We, the public, all want to believe that any company or organisation we disclose our personal information to is doing its utmost to ensure our data doesn’t fall into the wrong hands. These regulations turn that ‘belief’ into an assurance.
What can your organisation do, and what should you focus on, in order to adhere to these regulations? Well, there are four key areas I would recommend focusing on: Classification, Metadata (retention), Governance and Monitoring. The challenge is tying a number of IT solutions together so that you have an at-a-glance overview of all four areas. The good news! With a little research you will find there are a few all-encompassing products that cover all of these areas. We don’t need to re-invent the wheel; the solutions are there!
Here are the four key areas, mentioned above, and a brief explanation of their relevance to the new EU regulations:
- Data classification – Know where personal data is stored on your systems, especially in unstructured formats such as documents, presentations and spreadsheets. This is critical both for protecting the data and for following through on requests to correct and erase personal data.
- Metadata – Because the regulation limits data retention, you’ll need basic information on when the data was collected, why it was collected and what its purpose is. Personal data residing in IT systems should be periodically reviewed to see whether it still needs to be kept.
- Governance – With data security by design and by default now the law, companies should focus on data governance basics. For unstructured data, this should include understanding who is accessing personal data in the corporate file system, who should be authorised to access it, and limiting file permissions based on employees’ actual roles – i.e., role-based access controls.
- Monitoring – The breach notification requirement places a new burden on data controllers. Under the GDPR, the IT security mantra should be “always be monitoring”. You’ll need to spot unusual access patterns against files containing personal data, and promptly report an exposure to the local data authority. Failure to do so can lead to enormous fines, particularly for multinationals with large global revenues.
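To make the governance and monitoring points concrete, here is an added example (not from the article and not from any product it alludes to) that runs over a handful of constructed file-server audit lines. It assumes a classification step has already tagged which files hold personal data, applies a simple role-based access policy to each event, and flags any user whose daily volume of reads against personal-data files jumps well above their own earlier average. The file paths, users, roles, log format and thresholds are all made up for illustration.

```python
"""Added example: role-based policy check plus volume-anomaly detection over
constructed file-access audit events. Nothing here is from a real product."""
from collections import defaultdict
from datetime import datetime

# Output of a (hypothetical) classification step: files tagged as holding
# personal data. Constructed for this example.
PERSONAL_DATA_FILES = {
    "/shares/hr/payroll_2023.xlsx",
    "/shares/hr/employee_records.docx",
    "/shares/sales/customer_contacts.csv",
}

# Role-based access policy (constructed): which roles may read which shares.
ROLE_ALLOWED_PREFIXES = {
    "hr": ("/shares/hr/",),
    "sales": ("/shares/sales/",),
    "engineering": ("/shares/eng/",),
}
USER_ROLES = {"alice": "hr", "bob": "sales", "carol": "engineering"}

# Constructed audit lines in the form "<ISO timestamp> <user> <action> <path>".
SAMPLE_LOG = """\
2023-05-01T09:00:00 alice read /shares/hr/payroll_2023.xlsx
2023-05-01T09:05:00 alice read /shares/hr/employee_records.docx
2023-05-02T09:01:00 alice read /shares/hr/payroll_2023.xlsx
2023-05-02T10:00:00 bob read /shares/sales/customer_contacts.csv
2023-05-03T09:00:00 alice read /shares/hr/employee_records.docx
2023-05-03T11:00:00 carol read /shares/eng/design.md
2023-05-04T08:30:00 bob read /shares/sales/customer_contacts.csv
2023-05-04T08:31:00 bob read /shares/sales/customer_contacts.csv
2023-05-04T08:32:00 bob read /shares/sales/customer_contacts.csv
2023-05-04T08:33:00 bob read /shares/sales/customer_contacts.csv
2023-05-04T08:34:00 bob read /shares/sales/customer_contacts.csv
2023-05-04T08:35:00 bob read /shares/sales/customer_contacts.csv
2023-05-04T23:10:00 carol read /shares/hr/payroll_2023.xlsx
"""


def parse_log(text):
    """Parse audit lines into (day, user, action, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts).date(), user, action, path))
    return events


def policy_violations(events):
    """Governance check: any access to a path outside the user's role.
    Unknown users or roles have no allowed prefixes, so they are reported."""
    findings = []
    for day, user, action, path in events:
        allowed = ROLE_ALLOWED_PREFIXES.get(USER_ROLES.get(user), ())
        if not path.startswith(allowed):
            findings.append((str(day), user, path))
    return findings


def volume_anomalies(events, factor=3.0):
    """Monitoring check: count each user's daily reads of personal-data files
    and report any day exceeding `factor` times that user's average over the
    earlier days seen (a user with no history cannot be flagged yet)."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, user, action, path in events:
        if path in PERSONAL_DATA_FILES:
            per_day[user][day] += 1
    findings = []
    for user, days in per_day.items():
        history = []
        for day in sorted(days):
            count = days[day]
            if history and count > factor * (sum(history) / len(history)):
                findings.append((str(day), user, count))
            history.append(count)
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in policy_violations(evs):
        print("policy violation:", f)
    for f in volume_anomalies(evs):
        print("volume anomaly:", f)
```

On the constructed log, the policy check reports carol (engineering) reading an HR payroll file, and the volume check reports bob's six reads of the customer contacts file on 4 May against a baseline of one per day. In practice the baseline would be built over a longer window and the classification tags would come from a real scan of the file shares, but the two checks are exactly the "who should be authorised" and "spot unusual access patterns" questions the list above raises.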
Want to know more? Please do not hesitate to contact us here