Daniel Mintz, Chief Data Evangelist at Looker:
“After the best part of two years of preparation, debate and conjecture, today, the General Data Protection Regulation (GDPR) is upon us.
“From customer communications to employee records and beyond, a significant chunk of information held within a business qualifies as personal data, meaning that, according to the GDPR, it must be controlled, secured and ‘deletable’. Yet, for most organisations, allowing access to analyse such information has typically required copying, exporting and extracting data – leaving a trail of personal data across laptops, servers and systems, both inside companies and third parties. As a result, businesses have been left with disparate data ‘swamps’ that are impossible to search and even harder to manage and protect.
“From the perspective of IT, becoming GDPR compliant is a huge challenge, especially when you’re unaware of how many of these swamps exist, what data is inside, how it’s used, and you don’t know who has access to it. It’s a challenge many are still trying to solve; however, today’s deadline and the threat of severe GDPR punishments have made building a data culture across a company imperative.
“It’s an issue requiring a long-term solution. It can’t be solved by a one-time data swamp clean-up because, if the data analysis tools encourage ‘data sprawl’ – extracting data and moving it to ‘data workbooks’ for analysis – the problem will reoccur.
“Businesses need a single access point for their data, allowing them to see who has accessed it and what they’ve done, all in one centralised, managed and secure place. Only once this is in place can the development of a data governance and analysis strategy, where analysts can provide their organisation with business insights while maintaining compliance with regulation, become possible.
“An easier process. Cleaner data. And GDPR compliant. That’s the modern approach to analytics any data-led business should adopt.”
Joe Garber, Global Head of Product Marketing, Information Management & Governance at Micro Focus:
“It’s official: the GDPR has finally come into force and with it, the face of data regulation has been transformed as we know it. Now is the time to reflect on the changes that both businesses and consumers will see as a result of the legislation overhaul. In the run up to its implementation, there has been a tendency to focus on the negative consequences of non-compliance – perhaps not surprising given the risk of hefty fines and loss of credibility with customers if a business fails to comply with the regulation. Nonetheless, today we should consider the GDPR from a different angle and explore the opportunities it will bring to not only improve privacy and security, but also to help brands discover the real value of data.
“For businesses, the GDPR is a fundamental step to ensure data is managed in a more holistic way, allowing them to gain a greater and more well-rounded view of the information they store. Once the correct processes have been deployed to organise this data and implement analytics tools (and the privacy requirements of the GDPR have been taken into account), useful and accurate insights can be gleaned – a benefit for organisations and consumers alike. Businesses will be able to use customer insights and ultimately grow their business in a way that would not have been possible before. And, as a consumer, I am looking forward to what the GDPR can do for me as an individual, protecting my personal data in a time of severe mistrust around data sharing and use.”
Nigel Hawthorn, Data Privacy Expert at McAfee:
“The GDPR was not intended to be considered an add-on set of policies and procedures changing how data is handled. Instead, all new systems must be designed from the ground up to take into account best practices for data minimisation, which is why, even on deadline day, many companies still aren’t compliant.
“As of today, companies are required to notify a relevant data protection authority of any data breaches within 72 hours of discovery. To help reduce their risk, companies can restrict sensitive information to only managed devices, use behavioural analytics to detect any unusual activity, and must have plans in place to react quickly to correct any threats in the event of a breach.”
Emma Butler, Data Protection Officer at Yoti:
“We’ve been talking about GDPR for a long time now, but it’s still worth remembering that 25th May is the start not the end. It’s the beginning of an ongoing higher standard for privacy compliance and data governance and, like with current law, over time we will all build up experience and identify best practices, understand regulator expectations and have case law set lines in the sand. Businesses need to make sure they have put in place an ongoing data governance and privacy programme to continue the aspects they haven’t done yet, or that aren’t national law yet, and to maintain the higher compliance standards going forward. Anything that was deemed a lower priority still needs to get done long after everyone has lost interest and moved on to other things.
