About the author
Nigel Tozer is Solutions Marketing Director EMEA at Commvault.
Regardless of where in the world you work, every business today needs an understanding of global privacy regulations like GDPR, and how to comply with them.
Over a year on from GDPR’s inception, many businesses are still struggling to implement data strategies that meet this challenging regulation; however, given the risks, and the loss of customer trust you risk by not safeguarding your customers’ data, now is the time to act.
As a starting point, there are five main data strategies that can help you on your data protection journey.
Get to know your data
Data management is complex, and making sure that it doesn’t prevent you from complying with GDPR is difficult. A good starting point is to think of GDPR compliance as knowing what types of data you hold. The data held by businesses, especially unstructured data, often becomes messy because everyone who can access it is able to use it, copy it and change it. When it comes to personal data, many businesses treat it as though they own it, when in fact they are merely its custodians.
Data mapping – pinpointing personal data, its content and its risk profile – helps stakeholders to understand the ‘before and after’ of a breach, which in turn helps to predict where a loss could occur and the potential impact this could have. There are going to be incidents no matter what, so the data protection team needs to plan for the worst, as the regret of knowing you didn’t do everything you could is very unpleasant indeed.
Mitigate the people problem
When it comes to the people in your business, everyone is accountable for data, from the C-level in the boardroom, all the way to the individual teams that make the business happen. The key fact to bear in mind is that ‘you can’t patch people’ – there is no quick fix if your employees are struggling with their role in good information governance.
Every business relies entirely on its employees, yet they always have the potential to be your weakest link; that is no excuse to skimp on training, of course. Education remains the most important factor to consider when working towards GDPR compliance. Employees shouldn’t feel drowned in it, but they should have enough information and training to keep processing activities legitimate and the data they work with secure, keeping the risk of a data breach to a minimum.
It’s also important to foster a ‘no blame’ culture so that staff feel comfortable about reporting a breach; fear really is your enemy in this case.
Don’t let your data take over
Though data is the centre of your business, it should never control it – instead, your business should keep control of your data. It’s important to remember that encryption does not equal infosec, and security does not equal data protection, so don’t fall into the trap of thinking this is the case. Other precautions need to be implemented to ensure that data is only used for its intended purpose, which should also include controls on copy creation. It is too easy to make copies of databases for ‘dev and test’ processes, where data is used without being anonymised. Copy controls can also help to stop un-encrypted or un-anonymised data finding its way onto open cloud shares – a common way for breaches to happen.
It is also valuable to monitor all of the data held on personal devices such as mobiles, laptops and USB drives, and to keep an in-house backup of that data, not only for recovery purposes but also so that the data protection team knows the risk if a device is lost or stolen. If you can remotely encrypt or wipe personal data on those devices, even better, as you will then know exactly where you stand with regard to reporting to the supervisory authority should a breach occur.
Automation is the way forward
Unstructured data is a problem, and it can often be too big a problem to resolve manually. In a typical organisation around 70-80% of data is unstructured, which causes endless management and breach-related headaches. Part of the challenge is that most businesses don’t have a single person that owns this data, and this leads to it becoming unruly and challenging to work with.
There are lots of data inventory and mapping tools available, but they often lack the ability to cover everything from laptops, across heterogeneous on-premises systems and the cloud, including SaaS offerings like Office 365. Control means more than mapping, too: automation based on content, attributes and risk profile is what’s needed for it to become an actual game-changer. Left to users, data spirals out of control; smart automation will expire data appropriately, as well as manage access and location. Not only does this reduce cost, but breach risk is also significantly reduced.
Governance is not a roadblock
Data protection processes will nestle neatly within your wider governance programme, but the two are most definitely not the same thing. Compliance in terms of data protection is about meeting regulations set out by governing bodies, whereas governance encompasses all manner of processes and procedures above and beyond mere legal compliance. Governance can be a USP: being easy to understand and transparent about your use of customers’ personal data can put you in a more trusted position than your competitors. Reputation takes years to build and only seconds to lose; very few businesses survive a large data breach in which the trust that customers had placed in them has been lost.
To avoid this, embedding a culture of good data management and ethical data practices that support good governance in your business really is a must. Getting your employees to live and breathe ‘privacy by design and default’ is better than trying to retrofit it afterwards. They need to learn to think like that anyway; it is part of GDPR after all. By building good governance into your company DNA, you are able to deal with privacy from day one and will be able to slowly develop the measures you need to monitor and manage risk effectively without any excessive costs.
By implementing these five data strategies, businesses can work towards GDPR compliance and ensure that the data they hold is processed appropriately and kept safe and secure. The best data strategies will provide cost savings as well as other efficiencies, and deliver a sound ROI rather than ‘just compliance’. Gaining full visibility of your data and automating its management also means you’re planning for worst-case scenarios. This allows you to make your employees your main focus, so that your data works for your business and not against it.
Nigel Tozer, Solutions Marketing Director EMEA at Commvault