PeopleSoft and GDPR: 2018’s Elephant in the Room

Who does GDPR Affect?
  • Does your organization store or process European Union (EU) consumer data?
  • Do you have employees that are citizens of any EU countries?

If you answered ‘yes’ to either of these questions, you’ve probably heard of the European Union’s General Data Protection Regulation (GDPR). GDPR is a regulatory guideline that protects and empowers the information integrity of European citizens. The introduction of this regulation gives citizens of European Union countries discretion over how their personal data should or shouldn’t be used, processed or shared. In addition, GDPR’s introduction calls for stringent compliance with offenders facing steep financial penalties (Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher.)

Specific articles under GDPR’s Compliance Guidelines pose challenges to organizations leveraging PeopleSoft:

Article 15

“The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and purposes, recipients, time period…”  

Challenge:

  • PeopleSoft consists of hundreds of pages that contain personal data processed within them
  • PeopleSoft does not have the means to track all of the instances that a person’s personal data is accessed – let alone tying it to who accessed it, when, and where. This makes capturing access data for even one page extremely labor intensive.
  • Because any data subject can request an audit, this means that organizations have to be ready to respond to dozens or even hundreds of requests
  • PeopleSoft does not allow for masking rules that provide control over how personal data is processed, whereas GreyHeller can both control and log all access by the processor to an individual’s personal data.

Article 33

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.”  

Challenge:

  • Identifying a personal data breach and aligning it to the people impacted is a difficult and manual process, often requiring weeks of analysis. Without a monitoring and logging solution like GreyHeller’s Application Security Platform, it is difficult or (in some cases) impossible to meet this requirement.

Article 35

“The controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”

Challenge:

  • Without a product like the Application Security Platform, which applies controls, measures usage, and helps identify breaches, the assessment would need to involve every key stakeholder in the organization, analyzing all access by users of the hundreds of pages in PeopleSoft with sensitive data. By centrally capturing and controlling this access, the Application Security Platform rules are sufficient for reporting what is already in place.

Time to Establish your GDPR Compliance Plan:

No matter where your organization resides in the world, if you handle any information for EU citizens, you must take steps to ensure your compliance. As stated above, non-compliance penalties are severe.

The larger the volume of PII, the more complex compliance gets. Since GDPR’s enforcement is set to begin starting this May, organizations must be in motion toward a compliance plan.  In case you are behind or are evaluating your next move – consider these (3) steps:

  • Step one – Establish data whereabouts – Identify data locations across your disparate systems and business entities
  • Step two – Put data governance in place – It is imperative to lay out guidelines and policies for appropriate and authorized data access
  • Step three – Prepare for optimum information security – Data breach response has been thrust into the spotlight and a detailed system of alerting and response objectives is mission critical. A data breach can cost your organization millions of dollars in GDPR fines (before the actual clean-up costs.)

Establishing standards and guidelines around data access is key:

You can start with identifying, managing and tagging safe access locations. To establish compliance without compromising the convenience of mobility, you can identify devices, along with establish multi-factor authentication solutions to ensure PII cannot be easily accessed. These solutions are not native to PeopleSoft.

Enhancing how you monitor and log access is key:

Your PeopleSoft environment automatically captures and logs system access information on a broad level. This enables you to go back and look into the details if a data breach occurs, but while complying with GDPR (where you have to report a breach within 72 hours), that’s not going to be an ideal approach or solution. Since no one is constantly monitoring your security log, if or when you notice the breach it might already be too late. Even with good intentions, you could have run out of time before you were even made aware of a threat.

How GreyHeller Application Security Platform Can Solve these Challenges:

GreyHeller’s Application Security Platform enables you to overcome these challenges by employing solutions for multi-factor authentication, location/privilege-based access, enhanced logging, and intrusion response. By layering these solutions within your PeopleSoft applications, you can ensure that the stringent articles of GDPR compliance will not keep you up at night; as these contextually aware solutions are designed to give you maximum influence over what data is accessed, by whom, and how it is used. In addition, incident response solutions ensure that you are on top of any potential threats and ready for any potential compliance audits.

We are here to answer any questions you may have – Get a free security consultation for GDPR compliance today!

Let's Get Started

Request a live demo and consultation with a Solutions Specialist

Request A Demo