With the European Union's General Data Protection Regulation (GDPR) having come into effect on May 25, 2018, many organisations are still working through the process of ensuring they are compliant. The regulation is designed not only to bring greater uniformity to the protection of sensitive data across the EU, but also to better protect personal data that is processed for purposes other than personal ones.
GDPR is the EU's most demanding and far-reaching data privacy regulation to date. It raises the bar for data privacy requirements and broadens the definition of which types of data count as personal.
Approved in 2016 by the EU, the GDPR overhauls and modernises existing data privacy laws, many of which date to an era before widespread internet accessibility. The regulation applies to any entity that controls or processes the personal data of European Union (EU) residents, whether that entity is physically located in the EU or not. Companies found in violation of the GDPR can be fined up to four percent of their global annual revenue or €20 million, whichever is higher.
It is incumbent on companies to take specific technical and organisational steps and to proactively adopt industry-standard information security frameworks. Many organisations need to implement technology upgrades and end-to-end protection to help them meet GDPR's data privacy requirements. Here are six "must-haves" that can help companies implement an effective governance strategy for sensitive and personal data:

1. A clear and comprehensive understanding of sensitive data across your organisation. Capturing the big picture of a company's data landscape can be challenging when potential repositories are spread across numerous locations and a variety of platforms, such as Hadoop clusters, database management systems, and file shares. Sensitive data may also be highly unstructured and difficult to locate. And with more data than ever before, manual detection and protection is no longer an effective or realistic option. The right type of data governance solution can detect sensitive data assets wherever they reside, working with all major Hadoop distributions and Windows and Linux file types while supporting a wide range of databases. You should therefore plan to conduct a policy-based discovery effort to locate telephone numbers, account numbers, salaries, email addresses, and other confidential personal data.

2. Data-centric governance. Find out what you don't know by pinpointing exactly where sensitive data resides with a data-centric governance analysis of the environment. Such an analysis removes the guesswork by serving as an audit across data repositories. This insight helps determine the strategic next steps: which data should be encrypted versus masked, what data can be published on the Web versus what must be kept within the walls of the organisation, and so on.

3. Sensitive data protection controls. Placing appropriate controls on sensitive data is critical to protecting it against outsiders as well as insiders. You can't assume that personal data is safe with your own employees; people on the inside know where the crown jewels are, and not everyone can be trusted. Therefore, make deliberate decisions about what types of information outsiders and insiders can see and what they can't. A solution that offers data-centric masking lets you safely transform, and thus protect, the data. Also seek a solution that provides data-centric encryption, a two-way protective process in which data can be decrypted only by those with authorised access, keeping it safe from cyber-crime.

4. Sensitive data governance that is fully automated. The key here is to protect data at the element level as it enters the corporate network. When the auditing process is automated, you will be able to understand what sensitive data is connected to, what other data it is mingling with, and who is accessing it. By automating these processes with an out-of-the-box solution that requires no programming, companies can save time and resources while avoiding compliance costs and added complications.

5. Sensitive data reports that provide insight into data at rest and in motion. Your data governance solution should have monitoring capabilities so that you know in real time when any user, device, or system accesses sensitive data. The solution you choose should let you track how and where sensitive data is moving via a 360-degree dashboard. These monitoring reports should show data quantities, as well as how much data has not yet been scanned and how much is being monitored. The reports should also be able to identify which data has alert rules assigned for 24x7 monitoring.

6. Documentation that supports a predetermined plan. Paige Bartley, senior analyst at Ovum, suggests that organisations who are behind the ball should prioritise the data targeted for control and have documentation in place to demonstrate a plan and the progress made against it. Bartley says, "While this may not seem ideal in comparison to striving for full compliance, it may be more justifiable than a last-minute, uncoordinated rush to meet deadlines. The enterprise that finds itself in this position will be best served to stay the course, sticking closely to its predetermined plans, and documenting the exact steps that were taken to prioritise certain data or objectives over others. As long as good intent and systematic action can be demonstrated, the enterprise will receive a certain degree of insulation from regulatory action."
Contributed by Manmeet Singh, co-founder & CEO, Dataguise.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.