“Often perceived as a burden, GDPR is actually an opportunity for a business to look holistically at its data collection and use practices, see how processes can be streamlined and improved, and do data governance better. It’s about embedding privacy as business as usual and increasing customer trust by doing it well. The GDPR is an evolution of the current data protection law, so businesses that are already compliant with this will find the process far easier than those who are catching up.”
Chirag Shah, CEO and Founding Partner at Nucleus:
“It is important to note that not all businesses will be subject to the same requirements when it comes to GDPR. The key to compliance is knowing what steps you should be taking when it comes to your business specifically.
The GDPR states that some organisations must have a data protection officer (DPO) on board, who will oversee all of its data protection strategies. The appointed data collection officer will also be responsible for overlooking an organisation’s compliance programme.
Whilst it is not necessary for all organisations to appoint a data protection officer, it is recommended that all organisations do so anyway. The DPO will need to act as a point of contact for supervisory authorities, as well as individuals whose data is processed. However, if your organisation strives to meet best practice guidelines, you should appoint a DPO regardless.”
Tim Jesser, Director of Global Product Marketing at Snow Software:
One particularly risky area of GDPR compliance is the prevalence of SaaS usage within organisations. Below, Tim offers his advice on the steps GDPR teams can take to ensure all personal data repositories are accounted for, regardless of delivery platform.
“1 – Establish automated discovery across on-premise and cloud environments
Performing a data inventory is a critical component of GDPR compliance. Automated discovery solutions can help build this inventory not only initially, but ensure it is updated on an ongoing basis as new systems – both on-premises and cloud – are added or removed. Automated discovery solutions help ensure accuracy, as they can sift through thousands of applications and easily identify SaaS solutions that house or process personal data.
2 – Determine what data is shared with vendors and how they handle it
One of the many ways GDPR is complex is that an organisation is responsible not only for ensuring adequate security measures are in place in its own environment, but also in the environments of vendors with whom it shares the personal data of its customers. Since many controllers share personal data with processors via SaaS applications, knowing what SaaS data you have will enable you to identify the vendors that are processing this personal data.
3 – Categorise personal data by type and know where it resides
Many GDPR processes require organisations to know not only where personal data resides, but what type of personal data is stored. For example, to manage a “right to be forgotten” request, companies must be able to find the personal data for a specific subject and then segment out what data needs to be deleted and what should be kept.
4 – Govern access to personal data
As with automated discovery solutions, most organisations do a reasonably good job of maintaining access controls for on-premise data repositories. Again, in parallel with discovery, these controls break down when it comes to SaaS-based personal data repositories. When it comes to SaaS, organisations frequently rely on simplistic access control hierarchies that give a wide swath of users visibility to personal data. Establishing access visibility and control for all personal data repositories, including SaaS-based repositories, is a critical component of GDPR compliance.”
Rob Price, Pre-Sales Consultant at Snow Software:
“Though having a watertight process and the performing of rigorous technological checks may be two key components to ensure compliance, instilling the right culture will be critical to guarantee that employees adhere closely to what’s required of them. Typically, the road to compliance can be portrayed as too technical, which can, in turn, lead to a breeding ground for misinformation. Instead, organisations should be focusing on improving employee understanding, instilling a culture of the foundational tenets of compliance, and, given the harsh realities of today’s cyber climate, providing constant reminders of the importance of protecting data. Only then can they move on to establish concrete processes, which is where self-assessment and the identification of gaps comes into play.
Some basic steps, like setting up a cross-functional data governance team made up of the data protection officer (DPO), IT leaders and business leaders from a range of functions including Compliance, Legal, HR, Customer Service and Marketing, are a solid starting point. These are the individuals who can help the importance of customer data protection become woven into the fabric of a business model. By repeatedly emphasising the importance of data protection, CIOs will set themselves, their teams and their organisations up for success. And positioning data privacy front and centre will enforce a company culture that can truly help to deliver GDPR compliance collectively.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.