Why data privacy without data visibility doesn't cut it for GDPR

Image Credit: Shutterstock (Image credit: Wright Studio / Shutterstock)

We’re approaching the first anniversary of the General Data Protection Regulation (GDPR). Unfortunately, some companies still aren’t making the grade when it comes to protecting data. 

Most notably, Google earlier this year was fined €50 million by the French data protection authority CNIL for violations under GDPR. It was widely reported that the tech giant was penalised for not being transparent enough about how data is collected for the personalisation of ads and not getting proper user consent. While the financial penalty may be a drop in the ocean for Google, it shows that regulators are serious about leveling fines against companies that gather and use customers’ data without appropriate disclosures and permissions. 

Considered the most important change to data privacy regulation in 20 years, GDPR has inarguably impacted the way in which data is protected and shared across every business sector. For organisations at risk of running afoul of GDPR rules and facing penalties of their own, there are a few problem areas they should first look to correct. 

Two key problem areas

Firstly, it cannot be stressed enough that getting serious about data privacy means organisations must begin by getting really serious about data security and data visibility. Gaining true data visibility means an organisation knows where their data is, how it’s being used, who’s sharing it and for what purpose. Today, it’s increasingly difficult to determine where data is because it isn’t restricted just to user endpoints. It also extends beyond traditional security perimeters to cloud collaboration services. Achieving true visibility over data, and therefore having an accurate inventory of data, is a considerable challenge for many security teams.

Secondly, companies must establish continuous data handling practices to ensure that data is always used and shared properly — or face the penalties. Without the proper security tools to achieve data visibility, companies won’t be able to implement a sustainable auditing process, which is necessary in order to validate that they are using data in line with their data privacy program.

Image Credit: Shutterstock

Image Credit: Shutterstock (Image credit: Shutterstock)

Privacy starts with visibility 

Because GDPR is not a once and done regulation, it places an imperative on companies to implement programs, processes and technologies that provide ongoing visibility to data regardless of where it lives and moves. With the help of the right technology tools, organisations can more easily evaluate how their data is used and shared. 

These visibility requirements are motivating organisations to look for data security solutions that streamline and strengthen their data handling processes so they can meet GDPR requirements and other regulatory measures. These solutions are characterised by the ability to:

  • Provide point-in-time, comprehensive data inventory so companies always know where their most important data is located. Manual data inventories are no longer sustainable due to the speed at which data moves and evolves within an organisation.
  • Monitor file exfiltration activity to provide full visibility into all files being moved or shared with external parties.
  • Preserve files to satisfy security investigations and retention requirements related to compliance and legal needs.
  • Audit data use. Most companies don’t take this important step to verify they are using data in line with the data privacy policies they set.

In today’s increasingly regulated world, it’s important to have the tools in place to verify with confidence that a data privacy program is working properly. The right data security solutions offer companies peace of mind that they have upheld their commitment to data privacy and complied with regulations.

Richard Agnew, VP EMEA at Code42 

Richard Agnew

Richard Agnew, VP EMEA, Code42, is a veteran of the UK IT industry having held management roles at EMC, NetApp and Veeam. For Code42, Richard is responsible for growing EMEA. He jopined in July 2020.