GDPR and Why You Should Care
GDPR–General Data Protection Regulation—has been enacted by the European Union (EU) to provide individuals with greater visibility and control over the personal information collected by others. You might think this is all about Google, Facebook and Twitter. And you’d be right. But only partly right.
GDPR applies to:
- Organizations in the EU.
- Organizations that offer goods and services in the EU, regardless of where those organizations are located.
- Organizations that collect and analyze information associated with EU residents. (And again, regardless of where the organization is located.)
So, the odds are pretty good that GDPR is going to apply to your organization. Let’s talk about how to manage compliance with GDPR.
The first step is to figure out what personal information your organization is storing now. You want to consider any information that could be used to identify a person. This includes information such as:
- Physical location
- Social media posts
- Website cookies
- IP address
- Email address
- Banking information
Where might such information be stored? Start with email. Most customers don’t have a policy to regularly purge email. And those organizations with such a policy might be ignoring user-created .PST files. Also, most organizations don’t use programmatic means of keeping certain kinds of information (such as Social Security numbers) out of email. So email is a treasure trove of potential user information that you need to examine.
Here are some other potential information stores:
- Databases (including those ad hoc Excel spreadsheets)
- Removable media
- Log files
- Backup files
Here is where you begin to appreciate how easy it has been to create and store data.
Now that you have an idea of what kind and amount of personal data your organization has on hand, it’s time you started managing it.
A good first step is this: get rid of any personal data that you don’t need to run the operations of your organization. When you thought that the only cost of data was storage costs (and those continue their dive downward), it didn’t matter if people collected data they didn’t need. Now you understand that a big cost of personal data is keeping it properly managed. So, make the problem smaller by getting rid of any personal data the organization doesn’t absolutely have to keep.
Now that you’ve purged unnecessary data from the organization (and didn’t that feel good??), you have a smaller pile of data. And that data must be properly managed. This means creating and enacting policies and procedures connected to this data. These policies must address how the data is treated. The policies and procedures must also address who has what role or responsibility in the handling of the data.
For instance, how will you handle data at rest? In transit? How will you store data? When will you dispose of data? How will you dispose of personal data? Who can access the data? Under what circumstances? With what controls?
We know that not all data has equal importance or sensitivity, so we’ll need to develop a classification system. We’ve seen classifications such as:
You might not need all these classifications. And you might have others. What’s important is that you know what defines each classification level. Once you have the levels in place, you can define how data at each level is going to be handled, stored, accessed, retained, and retired.
Now we come to the part you thought would come first. How do we protect the personal data we store from attack? Traditionally, we would focus on protecting the places where the information is stored. We would also control who has access to the information. Both of those approaches are still important. But we also must recognize that it’s easier than ever to transmit data “into the wild.” A user might copy information on to a removable flash drive and leave the drive somewhere. We’ve heard plenty of stories about lost or stolen laptops that contained private information.
We know we can’t rely on a “walled garden” approach alone to protect data; it’s important to protect the data itself. We have to enact controls that specify who can access the data and what they can do with the data. These controls have to be “attached” to the data files themselves.
Lastly, we have to maintain records associated with the data. We’ve already handled some of the reporting requirements via the policies and procedures covered earlier. The policies and procedures will answer questions of how the data is classified and protected.
In addition, we will want to
- Maintain lists of who has requested data
- Record which external parties have been granted access to the data (and for how long)
- Maintain audit logs of activities connected to the data
- Keep records of attempted or successful data breaches
- Review compliance with GDPR and other privacy regulations the organization addresses
Help is Available
You can see that managing GDPR compliance is more than buying an appliance or a service and moving on. In fact, it’s as much a management challenge as anything. And we know that no one in IT has gobs of spare time waiting to be consumed by GDPR.
Fortunately, there are tools and services available that can help manage, protect and report on data. And there are consultants (ahem) that can work with you to put the appropriate policies and procedures together. If you want to know more about what tools and other assistance might be right for your organization, just let us know.
It’s Best to Lead
We’re not going to hit you over the head with details of the fines that can be imposed for lack of GDPR compliance. Frankly, there’s enough vagueness in the regulations that there will inevitably some sorting out of what the regulations mean.
That said, ask yourself this question. Is it wiser to take the steps toward GDPR compliance now when you can determine the pace of your activities? Or would you prefer to wait until you’re being cited for non-compliance and you have to stop everything else to get this work done?
Be smart. Get out in front of GDPR compliance. Treat the work as an opportunity to accomplish some much-needed data management. You’ll be glad you did.
Here are links to some further reading and resources on GDPR.
What is an information asset? http://bit.ly/2GTkisz
GDPR terminology definitions: http://bit.ly/2JfDbnM
More advice on GDPR compliance: http://bit.ly/2Gyw50c