How can businesses manage GDPR’s ‘Terrible Threes’?


GDPR is a ‘threenager’ this year, and despite battling through the terrible twos many organizations are still struggling to protect their data. Last year alone, the UK had the second-highest total value of GDPR fines across the EU, with companies paying £39.7m in total. And, at the start of the year, figures indicated that GDPR fines had reached a staggering £245m.

About the author

Wim Stoop, CDP Customer and Product Director, Cloudera.

The risk of fines is, however, not confined to GDPR. Currently, there are 128 countries with data protection and privacy legislation — including CCPA, PSD2, GLBA and a whole host of other acronyms.

At the same time, the business landscape has changed considerably in the last three years – cue obligatory mention of Brexit and COVID-19. To complicate the data protection challenge, the legislation itself could not have anticipated the fast-track adoption of technologies or the accelerated shift to cloud computing caused by the pandemic. This risk is compounded by an unprecedented uptick in remote working, with employees using home devices and networks that are almost certainly less secure than those found in the corporate environment.

These are not new concerns when it comes to data management and protection, but the issue is that few businesses were prepared for how quickly things escalated. After all, many were focused on digital transformation simply to keep their business going, so security in the design of new systems and processes was often neglected, albeit not through choice. The good news is that valuable lessons have been learnt, particularly when it comes to protecting and managing data to ensure compliance. Through talking with many of our own customers, we can share a few.

Staying ahead of GDPR compliance

There is a shift from reactive to proactive where data security and compliance are concerned. Many companies are starting to take a proactive approach to data security and are recognizing that meeting regulation means laying a solid foundation by adopting the right IT infrastructure. They have started identifying how sensitive each category of data is and assigning a matching level of security, from personal data such as biometrics through to publicly available information like an address or job title. Once data is classified, businesses can apply the appropriate data protection rules, for example restricting access based on clearance requirements and the sensitivity of the material.

For some businesses, this will mean going through a reactive identification process, but a vital one nonetheless, as proactive data management requires getting your house in order first. The next step is closing the gaps in identifying, tracking and classifying all of an enterprise’s data in real time. To do this, establishing a data marketplace or implementing a data fabric gives organizations a secure data repository from which data sensitivity can be assessed from the outset.

As part of establishing a data marketplace, businesses must look beyond the use cases and at the individual sources of information available and understand them from the perspective of quality and metadata. Adopting this process naturally lends itself to privacy compliance being ingrained in the business. Exercising control and awareness of every piece of data means an enterprise can prevent data lockout, reduce friction for employees as a result of data control, and extract the most value from the data.

An oven-ready enterprise data solution

Another key piece of the puzzle in meeting GDPR, and other compliance standards, lies in data protection. For an enterprise to fully benefit from its established security and governance approach, it is good practice to apply the strategy to all its datasets across the business – be they on-site or in the cloud. In this area, businesses have found the use of cloud storage for data management rising considerably, especially as it gives them access to low-cost and scalable solutions.

As a response, enterprise data clouds (EDCs) are growing in popularity. They offer a hybrid and multi-cloud platform that provides security across different environments and harnesses analytics at every stage of the data lifecycle. Data is visible to the organization, no matter where it resides, making it easy to manage. EDCs slot into existing operations and support data functions, enabling data to be fully protected as it flows through the company’s infrastructure into the data marketplace. This ultimately provides trusted, governed data to end users for them to address their business challenges.

The guv’nor: driving from the top-down

To set respected governance standards, businesses are coming to realize that a ‘tone at the top’ approach is crucial to alleviating regulatory compliance challenges and can help decrease cross-border data security complexity. Senior stakeholder involvement in compliance-related projects improves compliance maturity, with training across every level of the organization being an essential component. This approach also encourages, by necessity, a company to break down the different milestones needed to become compliant, which in turn provides a road map to follow.

If a new GDPR rule is introduced, a top-down approach sees the requirements listed and flagged to the relevant departments, highlighting functional changes within systems and documents, as well as policy and procedure updates, and related timeframes and deadlines. Embedding this in the company culture establishes a secure baseline for your systems.

From a cybersecurity perspective, a top-down approach means the IT team is no longer solely responsible for the tech stack. Departments no longer work in silos, and all teams understand the role they play in cybersecurity. Systems are only as secure as the least safety-conscious team member, which brings us to how data privacy and compliance is about more than addressing technology and processing issues; it’s about people too.

The human factor: driving from the bottom-up

The past year has taught many organizations that technology alone is not enough to make a company compliant; the people and processes behind that technology must also be in harmony to ensure that new and existing data protection regulations are abided by.

The rise of remote working, coupled with reduced teams – both symptoms of the pandemic – has highlighted to businesses that although the sensitive data they handle may be encrypted with access restricted, the use of devices outside the network security perimeter poses a real threat. And despite IT leaders trusting their staff, worryingly, almost half of employees working from home confess they are less likely to follow safe data practices, either because they are distracted or because the IT team is not around to watch their actions.

With the modern workplace no longer tethered to an office environment, the islands of governance – whereby employees and departments have safeguards in place to ensure data compliance – are lost. For enterprises to overcome this, an overarching framework that provides a standard for data governance is imperative. This requires proactive data management and the right technology, such as EDCs, operating in unison with informed and experienced staff to drive regulatory compliance from the bottom-up. This combined top-down, bottom-up approach provides the framework for enterprises to set the rules needed for regulatory compliance without underestimating the importance of staff, whose first-hand practical knowledge is fundamental to administering data security protocols.

In a scenario where a data breach occurs, early reporting can reduce not only the damage but also the related fines. Having the tools to identify these breaches is key, but having vigilant staff who know what to look out for and are well versed in spotting anomalies provides that extra edge.

Data protection beyond today

Ever-increasing volumes of data and the security vulnerabilities resulting from remote working mean enterprises need to stay on top of data protection from the start. GDPR, and other data protection legislation, require proof of compliance. And today’s user expects their privacy to be respected and complemented with transparency from those enterprises handling and storing their data. By keeping up to date with, and meeting, GDPR standards, enterprises can not only build public and user trust – benefiting their reputation – but in that process can also create watertight data privacy strategies that keep them compliant with other data management and protection regulations outside of GDPR.
