Three steps to prepare for important new rules that will impact how data is managed and governed.
Information volumes are growing dramatically across the globe. This growth creates new requirements for how that information is managed and governed, and it is forcing organizations to rethink their current IT practices.
Perhaps the most complicated and far-reaching of these requirements is the General Data Protection Regulation (GDPR), adopted by the European Union (EU) in April 2016. GDPR sets specific rules on how organizations classify, secure and act on the personal data of individuals in the EU. These rules apply directly to companies established in the EU, and also to organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, people in the EU.
Organizations of all sizes now have roughly 18 months until the regulation becomes enforceable on 25 May 2018. The repercussions of missing that date range from lost customer confidence and sales, through fines (up to EUR 20 million or 4% of global annual turnover, whichever is higher), sanctions and potential lawsuits, to (importantly) the inability to use that information with confidence to drive top-line revenue. On the surface the regulation looks complex and difficult to address, which is exactly why the time to start preparing is now.
GDPR strengthens the position of the individual: it clarifies the law on clear and affirmative consent to data processing, on transfers of personal data outside the EU, on the right to erasure (the "right to be forgotten"), and on the obligation to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, backed by substantial fines for organizations that break the rules. In practical terms, this means organizations must proactively classify their data and have the tools in place to act on it: applying governance and retention policies, detecting and responding to data breaches, and keeping backup and recovery aligned with those policies. The responsibility falls on enterprises not only to understand their data and where it resides, but also to protect it in use, in transit and at rest.
As organizations take a breath and digest what GDPR means for their businesses, it is time to look ahead and understand which processes and technology practices will be critical to complying with it. For enterprises, this means the executives responsible for technology, security, data, risk, compliance and privacy will have to come together to assess current solutions and identify the best approach for their organization.
This can be time consuming and confusing, but it doesn't need to be. To keep things simple and ensure you are ready when enforcement begins, start with these three steps:
Step 1: Understand Your Data
Where to begin? Classification. Organizations subject to GDPR should first assess their data and determine which subset is in scope. Note that GDPR's notion of personal data is broader than the familiar "personally identifiable information" (PII): it covers any information relating to an identified or identifiable natural person, including online identifiers such as IP addresses and cookie IDs. Specific questions you should ask include:
- What and where is the information that falls under GDPR?
- How do I identify the information relating to a specific person, so that I can honour a request for erasure (the "right to be forgotten")?
- How do I apply and enforce policies to manage information in use, in transit and at rest?
- How can I quickly and cost-effectively respond to investigations or legal matters requiring information under management?
- How do I mitigate the risk of a data breach, and what is my plan of action if one occurs?
For organizations to understand what information they hold, where it resides and how it is used, they need greater insight into their data so they can make informed decisions on what to do with it next without undue effort or risk. Given the volumes in play, consider automated discovery and data mapping across both structured (databases, CRM systems) and unstructured (file shares, mailboxes, collaboration tools) data as the initial step. This insight lets organizations classify information automatically and identify the portion that falls under GDPR.
With data mapped at this level of granularity, organizations can replace manual, error-prone processes with policies applied to the right set of information: defensible disposition, migration to specific repositories, security controls, and so on. Organizations that align governance with this insight can dispose of data that has little value to the business and, in doing so, reduce the liability of an accidental breach of previously "dark" data (content nobody knew was there, let alone what it contained).
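The following is an added example, not code from the original article or from any vendor product it alludes to, of what the first pass of Step 1 looks like in practice: detect the identifiers that mark a record as holding personal data (e-mail, IBAN, international phone number), validate IBAN candidates with the ISO 13616 mod-97 check so product codes are not misclassified, index findings by data subject so an erasure request can be answered, and flag records past their retention period that are not on legal hold. The record layout, function names and sample records are all hypothetical and constructed for the example.

```python
"""Added example (not from the article or any vendor product): a first-pass
classifier that tags records holding detectable personal data, indexes them by
data subject so an erasure request can be answered, and flags records past
their retention period.  All names and sample records are hypothetical."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Pattern-based detectors. Regexes are a starting point only: names, postal
# addresses and free-text identifiers need dictionaries or NLP on top of this.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]){11,30}\b")
PHONE_RE = re.compile(r"\+\d{1,3}[ \d]{6,14}\d")  # international format only


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 mod-97 check. Rejects most product codes and order numbers that
    happen to look like an IBAN, which keeps the classifier's false positives down."""
    s = candidate.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s[:2].isalpha() or not s[2:4].isdigit():
        return False
    numeric = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])  # A=10 ... Z=35
    return int(numeric) % 97 == 1


def normalize(value: str) -> str:
    """Canonical form of an identifier so the same person is indexed once."""
    v = value.replace(" ", "")
    return v.lower() if "@" in v else v


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    category: str   # "email", "iban" or "phone"
    value: str      # normalized identifier


def classify_record(record_id: str, record: dict) -> list:
    """Return every personal-data identifier found in a record's string fields."""
    findings = []
    for field_name, text in record.items():
        if not isinstance(text, str):
            continue
        for m in EMAIL_RE.finditer(text):
            findings.append(Finding(record_id, field_name, "email", normalize(m.group())))
        for m in IBAN_RE.finditer(text):
            if iban_is_valid(m.group()):
                findings.append(Finding(record_id, field_name, "iban", normalize(m.group())))
        for m in PHONE_RE.finditer(text):
            findings.append(Finding(record_id, field_name, "phone", normalize(m.group())))
    return findings


def build_subject_index(records: dict) -> dict:
    """identifier -> set of record ids holding it; the lookup an erasure request needs."""
    index = {}
    for rid, rec in records.items():
        for f in classify_record(rid, rec):
            index.setdefault(f.value, set()).add(rid)
    return index


def records_for_subject(index: dict, identifier: str) -> set:
    return index.get(normalize(identifier), set())


def disposition_candidates(records: dict, today: str, max_age_days: int) -> list:
    """Records that hold personal data, are past the retention period and are not
    on legal hold: the set a defensible-disposition policy would delete."""
    cutoff = date.fromisoformat(today) - timedelta(days=max_age_days)
    return sorted(
        rid for rid, rec in records.items()
        if classify_record(rid, rec)
        and not rec.get("legal_hold", False)
        and date.fromisoformat(rec["last_activity"]) < cutoff
    )


# Constructed sample data; the people, IBAN and numbers are test values, not real.
SAMPLE_RECORDS = {
    "crm-001": {"name": "Anna Muster", "email": "Anna.Muster@example.eu",
                "notes": "Refund paid to DE89 3704 0044 0532 0130 00",
                "last_activity": "2016-03-01", "legal_hold": False},
    "crm-002": {"name": "Ben Beispiel", "notes": "Call back on +49 30 1234567",
                "last_activity": "2018-01-15", "legal_hold": False},
    "crm-003": {"name": "Widget", "notes": "Internal SKU AB12CDEF9876543210, no customer",
                "last_activity": "2015-06-30", "legal_hold": False},
    "crm-004": {"name": "Ticket 4711", "notes": "anna.muster@example.eu reported a login issue",
                "last_activity": "2017-11-20", "legal_hold": True},
}

if __name__ == "__main__":
    index = build_subject_index(SAMPLE_RECORDS)
    print("records for erasure request:", records_for_subject(index, "Anna.Muster@example.eu"))
    print("disposition candidates:", disposition_candidates(SAMPLE_RECORDS, "2018-05-25", 730))
```

Two design points matter more than the regexes. First, the IBAN check is where the false positives are removed: the SKU in the third record matches the IBAN pattern but fails mod-97, so that record is correctly left out of scope. Second, the same classifier output feeds both the erasure lookup (the e-mail address appears in two records, one of which is on legal hold and must be handled differently) and the disposition policy, which is the "apply policies to the right set of information" point made above.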
Step 2: Assess Technology Platforms to Ensure Compliance
Many forward-thinking organizations want to use the cloud to store information throughout its lifecycle and to capitalize on the flexibility, pay-for-what-you-use pricing and shared responsibility for infrastructure that the cloud offers. Historically, however, cloud adoption in Europe has lagged other regions because of data sovereignty concerns: many countries restrict the ability of information to leave their borders.
Given the volume of information that may be in question and the potential length of time required to store a subset of that data, many organizations in Europe are now re-thinking their cloud strategy. To that end, a few key questions must be asked.
- Is the data stored and processed within the European Economic Area, and if not, which transfer mechanism covers it (an adequacy decision, standard contractual clauses or binding corporate rules)?
- What security measures does the cloud provider have in place to protect the data, and does its contract meet the processor obligations GDPR places on it (processing only on documented instructions, assisting with breach notification and data subject requests, and deleting or returning the data at the end of the engagement)?
- How can I access this information for investigations and litigation, if necessary?
- Will these cloud-based technologies provide broad enough tools to address the full scope of GDPR, or will I have to bolt on other capabilities over time?
Fortunately, technology frameworks are emerging that address data sovereignty challenges for multinational organizations in Europe and around the world. Many of them also work from a single index (a single source of truth), so new applications for archiving, content management, investigations and e-discovery can be added simply and efficiently as needed.
Step 3: Break Down GDPR into Simple Use Cases
Again, GDPR compliance may seem complex and overwhelming at first, and for some organizations that perceived complexity becomes a reason, deliberate or not, to postpone it. The "wait and see" approach many organizations took to earlier requirements, such as the Federal Rules of Civil Procedure in the U.S., will not pay off this time. GDPR has more teeth and more specificity than most of the requirements that came before it, so the risk is high. Organizations that wait until just before the May 2018 deadline risk not being fully implemented when the requirements take effect, leaving both themselves and their customers' information exposed.
The smart approach is to tackle GDPR compliance in a methodical, modular fashion. Several technology vendors have mapped out specific use cases, such as personal data assessment, defensible disposition, secure content management, litigation readiness and response, adaptive backup and recovery, encryption and pseudonymization, breach response and reporting, and breach prevention and neutralization, that align directly with GDPR requirements and let you get started simply. Consultancies can supplement this by helping you prioritize which use cases to start with.
The post Are You Prepared for the General Data Protection Regulation? appeared first on Strategic Cybersecurity News (http://ift.tt/2cgxiFe).