism. This allows members of the public to request copies of all of the information held on a system about them. Alongside the right of access, they have the right to ask that mistakes be corrected and, in many cases, to demand that their PII be erased.
The EU is not the only region where data privacy has been codified into law. The most prominent law that mirrors GDPR is the California Consumer Privacy Act (CCPA). The USA already regulated PHI through HIPAA, and card data is covered by the contractual PCI DSS standard, but other uses of PII were largely unregulated at the federal level. CCPA fills in those gaps for California residents.
Brazil’s Lei Geral de Proteção de Dados (LGPD) stipulates a requirement for the protection of PII. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is in effect as a GDPR-like system. South Africa’s version is called the Protection of Personal Information Act (POPIA).
Other jurisdictions are catching up on data privacy legislation. The next US law in this field was Virginia’s Consumer Data Protection Act (CDPA), which took effect in 2023. Many other jurisdictions, notably India, Chile, and China, have been drafting or enacting their own data privacy laws.
Dealing with data privacy obligations
Although there are many different pieces of legislation either in effect or scheduled for launch, there are commonalities to all of them. The basis is that data should be protected from disclosure, loss, or misuse and that there should be a mechanism to inform the general public about how their data will be stored and used, plus a way for them to query their PII records.
A big problem with all of these different laws is that their reach is not limited to the location of the data-holding business; they follow the location of the person that the data is about. So even if your company is based in a jurisdiction with no local privacy law, you can fall under foreign privacy laws as soon as your website collects data from residents of the places that have them.
There is a way around all of these laws: do not hold data about individuals in electronic format. Another option is to decide not to do any business with consumers in places that have privacy laws. Given the global nature of the World Wide Web, you will get visitors from those countries if you have a website. Again, there is a way around this: block visitors who are physically located in areas where privacy law is in force, or allow access to the site but block any data-gathering function for them. Be aware that geoblocking by IP address is imperfect, since VPNs and proxies defeat it, so it reduces exposure rather than eliminating it.
The problem with the decision to just withdraw from business in areas governed by privacy laws is that they tend to cover very lucrative markets.
Data privacy management tools
You don’t need to cut your business’s ties to its most lucrative markets. Fortunately, there are many similarities between all of the existing and emerging data privacy standards. It is possible to introduce a data privacy management solution and keep your company legally trading in all of those places that are covered by privacy laws. As more countries introduce data privacy legislation, a strategy of avoiding these obligations will continuously reduce your business’s areas of operation.
Data privacy management tools address the common requirements of laws and standards around the world, so you can keep trading globally while staying legal. There are several phases to data privacy management that you need to pay attention to. These tasks are grouped under the abbreviation “GRC,” which stands for governance, risk management, and compliance.
Governance refers to the policies, access controls, and auditing that you need in place so that every action on sensitive data is authorized and tracked. Risk management describes the identification of data that needs to be protected and a classification process that grades different types of data according to whether its damage, loss, or disclosure would have serious consequences.
Not all risk issues relate to data that is covered by data privacy laws and standards. Your company will have trade secrets, such as working practices that give it a competitive edge, research for new, innovative products, and price lists that only apply to specific customers. The disclosure of that information wouldn’t incur a fine, but it could seriously damage the business’s competitive advantages.
The compliance part of GRC refers to conformance to particular standards that apply to the types of data that the company holds. Compliance requirements include external auditing, which requires extensive log retention, access controls, data loss mitigation procedures, data usage reporting, and DSAR processes.
During ongoing operations, you will need data security and data management tools to restrict and track access to data stores and block malicious activity.
The best tools for data privacy management
Data privacy management involves a range of tools. Some providers manage to package together just about all of the tools that you will need to adequately protect data from loss or misuse while still making it available for legitimate business processes.
What should you look for in a data privacy management system?
We reviewed the market for data privacy management tools and analyzed the options based on the following criteria:
- A bundle that offers linked services that include many tools needed for data privacy management
- An easy-to-use dashboard that includes graphical data interpretation for rapid status recognition
- A system that includes automated monitoring processes
- Security tools that include file integrity management
- Data protection systems that have backup and restore functions
- An assessment opportunity provided by a free trial or money-back guarantee
- Value for money, with as many of the tools necessary for data privacy management as possible in one bundle
Taking these requirements into account, we assembled a list of practical systems that will help you manage data privacy easily.
You can read more about each of these data privacy management solutions in the following sections.
SolarWinds Security Event Manager is a log management and system security package that will help with compliance with PCI DSS, GLBA, SOX, NERC CIP, HIPAA, and other data privacy standards.
This service is a SIEM system. It searches through log files for suspicious activities and organizes those logs so that they can be queried for compliance auditing. All log files are protected from tampering.
The package also includes a vulnerability scanner for risk assessment plus automated remediation mechanisms should a data loss event occur.
The Security Event Manager runs on Windows Server, and it is available for a 30-day free trial.
SolarWinds Security Event Manager is our top pick for a data privacy management tool because it includes security protection plus activity tracking for standards compliance. This combination of services reduces the number of packages that you need to buy and creates value for money.
Get a 30-day free trial: https://www.solarwinds.com/security-event-manager/registration
Operating system: Windows Server
StandardFusion is a data privacy management service aimed at standards compliance. The standards this package covers include GDPR, HIPAA, PCI DSS, ISO, SOC 2, NIST, CCPA, and FedRAMP. The service helps you adapt your IT system and working practices for standards compliance through a series of questionnaires.
The automated processes in the plan perform a risk analysis that highlights changes that need to be made to make the IT system compliant. It reassesses each change until the system reaches an appropriate state. The StandardFusion package includes data discovery and classification service. It then monitors file access in sensitive data stores, creates logs, and protects log files from tampering.
The system integrates with Jira, Confluence, Slack, OpenID, Duo, and Google Authenticator. This is a hosted service, and it is available for a 14-day free trial.
ServiceNow is a service desk system, and its GRC package can be integrated into that system management tool. The primary tool in this package is risk assessment related to the protection of sensitive data. Risk assessment also extends to the evaluation of third parties and decision support for new projects.
The tool’s governance sections help you establish safe working practices and create a data privacy management policy together with the risk assessment system. Compliance features help you track data protection goals.
ServiceNow Governance, Risk, and Compliance is available for a demo.
N-able Risk Intelligence is a vulnerability scanner for all endpoints on a network that run Windows or macOS. The scanner references the Common Vulnerability Scoring System (CVSS) to rate the risks it identifies. It examines access rights and file permissions and records weak system settings.
The service also scans for sensitive data, categorizes it, and maps its locations. The sensitive data discovery tool searches for email addresses, license plate numbers, bank accounts, social security numbers, ACH data, and credit card numbers. It generates a risk report for each type of PII that it discovers.
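The discovery step these tools perform is, at its core, pattern matching followed by a validity check that discards false positives. The following is an added illustration of that technique in Python; it is not N-able’s code, and the sample text, the three patterns, and the reporting format are all constructed for the example. Card candidates are kept only if they pass the Luhn checksum, and SSN candidates only if they fall inside the ranges the Social Security Administration actually issues.

```python
"""Minimal sensitive-data discovery scanner (added example, not N-able's code).

Regular expressions find candidates; a format check (Luhn for card numbers,
issuance rules for SSNs) drops false positives before anything is reported.
"""
import re
from typing import Dict, List

# Candidate patterns. The card pattern allows spaces or dashes between groups.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return validated findings grouped by data type."""
    findings: Dict[str, List[str]] = {"email": [], "ssn": [], "card": []}
    findings["email"] = PATTERNS["email"].findall(text)
    for m in PATTERNS["ssn"].finditer(text):
        if ssn_plausible(*m.groups()):
            findings["ssn"].append(m.group(0))
    for m in PATTERNS["card"].finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings["card"].append(m.group(0))
    return findings


def mask(value: str) -> str:
    """Report only the last four characters so the scan report is not itself a leak."""
    return "*" * (len(value) - 4) + value[-4:]


# Constructed sample text: the first card is a well-known test number, the
# first SSN uses an unissued 9xx area, and the second card fails Luhn.
SAMPLE = """
Customer: jane.doe@example.com
SSN on file: 987-65-4320
Card: 4111 1111 1111 1111
Order ref: 1234 5678 9012 3456
Employee: 123-45-6789
"""

if __name__ == "__main__":
    for kind, hits in scan_text(SAMPLE).items():
        for hit in hits:
            print(f"{kind}: {mask(hit)}")
```

Run against the sample, the scanner reports one email, one SSN (the 987- number is rejected), and one card (the “order ref” fails Luhn). Masking the reported values matters in practice: a discovery report that lists full card numbers is itself a file the tool would have to classify as sensitive.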
N-able Risk Intelligence is hosted as a SaaS system and is suitable for compliance with PCI DSS, GDPR, and CCPA. The package also reports on security issues surrounding the email system. You can assess N-able Risk Intelligence on a 14-day free trial.
ManageEngine DataSecurity Plus performs File Server Auditing, Data Leak Prevention, and Data Risk Assessment. Each of these modules is also available individually.
Features in the package include a sensitive data discovery tool that assigns a vulnerability ranking to each discovered piece of data. The package examines file permissions and access rights to devices and folders to assist in tightening data security. DataSecurity Plus also includes File Integrity Monitoring (FIM), which records changes to files that hold sensitive data. The service controls USB ports and can block file transfers to removable media. It also examines email attachments.
ManageEngine DataSecurity Plus installs on Windows Server. You can assess it on a 30-day free trial.
Spirion Sensitive Data Manager is a cloud-based service that tracks data on all of your sites plus cloud platforms. It includes a data discovery tool called AnyFind that identifies intellectual property, PII, PHI, and credit card information. A module called Watcher implements data classification for sensitivity and also assesses the vulnerability level of each data store. A module called Spyglass applies security measures to sensitive data stores, such as FIM and data loss prevention.
Spirion Sensitive Data Manager will help you achieve compliance with GDPR, CCPA, HIPAA, and PCI DSS. Spirion offers a demo of the package.
Azure Information Protection searches for sensitive data on your sites or any of your cloud services. It then monitors emails, document access, and data stores.
The actions the Information Protection service takes can be tailored to the standards you must follow, so different types of data receive different levels of protection. It is possible to block the movement, copying, or printing of sensitive data with this tool. The service also encrypts files so that they stay protected both at rest and in transit.
Acronis Cyber Protect includes a backup system, a vulnerability scanner, and a threat-protection system. The backup service can replicate servers, so you are not tied to restoring onto the same hardware. It will back up servers running Windows Server and Linux, and it can also protect virtual servers.
The vulnerability scanner tightens up your system to prevent data loss and the threat protection service further shields data from intruders. Acronis Cyber Protect is available for a 30-day free trial.