Deep Dig into GDPR - A Must-Know for Organizations

During the journey to adhere to the GDPR, many organizations stumble on the same challenge: “proving” that personal user or client data is protected. Have you addressed the four things that organizations need to do to ensure compliance with the new security mandate?

EU General Data Protection Regulation (GDPR) compliance is a vast topic, embracing legal, technology, process, strategy, and marketing. The data protection component is just one part of the bigger picture. During the journey to adhere to the GDPR, many organizations stumble upon challenges and difficulties in “proving” that personal data is being protected. The four things that organizations need to do are:

  • Transform their governance and practices (new roles and processes)
  • Protect both structured and unstructured data throughout their lifecycles
  • Detect and report data breaches and leaks (within 72 hours)
  • Reduce IT (and security) costs (for example by deploying digital and cloud services and relying on global, trusted partners)

Let us dig in deeper into the four things all organizations must do:

Transform your governance and practices 

Even though the GDPR is about protecting personal data, it will also change how we work compared with how we work today. Since the GDPR was approved and adopted by the EU Parliament in April 2016, not much has happened in terms of organizational changes to current governance and practices. In some organizations, a DPO (data protection officer) was appointed in the false hope that “now we have someone in place, so we should be good.” In point of fact, however, a DPO is not always needed.

According to GDPR requirements, a DPO must be appointed by: (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, you do not need to appoint a DPO. However, all larger organizations should evaluate the benefits of having one focal point that truly understands the GDPR and the business impact a breach would have. Governance can be performed automatically, with the CRO (chief risk officer) or someone in a similar role, such as the HOC (head of compliance), given 24/7 access to the current status of the organization’s adherence to the GDPR via an online dashboard in order to support the DPO.

Protect both structured and unstructured data

Gathered and stored information is (usually) classified as either structured or unstructured. The former is data stored in fields in a database; the latter normally takes one of eight forms: e-mail messages, word processing documents, videos, photos, audio files, presentations, webpages, and any other kinds of business documents. Although such files may have an internal structure, they are still considered “unstructured” because the data they contain doesn’t fit neatly into a database.

In addition to structured and unstructured data, there is also a third category—semi-structured data. Semi-structured data is information that doesn’t reside in a relational database but that does have some organizational properties that make it easier to analyze.

Structured data is mostly protected by encryption, with clear separation of access based on “need-to-know” and clear ownership and delegation of encryption keys. Unstructured (and semi-structured) data, however, does not have the same rigorous protection, because it is more difficult to establish. The way forward is to ensure that structured, semi-structured, and unstructured data is managed in adherence to data protection laws, and the best way to manage this data is through appropriate software tools.

Detect and report your data breaches and leaks

As I mentioned above, the move toward new technologies will also change overall governance and how we practice compliance within organizations. It will enable organizations to record time-stamped evidence of GDPR adherence and to detect and report (within 72 hours) any breach “that may pose a risk to individuals,” in accordance with the new regulation. Resilience may be the key to enabling organizations to detect and report data breaches effectively, but it also depends on people and staff being trained to handle data breaches in a timely manner. In conclusion, changing the way we work is not only a recommendation, it is a crucial must and, “resistance is futile.”

Reduce IT (and security) costs

Organizations must assess which data will be collected and stored, which data is no longer relevant, and where this data will be located before they select the software tools that best fit their data protection needs. The less data that is needed, the lower the costs for its processing, storage, detection, management, governance, and erasure.
