The EU-US Privacy Shield legislation – a replacement for the Safe Harbour pact declared invalid last year – has now been formally adopted. Under Privacy Shield and the existing EU General Data Protection Regulation (GDPR), organisations with trans-Atlantic businesses must ensure US operations fulfil more rigorous data protection standards when managing European data. And though the UK recently voted to leave the European Union, the ICO – Britain's chief privacy regulator – has stated that it will adopt these regulations with minimal changes, regardless of EU status.
Any new regulation brings an inherent risk of non-compliance. To avoid issues, organisations need to understand exactly where any sensitive data is stored. Unfortunately, this is usually much easier said than done. The exponential increase in the amount of data produced makes answering even basic questions about how information is created, stored and managed difficult for many businesses to answer. This lack of insight creates a tremendous amount of risk.
However, there are steps organisations can take to better manage data, reducing their risk of non-compliance, and mitigating potential damages in the event of a cyber-attack. The process starts with knowing which questions to ask.
Asking the right questions
Understanding how your organisation processes, controls, and maintains personal data across borders can be a daunting task. It's also a critical one. When evaluating your data management strategy vis-à-vis new regulations, it's important to go back to the basics and ask who, what, where, when, and how data is managed.
What counts as sensitive data?
The first question to ask is, what does your organisations' sensitive data landscape look like? Sensitive data may look different within every organisation. Retail firms may be most concerned about customer financial data, while pharmaceutical companies may prioritise the protection of trade secrets and intellectual property. Risk management solutions must allow users to create custom definitions for sensitive data. Only then is it possible to properly discover and protect high-risk, high-worth data.
Where is data located (and for what purpose and for how long)?
In the past, security teams worked to manage data that was often stored across multiple geographic locations. Today, virtualisation means security teams must deal with a multi-dimensional landscape with an increasingly large amount of data stored in “borderless” cloud data stores. Security teams need to analyse and differentiate between private networks, cloud repositories, and third-party applications like file shares, office 365, etc. to completely map where sensitive data is stored. So not only do security teams have to find data in a more complex world, the new EU regulations also require organisations to define the purpose for saved data and the retention period of data stored or archived.
Mapping the data landscape will help organisations avoid issues that can commonly occur with regard to data sprawl and data retention. For example, sensitive information often leaves an organisation by accident, as data stored in hidden rows in spreadsheets, included in notes within employee presentations, or as part of long email thread. Companies can avoid accidents like these by scanning the enterprise for sensitive data at-rest to understand where data is located, and then removing that data from unauthorised locations.
Who has access to sensitive data?
Once the questions of ‘what constitutes sensitive data?' and ‘where is it stored?' are answered, access rights should be based on roles and responsibilities within relevant departments or business functions. Unauthorised access to PII is a major source of risk and organisations are often shocked by who has access to information within the company. Employee training is also critical to ensure sensitive data stays with authorised personnel. Organisations need to involve HR to educate everyone about the importance of proper data handling. Understanding the value of data reinforces its value as an asset that needs to be protected, just like physical property.
When is data being transferred?
Perhaps the most important question for maintaining compliance, organisations need to understand when personal data is transferred from within the EU to countries outside the European Economic Area (EEA). Under new regulations, this can't be done unless appropriate protections are in place. it's important to note strict requirements under new cross-border data privacy regulations like GDPR and Privacy Shield – For example, if a user in the US views a file located in the EU, that is considered a data transfer.
And finally, how is data managed?
Understanding the answers to the previous questions allows an organisation to begin building a data-centric privacy strategy to reduce digital risks. To do so requires an up-front investment of thought, energy, and yes budget. In 2016, the Ponemon Institute found that the global average cost of a data breach was US$ 4 million (£3 million), and rising. This does not include additional – and growing – regulatory, legal, and reputational costs. Risks can never be fully eliminated, but with a data-centric approach, they can be managed.
Protecting data and ensuring compliance with the new regulations, like Privacy Shield, is about asking simple, but inherently challenging, questions. Trust is something businesses work to establish with customers every day and, once lost, it is very difficult to regain. Proactive data management policies, combined with the right technology solutions, will make it much easier to comply with the new regulations and reduce digital risk for any business.
Contributed by Fortunato Guarino, solution consultant EMEA, cyber-crime & data protection advisor, Guidance Software