The New EU General Data Protection Regulation (GDPR) is coming, and will officially apply from May 25th, 2018. It establishes a single law to enforce European data protection & regulation rules, as well as the right to personal data protection. GDPR has been largely commented upon, especially regarding how non-European big tech companies will have to handle personal data, by the new extraterritoriality rule (Art. 3).
But GDPR is also about how any company must protect and manage their data, prevent breaches and thefts. At a time when Shadow IT and the use of consumer public cloud solutions has never been so high within the enterprise, many companies will be forced to make significant changes to be sure that personal data is not spread across uncontrolled public clouds.
It has even become a necessity since serious infringements to the regulation can lead to a fine up to 4% of a company’s annual revenue (art. 5 & art. 7).
HOW WILL GDPR AFFECT COMPANIES
Making a complete list would be too long, but here are five main points in GDPR that will have a major impact on companies and that any IT Manager should bear in mind
- The right to Erasure and “to be forgotten” (Art. 17): Companies must be able to easily find specific data, target it, and automate the removal of personal data upon request.
- Implement Data protection “by design and by default” (Art. 25): The Privacy by Design (PbD) rule includes minimising data collection, deleting personal data that is no longer necessary, and securing data through its entire lifecycle.
- Records of Processing Activities (Art. 30): companies must implement technical and organisational measures to properly process personal data
- Notification of personal data breach to the supervisory authority (art 33): this will include having a response plan in place.
- Data Protection Impact Assessment – DPIA (Art. 35): Companies should create data protection risk profiles, and assess processing of sensitive data. A Data Protection Officer (Art.37-39) will be responsible for advising on and monitoring GDPR compliance.
GOLDEN RULE N°1: DEFINE A DATA POLICY
One could argue that GDPR simply legislates common sense data security ideas that many IT Departments are aware of. The big change is that they will now have to take actions, with a corporate roadmap and strict governance principles in mind.
First, focus on your data storage infrastructure: identify where personal data is located, and try to build a consistent architecture to be able to track and monitor what becomes with this data.
[easy-tweet tweet=”As soon as you manipulate personal data, you will be accountable for the use you are making of it” hashtags=”Data,IT”]
Then, define an official security policy and share it within your company: data encryption (in transit / at rest), secure access methods (multi-factor authentication…), sharing documents with passwords and expiring links, etc… Identify your criteria, depending on the specificities of your professional activity and your use cases. Also, be very strict about using personal devices (BYOD) inside your company.
GOLDEN RULE N°2: TRACK WHO ACCESSES YOUR DATA
As soon as you manipulate personal data, you will be accountable for the use you are making of it. Very Often, data breaches are caused by mistake made by an end-user and do not involve the infrastructure or IT policy. Sharing data with the outer world cannot be 100% safe, that is why you must be sure that you have enabled all protection options.
You must understand who is authorised to access personal data in the corporate file system, how they access it, and define permissions based on your collaborators’ real usages, beyond their team belonging and titles. In other words, implement “role-based” access controls.
GOLDEN RULE N°3: MONITOR YOUR DATA FLOW
Data Loss Compliance and breach notification requirements place a new burden on IT Departments and data managers. The new IT golden rule is now “always monitor”. You will need to be alerted to suspicious activity and potential security incidents, spot unusual access patterns to files containing sensitive data, and promptly report any exposure to your local data authority.
This underlines the need for adequate solutions, especially regarding file sharing and collaboration tools. File Sharing solutions must come with a powerful Admin Dashboard giving IT Managers the opportunity to have a comprehensive vision of what is going on the platform, get user behaviour analytics (UBA), monitor the sharing processes, devices involved, and draft reports based on all the data he can access to.
GDPR clearly imposes new constraints on companies: turning them into a business advantage requires for IT Departments to define and explain new processes, adapt the IT infrastructure when necessary, and implement the right sharing & collaboration tools on top of it.