Four things you can do right now to prepare for GDPR compliance
There are fewer than six months to go before the European Union's General Data Protection Regulation (GDPR) comes into effect in May 2018. Are you ready? The new regulation is designed not only to bring greater uniformity to the protection of sensitive data across the EU, but also to better protect personal data that is processed for non-personal purposes.

As the EU's most demanding and far-reaching data privacy regulation to date, GDPR raises the bar for data privacy requirements and expands the definition of what types of data are considered sensitive. As stated in the definitions of Article 4 of the GDPR:

“‘personal data’ means any information relating to an identified or identifiable natural person”

“an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

Since the GDPR affects any company that directly or indirectly controls or processes the personal data of EU citizens, even if the company is physically located outside the EU, organisations in the US and worldwide need to prepare for the coming compliance challenges. Why is advance preparation so critical? For one thing, there are severe financial penalties for noncompliance, as high as four percent of the annual revenue of a violating company.

With this reality in mind, it is incumbent on companies to take specific technical and organisational steps to put industry-standard information security frameworks in place. Many organisations will need to implement technology upgrades and end-to-end protection to meet GDPR's data privacy requirements. Keep in mind that GDPR compliance must be in place by 25 May 2018, so the clock is already ticking.

To help put your company ahead of this year's compliance requirements, here are four steps that organisations can take immediately to put an effective governance strategy in place for sensitive data:

1. Understand the sensitive data landscape of your entire organisation. Visualising the big picture of a company's data landscape can be challenging because there are so many potential repositories across numerous locations, from conventional file shares to Hadoop clusters and database management systems (DBMS). Sensitive data may also be highly unstructured and difficult to locate. And since there is more data than ever before, manual detection and protection are no longer an effective or realistic option.

The right type of data governance solution can detect sensitive data assets wherever they reside, working with all major Hadoop distributions and Windows and Linux file types while supporting a wide range of databases. You should therefore plan to conduct a policy-based discovery effort to locate telephone numbers, account numbers, salaries, email addresses and other confidential personal data. A data-centric governance solution can help you find out what you don't know by pinpointing exactly where this type of sensitive data resides, and it removes the guesswork by auditing the sensitive data that has been discovered. These insights help you determine the strategic next steps: which data should be encrypted and which masked, what data can be published on the Web and what must be kept within the walls of the organisation, and so on.

2. Employ appropriate sensitive data protection controls. It is critical to place appropriate controls on sensitive data to protect it against outsiders as well as insiders. While you may think personal data is safe with your own employees, the fact is that people on the inside know where the crown jewels are, and not everyone can be trusted. Therefore, decide what types of information outsiders and insiders can see, and what they cannot. By selecting a solution that offers data-centric masking, you can safely transform, and thus protect, the data. Also seek a solution that provides data-centric encryption, a two-way protective process that allows data to be decrypted only by those with authorised access, to keep it safe from cyber-crime.

3. Fully automate processes for sensitive data governance. The key here is to protect data at the element level as it enters the corporate network. When the auditing process is automated, the company can understand what sensitive data is connected to, what the data is mingling with, and who is accessing it. By automating these processes with an out-of-the-box solution that requires no programming, companies save time and resources while avoiding compliance costs and added complications.

4. Generate sensitive data reports continuously for data at rest and in motion. Your data governance solution should have monitoring capabilities so that you know in real time when any user, device or system accesses sensitive data. The solution you choose should let you track how and where sensitive data is moving via a 360-degree dashboard. These monitoring reports should show data quantities, as well as how much data has not yet been scanned and how much is being monitored. The reports should also identify which data has alert rules assigned for 24x7 monitoring.
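To make steps 1 and 2 above concrete, here is an added example, not Dataguise's product code or anything from the original article: a small policy-based discovery scan over constructed sample repositories that inventories email addresses, phone numbers and account numbers, summarises the audit per category, and applies one-way keyed masking to the categories the protection plan designates for masking. The file contents, regex patterns, category names and the masking key are all constructed assumptions for illustration.

```python
import re
import hmac
import hashlib
from collections import Counter

# Constructed sample repositories (path -> content); stands in for file shares,
# Hadoop directories and database exports. Every value below is made up.
SAMPLE_FILES = {
    "hr/salaries.csv": "name,email,salary\nAda Lovelace,ada@example.com,72000\n",
    "crm/contacts.txt": "Call +44 20 7946 0958 or mail bob@example.org; account 1234567890123456\n",
    "docs/readme.md": "Nothing sensitive here.\n",
}

# Discovery policy: category -> pattern. Illustrative patterns, not production-grade.
POLICY = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]\d{2,4}){2,4}"),  # international format only
    "account_number": re.compile(r"\b\d{16}\b"),
}

# Protection plan decided after the audit: categories that get one-way masking.
MASK_CATEGORIES = {"email", "phone", "account_number"}
MASK_KEY = b"constructed-demo-key-rotate-in-practice"  # assumption: a per-deployment secret

def discover(files):
    """Map each path to {category: [values]} for every file holding sensitive data."""
    findings = {}
    for path, text in files.items():
        hits = {cat: rx.findall(text) for cat, rx in POLICY.items()}
        hits = {cat: vals for cat, vals in hits.items() if vals}
        if hits:
            findings[path] = hits
    return findings

def audit_summary(findings):
    """Count discovered elements per category across all repositories."""
    counts = Counter()
    for hits in findings.values():
        for cat, vals in hits.items():
            counts[cat] += len(vals)
    return dict(counts)

def mask(value):
    """One-way masking: keyed hash token, consistent across files, not reversible."""
    return hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]

def protect(text):
    """Return text with every value from a masked category replaced by its token."""
    for cat in MASK_CATEGORIES:
        text = POLICY[cat].sub(lambda m: f"<{cat}:{mask(m.group(0))}>", text)
    return text
```

Running `discover` again over the output of `protect` returns no findings, which is the check a reviewer would want before a masked copy leaves the organisation.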

Contributed by Manmeet Singh, co-founder & CEO, Dataguise

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.