It's 10 o'clock, do you know where your PII is?
In May 2018, GDPR (General Data Protection Regulation) came into effect. Even though this is Euro-centric, it caused ripples through many Australian companies. I saw varying responses, ranging from the blasé 'this is a European directive and has nothing to do with us' to a panicked 'what do we need to do?'
At the time I was working for a service provider at an Australian company, and they were very concerned about GDPR. Representing my employer, I attended multiple meetings with contract managers, lawyers, IT and business unit executives to assess the potential impact of GDPR.
The customer elected to perform discovery to identify if and where GDPR data resided, and then assess whether existing controls provided appropriate protection.
So far so good, right?
Wrong.
‘Discovery’ in this case consisted of teams of people armed with clipboards and a pen, who interviewed system owners and asked them if the systems under their remit contained any GDPR data.
Once we had this ‘audit’ complete, security controls were assessed to determine whether they actually covered the systems hosting GDPR data, and whether the technology provided appropriate protection.
While this approach may have provided the company with warm and fuzzy sensations, at the risk of stating the obvious, there were concerns about the approach:
- Relying on system owners to provide information is flawed. Most system owners didn’t know if they had such data, or where this critical data resided.
- Even if system owners knew where critical data resided, they didn’t know if uncontrolled versions of this data existed elsewhere.
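To make the second concern concrete, here is an added illustration (Python, written for this page, not a tool the author or the company used) of what a content-based discovery pass finds that a clipboard interview cannot: files holding PII outside the systems an owner declared, and verbatim copies of a declared dataset sitting elsewhere. The detector patterns, the declared path (`crm`), and the sample files are all constructed assumptions for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from tempfile import TemporaryDirectory

# Hypothetical detectors for the example. A real discovery programme would use
# validated checks (checksum digits, context words, sampling) to cut false positives.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "au_mobile": re.compile(r"\b(?:\+61|0)4\d{2}[ -]?\d{3}[ -]?\d{3}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str          # relative to the scan root
    pii_types: tuple   # detector names that matched
    declared: bool     # True if inside a system the owner declared as holding PII
    sha256: str        # content hash, used to spot verbatim copies


def detect_pii(text: str) -> tuple:
    """Return the names of every detector that fires on this text."""
    return tuple(name for name, rx in PII_PATTERNS.items() if rx.search(text))


def scan_tree(root: Path, declared_paths) -> list:
    """Walk every file under root and record those that contain PII."""
    declared = [root / p for p in declared_paths]
    findings = []
    for f in sorted(root.rglob("*")):
        if not f.is_file():
            continue
        try:
            raw = f.read_bytes()
        except OSError:
            continue
        types = detect_pii(raw.decode("utf-8", errors="ignore"))
        if not types:
            continue
        is_declared = any(d in f.parents for d in declared)
        findings.append(Finding(f.relative_to(root).as_posix(), types,
                                is_declared, hashlib.sha256(raw).hexdigest()))
    return findings


def uncontrolled_copies(findings) -> list:
    """Files holding PII outside every declared system: the gap interviews miss."""
    return [x for x in findings if not x.declared]


def verbatim_duplicates(findings) -> dict:
    """Group findings by content hash; keep only hashes seen in more than one place."""
    by_hash = {}
    for x in findings:
        by_hash.setdefault(x.sha256, []).append(x.path)
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for the example; not real records."""
    customers = "name,email,mobile\nJane Citizen,jane@example.com,0412 345 678\n"
    (root / "crm").mkdir()
    (root / "crm" / "customers.csv").write_text(customers)          # the declared system
    (root / "shared" / "exports").mkdir(parents=True)
    (root / "shared" / "exports" / "customers_2018.csv").write_text(customers)  # verbatim copy
    (root / "home" / "alice").mkdir(parents=True)
    (root / "home" / "alice" / "followups.txt").write_text("Call jane@example.com re renewal\n")
    (root / "home" / "alice" / "readme.txt").write_text("Nothing sensitive here\n")


def demo():
    """Build the sample tree, scan it with only 'crm' declared, and return the results."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = scan_tree(root, ["crm"])
        return findings, uncontrolled_copies(findings), verbatim_duplicates(findings)


if __name__ == "__main__":
    found, leaks, dups = demo()
    for x in leaks:
        print(f"PII outside declared systems: {x.path} {x.pii_types}")
    for h, paths in dups.items():
        print(f"Identical content at {paths} ({h[:12]}...)")
```

With `crm` as the only declared system, the scan reports two files the interview would have missed (the export under `shared/` and a personal note under `home/`), and the hash grouping shows the export is a byte-for-byte copy of the CRM extract. The point of the hash is that finding the copy tells you which declared dataset it came from, which is what a control assessment needs in order to decide whether the existing protections actually cover it.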
However, the real issue wasn’t GDPR; it was protecting Personally Identifiable Information (PII). And this organisation didn’t have a handle on where PII existed.
It took fear of a European regulation to start their journey, and this shouldn’t be the case.