GDPR is Live and Dangerous :-)


Prior to GDPR, the legislation protecting personally identifiable information and actively preventing data exfiltration was weak and seen as a toothless tiger. The prevailing view was: ‘if I do not have to tell anybody, and there is no real legislation or authority policing such incidents, then what’s the worst that can happen?’ (see The Stick below). Sadly, the reality is far from this: GDPR has teeth and is VERY live and dangerous.

What is GDPR? You would be surprised at the number of people who know “of” GDPR but not what it really means! For those who don’t know, these resources might be useful:

http://www.dummies.com/education/politics-government/general-data-protections-regulation-gdpr/

https://medium.com/@edagoodman/a-beginners-guide-to-general-data-protection-regulation-gdpr-9d7e847042f2

OK, so let’s get the official bit out of the way. The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organisations across the region approach data privacy.

What does GDPR really mean?

Protection of personal data. What constitutes personal data?

GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This definition allows a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, and reflects changes in technology and in the way organisations collect information about people.

The Stick – It hurts – So what if I do not care or take measures?

Organisations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts. Fines are tiered: for example, a company can be fined 2% for not having its records in order (article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment.

Who has been hit?

You may think it’s too soon for action to be taken… Check out what happened to Hilton Domestic Operating Company Inc (a.k.a. Hilton). GDPR is live and dangerous.

https://digitalguardian.com/blog/hilton-was-fined-700k-data-breach-under-gdpr-it-would-be-420m

Have I been GDPR’d and How would I know?

Simply put – if you have no way of knowing or understanding the data that you keep (structured or otherwise) then you are at risk – you simply cannot manage and ensure governance around what you cannot see. In almost every organisation the visibility to information stored and data types is the most difficult issue to overcome, and as such often gets put in the “too hard” or “we will get to it sometime” bucket.

Visibility is Key

Before deciding whether you have been or will be GDPR’d, you need what few have achieved: the ability to see in the dark. By that I mean that unless you know with certainty what information is created, shared and stored, you have no way of knowing how prepared you are.

The legislation states that you must prove you have taken ‘reasonable’ measures to protect GDPR-relevant information and that you can disclose the information you hold. This can only be achieved if you have continuous visibility into the data you can see, and into the data that resides in the dark (storage, copies, remote locations or, worst case, unsanctioned cloud services). Remember always that non-compliance could mean fines of up to 4% of annual global turnover or €20 Million. You absolutely need to start with visibility: only once you can see everything can you begin to take measured action.

Recommended Steps

Becoming GDPR safe is not a simple task so we are only recommending one area to look into – the one where you are largely in the dark – Shadow IT (use of IT which is not supported or approved by the central IT department – think someone firing up an instance of AWS on their credit card or leveraging DropBox to share files).

Start with assessment tools to look at the level of Shadow IT in your organisation and consider the implications of the corresponding Shadow Data. All too often, people within an organisation share information innocently with each other, or into a cloud service for ease of access. Once the information leaves the corporate perimeter, you lose control and are introduced to unknown risks.

A Shadow IT Assessment is the first step in visibility and will quickly help to uncover and understand where immediate risks can be mitigated. Once that is under control, you have taken the first step.

Next, you need to look within the perimeter and understand what is being created, stored and shared, which is the perfect use case for establishing a Data Loss Prevention policy. Again, start with an assessment. By undertaking a Data Loss Prevention Pilot, you will be able to scan internal file systems and storage areas to understand the data residing there, so that you can then enforce classification policies and controls. This is a very high-level view of course, but the point is, you cannot secure what you cannot manage, and you cannot manage what you cannot see. Visibility is everything, and speed is nothing without control.
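To make the "scan internal file systems to understand the data residing there" step concrete, here is an added example of a minimal data-discovery pass of the kind a DLP pilot runs. It is not Insentra's code or any DLP product's engine: it walks a directory tree, checks text-like files for a few personal-data indicators (email addresses, IBAN-shaped account numbers, phone-number-shaped digit runs) and reports per-file counts, which is the visibility the text says must come before any classification or control is enforced. The sample share it builds, the file names and the values in it are constructed for the demonstration.

```python
"""Data discovery pass for a DLP pilot: find where personal data sits on a file share.

Added example, not Insentra's code. Walks a directory tree, checks each text-like
file for a few personal-data indicators and reports per-file counts, which is
the visibility a pilot needs before any classification or control is enforced.
The sample tree it builds is constructed data for demonstration.
"""
import re
import tempfile
from pathlib import Path

# Indicator patterns. Deliberately simple: a production DLP engine adds
# validation (e.g. IBAN check digits), context keywords and dictionaries.
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# IBAN-shaped token: 2-letter country code, 2 check digits, 11-30 alphanumerics.
IBAN = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
# Phone candidates: digits with common separators on a single line; the digit
# count is checked afterwards so dates and invoice numbers are not reported.
PHONE_CANDIDATE = re.compile(r"(?<!\w)\+?\d[\d ().-]{7,}\d(?!\w)")

# File types treated as text; binaries are skipped rather than decoded blindly.
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".log", ".json"}


def find_phones(text):
    """Return candidate phone numbers with 9 to 15 digits once separators are removed."""
    hits = []
    for m in PHONE_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 9 <= len(digits) <= 15:
            hits.append(m.group())
    return hits


DETECTORS = {
    "email": EMAIL.findall,
    "iban": IBAN.findall,
    "phone": find_phones,
}


def classify_text(text):
    """Map each indicator name to its hit count in text; indicators with no hits are omitted."""
    counts = {}
    for name, detect in DETECTORS.items():
        hits = detect(text)
        if hits:
            counts[name] = len(hits)
    return counts


def scan_tree(root, max_bytes=1_000_000):
    """Scan text-like files under root; return [{'path': ..., 'counts': {...}}] for files with hits."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            # Cap the read so one huge log cannot stall the pilot scan.
            text = path.read_bytes()[:max_bytes].decode("utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skipped here, a real run should log it
        counts = classify_text(text)
        if counts:
            findings.append({"path": path.relative_to(root).as_posix(), "counts": counts})
    return findings


def summarize(findings):
    """Total hits per indicator across all findings."""
    totals = {}
    for finding in findings:
        for name, n in finding["counts"].items():
            totals[name] = totals.get(name, 0) + n
    return totals


# Constructed sample share: two files holding personal data, one clean document
# whose date and invoice number must not be reported, and one binary to skip.
SAMPLE_FILES = {
    "hr/staff_list.csv": "name,email,phone\nAlice Example,alice@example.com,+49 30 123456\n",
    "finance/supplier.txt": "Pay to IBAN DE89370400440532013000 for invoice 4711\n",
    "docs/readme.md": "Project notes: release scheduled 2019-03-01, nothing personal here.\n",
    "bin/image.png": "\x89PNG binary placeholder",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="dlp_pilot_"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    results = scan_tree(sample_root)
    for finding in results:
        print(f"{finding['path']}: {finding['counts']}")
    print("totals:", summarize(results))
```

Run it against a real share by calling `scan_tree("/path/to/share")` instead of the sample tree. The output is an inventory (which paths hold which kinds of personal data, and how much), not a verdict: the design choice of reporting counts per file rather than blocking anything is what makes it a pilot, and the deliberately loose detectors mean the findings are a starting point for classification work, not proof of compliance.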

It is now fair to say that the legislative tiger around the management of personal information has very big teeth. GDPR is live and dangerous, but you don’t have to be afraid; you just need to open your eyes and take measured action.
