Inside Track: Data protection—good for all
Becoming clear

“‘Right to erasure’ will be a challenge for many organisations because their IT teams have tended to hold on to data for a long time simply because they lacked controls for disposing of it” – Kevin Reid, CTO, SureSkills
With little more than a year to go until GDPR becomes law, many of the main issues as they relate to IT are already becoming clear. What is also apparent is that many organisations will need to re-engineer their data storage environments to accommodate what the regulation will ask of them.

There will also need to be a closer understanding of the term ‘data protection’: IT teams interpret it as backups and data recovery, but the business viewpoint is to think of it as holding data securely and in line with regulatory requirements. The key data management principles of GDPR include what is known as the ‘right to be forgotten’, or as Article 17 of the regulation describes it, the ‘right to erasure’. For organisations, this will entail being able to find—and remove—all instances of data pertaining to an individual if that person asks them to do so.

I predict that will be a challenge for many organisations because their IT teams have tended to hold on to data for a long time simply because they lacked controls for disposing of it. Data often falls into multiple categories, from structured or semi-structured application data to unstructured files and folders. Another important principle enshrined in the regulation is the idea of data privacy by design. This means businesses must be more proactive about how they protect information that identifies consumers. To comply with GDPR, organisations will need to ensure ongoing confidentiality, integrity, availability and resilience of the data they store and process. GDPR also calls for notifying the relevant data protection authority within 72 hours in the event of a breach, which is another challenge for organisations: they must know every instance where their data is stored in order to ascertain whether it has been leaked. As I see it, managing the data protection demands created by GDPR will come down to two essential concepts: simplicity and visibility.
Organisations used to try and achieve visibility by adding yet another silo system that took a copy of their data and archived it. Research from IDC has found that many organisations now hold at least copies of each database, which suggests the problem is far from solved. Simplicity can prove similarly problematic. From a systems perspective, many organisations’ IT reaches from external data centres and software as a service platforms to on-premises systems—all with different backup and recovery methods. This complexity hinders compliance and increases risk. From a technology perspective, a system that provides content indexing can make the process of locating and deleting much easier, no matter whether that data has been backed up or archived. SureSkills’ recently launched backup as a service addresses this issue, which is even more pertinent in light of GDPR’s requirements. The service ensures data is protected for the appropriate length of time in the appropriate way with appropriate controls. It uses the enterprise-class technology of Commvault’s platform, and the on-boarding process will address organisations’ needs to identify, organise and control the data they are backing up. There is a lot happening with GDPR, and the smarter organisations are already starting on understanding where their data lies and how they need to manage it more effectively. The regulation will be a big change and a big responsibility, but its obligations can be met with the right combination of professional and legal advice, and with the ability to execute the policies from a technology and tools perspective. Engage with your partners and suppliers to see what level of support they can provide.
Comprehensive approach

“Once an organisation has a clear picture of the personal data they are processing, they then need to perform a privacy assessment to determine if processing is taking place in accordance with GDPR” – Paul Hogan, CTO, Ward Solutions
Key to achieving GDPR compliance is the adoption of a comprehensive approach to ensure that all requirements outlined in the legislation are met. Ward Solutions has developed just such an approach.

Firstly, organisations should perform an initial readiness assessment to gauge their current data privacy maturity and compliance stance. This can then be used to provide a high-level overview of the effort and activities that may be required to achieve compliance.
Following this, organisations should aim to create data inventories for all applications that process personal data throughout the organisation. The data inventory should also address how and why the data was gathered, how it is processed, and whether consent has been specifically given for that processing. Once an organisation has a clear picture of the personal data they are processing, they then need to perform a privacy assessment to determine if processing is taking place in accordance with the requirements of GDPR. Performing a gap analysis is the most effective method of establishing this. Many organisations may already have many of the necessary protocols in place, but they will still need to pay attention to some of the new requirements of GDPR which current legislation does not address. Following on from the privacy assessment and adoption of a risk-based approach, organisations should implement a data protection programme with specific goals to ensure ongoing compliance. Governance and accountability is a recurring theme of GDPR, and where possible we would recommend implementation of or alignment with established standards and frameworks such as ISO 27001. In terms of personal data protection measures, Ward Solutions recommends that, at a minimum, Irish organisations implement technical measures such as Fortinet’s Next Generation Firewall, adopt user access and identity management technologies such as multifactor authentication, optimise data lifecycle management from capture to deletion, and encrypt personal data at rest and in transit. Organisations should also implement measures driven by privacy policies such as staff vetting, staff training and awareness, and policies for BYOD. Finally, under GDPR organisations must inform the authorities of data breaches within 72 hours.
Intrusion prevention technologies, Security Information and Event Management (SIEM) and Incident Response solutions from companies such as IBM can assist organisations in addressing breach notification requirements. As certified experts in Data Privacy, GDPR and Cyber Information Security Governance, Risk and Compliance, Ward Solutions is uniquely placed to provide an end-to-end solution geared towards ensuring that Irish businesses achieve GDPR compliance.