With GDPR officially going into effect last week, what does this really mean? For some organizations it meant an entire revamp of how they run and manage their business, for
GDPR, and really any previous regulation, focuses on data protection and data awareness. You can sum up a large part of GDPR with a few simple questions:
1) What is your critical data?
2) Where is it located?
3) Who has access to it?
4) How is it protected?
The one big difference between GDPR and other regulations is the “right to be forgotten”. Essentially, if a customer says that they no longer want to do business with you, they can request that all of their information be securely removed from your systems. While a simple concept to understand, it is a difficult concept to actually implement in practice when you look at
The fundamental component that GDPR is really driving home is the need for data classification. It is an area that
Compliance is coming to every organization, no matter how big or how small, and if you wait for the regulation to be passed, it will be too little, too late. The bottom line is that data classification is a foundational item required to properly run any business that stores information in electronic form. If your organization does not currently have a data classification program and it is not on your security roadmap, verify that every other item you are working on is a higher priority than data classification.
Remember the golden rule of
1) What is the risk?
2) Is it the highest priority risk?
3) Is your solution the most
An organization will never be
Implementing Data Classification
While data classification is not simple, organizations make it a lot harder than it needs to be. When implementing data classification as a foundation for GDPR, remember a few simple tricks:
1) Keep it simple – instead of implementing a complex multi-tier system, implement a basic classification scheme with two initial levels: public and private. If over time you want to add a few additional levels, you can, but
2) Make everything private by default – many organizations, when they roll out data classification, assume the default level is public. The problem is that if there is critical data that takes 9 months to get to, and it sits as public for that time period, it could lead to a major compromise.
3) Start with new data first – many organizations roll out data classification by starting with the existing data. The problem is that while they are focused on classifying the existing data, the new data grows at a faster rate, which means the project will continue indefinitely.
Centralized Storage and Control
While data classification is a key component of GDPR because you cannot protect what you do not know about, centralized storage and control is another key component, needed in order to implement the “right to be forgotten”. If data can be stored in many places and in many locations, not only is it difficult to manage, but it is difficult, if not impossible, to delete.
If asked what their critical data is and where it is stored, many organizations could tell you. Most likely they would state that client information is the most critical and that it is stored on 5 servers. While they are partially correct that it is stored on the 5 servers identified, it is also stored on 12 other systems they are not
All of the data breaches over the years, combined with GDPR, really emphasize the need for centralized and controlled storage of critical data. While this is being attempted, the most dangerous culprits are laptops. Why are we giving 30,000 employees laptops that each contain 2 TB hard drives and, if that is not bad enough, allowing them to plug in USB drives to make copies of that
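The four questions above, the private-by-default rule, and the erasure problem of copies the inventory does not know about can be modelled as a small central data inventory. This is an added illustration, not code from the original post; the store names, owners, subject ids and the discovery-scan output are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum


class Classification(Enum):
    PUBLIC = "public"
    PRIVATE = "private"


@dataclass
class DataStore:
    """One system that holds records keyed by data-subject id."""
    name: str
    owners: frozenset = frozenset()                           # who has access to it
    classification: Classification = Classification.PRIVATE  # private unless explicitly downgraded
    records: dict = field(default_factory=dict)               # subject_id -> record


class DataInventory:
    """Central register answering: what data, where is it, who has access, how is it classified."""

    def __init__(self):
        self.stores = {}

    def register(self, store: DataStore):
        self.stores[store.name] = store

    def locate(self, subject_id):
        """Where is this subject's data? Every registered store that holds it."""
        return sorted(n for n, s in self.stores.items() if subject_id in s.records)

    def accessors(self, subject_id):
        """Who has access to this subject's data, across every store holding it."""
        return sorted({o for n in self.locate(subject_id) for o in self.stores[n].owners})

    def erase(self, subject_id):
        """Right to be forgotten: delete the subject from every registered store and
        return the names of the stores actually changed, as an audit record."""
        touched = []
        for name, store in self.stores.items():
            if store.records.pop(subject_id, None) is not None:
                touched.append(name)
        return sorted(touched)

    def untracked_copies(self, subject_id, scan_results):
        """Copies seen by a discovery scan (system -> set of subject ids found) that the
        inventory does not know about: an erasure request cannot reach these."""
        return sorted(s for s, ids in scan_results.items() if subject_id in ids and s not in self.stores)


# Constructed sample inventory and scan output (hypothetical systems, not real ones).
inventory = DataInventory()
inventory.register(DataStore("crm-db", frozenset({"sales"}), records={"cust-42": {"email": "a@example.com"}}))
inventory.register(DataStore("billing-db", frozenset({"finance"}), records={"cust-42": {"iban": "<redacted>"}}))
inventory.register(DataStore("marketing-site", frozenset({"marketing"}), Classification.PUBLIC, {"cust-7": {}}))
scan = {"crm-db": {"cust-42"}, "billing-db": {"cust-42"}, "laptop-0113-export": {"cust-42"}}
```

The gap between `locate()` and `untracked_copies()` is exactly the "12 other systems" problem: the erasure only covers what the inventory knows, so discovery has to feed the inventory before a deletion request can be honoured.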
GDPR – The Next Steps
Whether GDPR directly or indirectly impacts you, it needs to serve as a wake-up call that it is time to take a