GDPR – Everybody’s Got an Opinion…
Now that the dust has settled on Brexit I’m getting a lot of “Is GDPR relevant to us” questions and therefore I thought I would pen my thoughts on the subject in this week’s blog.
The General Data Protection Regulation (EU) 2016/679 is designed to strengthen control over, and protection of, personally identifiable information (PII) beyond what current legislation requires. Through a common set of guidelines and directives it is hoped that a unified approach to data security will be adopted across Europe, with each member state conforming to a single set of rules. This will in turn be enforced with financial penalties, which is one of the main concerns raised when I speak to organisations, as fines can total up to 4% of the worldwide turnover of an organisation.
GDPR is a sledgehammer that will impact any organisation that processes or controls PII and therefore its impact is far reaching and in some instances will mandate that information be monitored for compliance by the appointment of a Data Protection Officer (DPO). The DPO will not only be responsible for ensuring that data is protected but will also need to be knowledgeable about cyber security as they will have a duty to notify governing bodies in the event of a breach in a timely manner.
As if it wasn’t challenging enough already for CISOs, with Chief Digital Officers and Chief Marketing Officers driving the spend on shadow IT, we now have a DPO who has the potential to spend swathes of the IT budget “protecting data”. Maybe the challenge is to get in ahead of the game now?
“But if we’re leaving Europe what does it matter?”
The regulation was adopted by the Council of the European Union and the European Parliament back in May 2016, which means the GDPR will become European law in May 2018. Given that the UK is still currently a member state, we are signed up to adoption when it becomes law in 2018, and therefore UK businesses need to be compliant, as this will predate our exit and separation.
“So where’s the silver bullet?”
Now I’m a big fan of two-speed IT – the concept of rapidly developing IT in the cloud whilst allowing traditional IT to continue at a slower pace – however I don’t believe that GDPR compliance can be delivered either in the cloud or at pace. The challenges facing us are many and varied, which is why a structured approach to compliance will need to be adopted. Digitisation and cloud adoption have not only eroded traditional security perimeters but have also enabled corporate information, and therefore PII, to leak outside of the data centre. Be this to endpoint devices or to cloud architecture, it’s imperative that organisations understand where their data is located, both at rest and in motion.
But where is your data going? Every organisation will have a different use case for what technologies they use to find out where their data is going to but I thought I would list some of the common technologies we use for assisting with this:
- Data Loss Prevention (DLP): whilst a great concept, it is hard to implement and administer unless you already have centrally hosted data stores and a reasonable governance model in place, which is why a managed service may help you understand where your data resides and is moving. But the clue is in the name – DLP helps you prevent the loss of data that you know about or can monitor…
- Data Classification: Likewise, whilst great in concept unless you already work in a heavily governed environment, data classification will not resolve the issue. It will however help provide traceability once you know where your categorised data resides moving forward.
- User Behaviour Analytics: UBA has become this year’s buzzword – I’ve seen DLP, endpoint and a host of other platforms lay claim to providing UBA. Understand the concept before you buy in to the hype – that said, understanding what your users are doing will help identify the non-traditional routes by which data leaves an organisation, be it maliciously or as a result of employees working smarter.
- Access Rights Management: there’s no doubt that the hardest source of data loss to monitor is unstructured data which is why an access rights management solution can help you not only monitor where data resides, but to tighten the security model and permissions whilst ensuring that data is retired and archived in a timely manner.
- Archive Solutions: once a boring subject, the archive platform is one of the most cloud-aware solutions you could have. Developments in this space not only reduce the amount of file duplication but are able to back up unstructured data wherever users choose to place it.
- Cloud Access Security Broker (CASB): Most organisations underestimate their cloud usage by up to 90% and therefore have no accurate view of what data is being stored in unapproved repositories such as online file sharing platforms or social media. Understanding what unapproved services are being used in any given time and what information is being “lost to the cloud” will help greatly in defining and controlling your cloud usage.
The important point to make is that you don’t need to invest in all these to be GDPR compliant and if you are unsure then ask… we have a wealth of experience to help you understand where your data is, how to secure and monitor it and ensure that the right alerting mechanism is in place when data movements deviate from the norm.
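To make the DLP and UBA points above concrete, here is a small added example (not code from the original post or from any vendor product) that does the two things those technologies are described as doing: it scans the content of outbound transfers for PII that you can recognise (here e-mail addresses and Luhn-valid card-like numbers), and it flags a user whose transfer volume deviates sharply from that user's own baseline. The log format, the user names, the destinations and every line in SAMPLE_LOG are constructed for the example; the 10× median threshold is an illustrative choice, not a recommended setting.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log: timestamp, user, destination, bytes sent, snippet of content.
# The final line is a deliberately anomalous transfer containing PII.
SAMPLE_LOG = """\
2018-01-08T09:12:03Z alice share.example.net 120000 "Q4 budget draft"
2018-01-08T10:40:11Z alice share.example.net 95000 "meeting notes"
2018-01-08T11:05:42Z bob webmail.example.org 30000 "lunch?"
2018-01-09T09:30:00Z alice share.example.net 110000 "Q4 budget final"
2018-01-09T14:02:19Z bob webmail.example.org 28000 "travel receipts"
2018-01-10T08:55:07Z alice share.example.net 130000 "slides"
2018-01-10T18:21:33Z bob cloudfiles.example.com 45000000 "customers.csv jane.doe@example.com 4111 1111 1111 1111"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "(.*)"$')
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# 13-19 digits, optionally separated by spaces or dashes; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def parse_log(text):
    """Turn the constructed log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, user, dest, size, snippet = m.groups()
        events.append({"ts": ts, "user": user, "dest": dest,
                       "bytes": int(size), "snippet": snippet})
    return events


def luhn_ok(digits):
    """Luhn checksum: filters out random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text):
    """DLP-style content check: returns the kinds of PII found in a snippet."""
    kinds = []
    if EMAIL_RE.search(text):
        kinds.append("email")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            kinds.append("card-number")
            break
    return kinds


def volume_outliers(events, factor=10):
    """UBA-style check: indices of transfers more than `factor` times the user's median.

    The median is used as the baseline because a single huge transfer barely moves it,
    so the anomaly does not hide its own evidence. Users with fewer than three events
    have no meaningful baseline and are never flagged here.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["bytes"])
    flagged = []
    for i, e in enumerate(events):
        sizes = by_user[e["user"]]
        if len(sizes) >= 3 and e["bytes"] > factor * statistics.median(sizes):
            flagged.append(i)
    return flagged


def review(log_text, factor=10):
    """Combine both checks into a list of alerts, one per suspicious transfer."""
    events = parse_log(log_text)
    outliers = set(volume_outliers(events, factor))
    alerts = []
    for i, e in enumerate(events):
        reasons = (["volume"] if i in outliers else []) + find_pii(e["snippet"])
        if reasons:
            alerts.append({"ts": e["ts"], "user": e["user"],
                           "dest": e["dest"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['user']} -> {alert['dest']}: {', '.join(alert['reasons'])}")
```

Run against the constructed log, only bob's last transfer is reported, for three independent reasons: it is far above his usual volume, and its content contains both an e-mail address and a Luhn-valid card-like number. The point the post makes still stands: the content check only catches PII in formats you have already taught it to recognise, which is why the volume baseline is worth having alongside it.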
GDPR will become a Top 10 agenda item over the next 12 months, so get ahead of the game and start addressing this in your current strategy and investments; only by doing this will you get ahead.