Regardless of where in the world you work, every business today needs an understanding of global privacy regulations like GDPR, and how to comply with them.
Over a year on from GDPR’s inception, many businesses are still struggling to implement data strategies that help them meet this demanding regulation. However, given the risk and the loss of customer trust you jeopardise by not safeguarding your customers’ data, now is the time to act.
As a starting point, there are five main data strategies that can help you on your data protection journey.
Get to know your data
Data management is complex, and making sure that it doesn’t prevent you from complying with GDPR is difficult. The place to start is knowing what types of data you hold. The data held by businesses, especially unstructured data, often becomes messy because everyone who can access it is also able to use it, copy it and change it. When it comes to personal data, many businesses treat it as though they own it, when in fact they are merely its custodians.
Data mapping – pinpointing where personal data is, what it contains and its risk profile – helps stakeholders understand the ‘before and after’ of a breach, which in turn helps to predict where a loss could occur and the impact it could have. There will be incidents no matter what, so the data protection team needs to plan for the worst; the regret of knowing you didn’t do everything you could is very unpleasant indeed.
Mitigate the people problem
When it comes to the people in your business, everyone is accountable for data, from the C-level in the boardroom, all the way to the individual teams that make the business happen. The key fact to bear in mind is that ‘you can’t patch people’ – there is no quick fix if your employees are struggling with their role in good information governance.
Every business relies entirely on its employees, yet they always have the potential to be the weakest link, and that is no excuse to skimp on training. Education remains the most important factor when working towards GDPR compliance. Employees shouldn’t feel drowned in it; they should have enough information and training to keep processing activities legitimate and to keep the data they work with secure, so that the risk of a data breach stays at a minimum.
It’s also important to foster a ‘no blame’ culture so that staff feel comfortable about reporting a breach; fear really is your enemy in this case.
Don’t let your data take over
Though data is at the centre of your business, it should never control it – your business should keep control of your data. Remember that encryption does not equal information security, and security does not equal data protection, so don’t fall into the trap of thinking either is enough on its own. Other precautions need to be in place to ensure that data is only used for its intended purpose, including controls on copy creation. It is too easy to make copies of databases for ‘dev and test’ work in which data is used without being anonymised. Copy controls also help stop unencrypted or unanonymised data finding its way onto open cloud shares – a common way for breaches to happen.
It is also valuable to monitor all of the data held on personal devices such as mobiles, laptops and USB drives, and to keep an in-house backup of that data, not only for recovery purposes but also so that the data protection team knows the risk if a device is lost or stolen. If you can remotely encrypt or wipe personal data on those devices, even better: you will then know exactly where you stand with regard to reporting to the supervisory authority should a breach occur.
Automation is the way forward
Unstructured data is a problem, and it is often too big a problem to resolve manually. In a typical organisation around 70-80% of data is unstructured, which causes endless management and breach-related headaches. Part of the challenge is that most businesses don’t have a single person who owns this data, so it becomes unruly and hard to work with.
There are plenty of data inventory and mapping tools available, but they often cannot cover everything from laptops, across heterogeneous on-premises systems and the cloud, including SaaS offerings like Office 365. Control means more than mapping, too – automation based on content, attributes and risk profile is what’s needed for it to become a genuine game-changer. Left to users, data spirals out of control; smart automation will expire data appropriately and manage access and location. Not only does this reduce cost, it also significantly reduces breach risk.
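As an added example that is not part of the article, the kind of inventory pass described above, in Python: each record is scored on content (constructed PII patterns), attributes (age against an assumed one-year retention period and encryption state) and location (the dev/test copies, open cloud shares and USB drives the article singles out), and mapped to the actions the article names. All pattern choices, scoring weights, location names and sample records are assumptions made up for the example.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed, illustrative PII detectors (not a production classifier).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "uk_phone": re.compile(r"\b0\d{10}\b"),
    "nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),  # UK NI number
}
RETENTION_DAYS = 365  # assumed policy: personal data expires after a year
RISKY_LOCATIONS = {"dev_test_copy", "open_cloud_share", "usb_drive"}  # per article

@dataclass
class Record:
    path: str
    location: str       # where this copy of the data lives
    last_modified: date
    encrypted: bool
    sample: str         # content excerpt used for classification

def classify(rec, today):
    # Content: which PII patterns appear; attributes: age and encryption state.
    found = sorted(k for k, p in PII_PATTERNS.items() if p.search(rec.sample))
    age_days = (today - rec.last_modified).days
    risk, actions = 0, []
    if found:
        risk += 2 * len(found)
        if rec.location in RISKY_LOCATIONS:
            risk += 3
            actions.append("restrict_access")
            if not rec.encrypted:
                risk += 2
                actions.append("encrypt")
        if age_days > RETENTION_DAYS:
            actions.append("expire")
    return {"path": rec.path, "pii": found, "risk": risk, "actions": actions}

# Constructed sample inventory; every value here is made up.
SAMPLE_RECORDS = [
    Record("hr/payroll.csv", "on_prem_hr", date(2019, 3, 1), True,
           "alice@example.com, NI AB123456C"),
    Record("share/customers_copy.xlsx", "open_cloud_share", date(2020, 5, 15),
           False, "Call bob@example.org on 07700900123"),
    Record("docs/notes.txt", "on_prem_docs", date(2018, 1, 1), False,
           "quarterly planning, no personal data"),
]

def run_inventory(today=date(2020, 7, 1)):
    return [classify(r, today) for r in SAMPLE_RECORDS]
```

The stale on-premises payroll extract is flagged for expiry, the unencrypted copy on the open cloud share for access restriction and encryption, and the file with no personal data is left alone whatever its age.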