Story image

Managing the information paradox in the NDB/GDPR era

26 Jun 18

Article by M-Files Australia and New Zealand alliance and partner director Nicholas Delaveris

Recent legislation in Australia and overseas puts more stringent requirements around businesses collecting and retaining personal information.

The Australian government’s mandatory notifiable data breaches (NDB) scheme and Europe’s General Data Protection Regulation (GDPR) both demand that organisations protect individuals’ data and notify the appropriate authorities if a breach happens.

While GDPR is primarily a European law, it applies to any business that interacts with a citizen of the European Union, which means many Australian businesses will be affected. 

This creates a paradox for businesses who both rely on information and need to protect that information.

Compliance with these new pieces of legislation demands that businesses have unprecedented visibility into the information they collect and store and that they be able to demonstrate how that data has been treated. 

Businesses need to make information available at the right time on any device so employees can do their jobs.

But they also need to control that information and make sure no unauthorised person can access it.

These two goals have traditionally been somewhat incompatible.

To overcome this issue, businesses need a solution that helps manage compliance and audits, while making it simple for people with the right permissions to access the data they need.

Compliance is mostly about being able to demonstrate control.

It’s about being able to identify who has accessed information, whether they’ve edited or shared it, and when.

Flat file stores are hard to control and, as people leave and join the business, keeping track of access permissions and history gets tangled.

Businesses, therefore, need to take a process-based approach to becoming compliant with NDB and GDPR legislation.

That means taking a step back and gaining an overarching view of data including where it resides and what policies apply to it.

Everyone in the organisation should understand how data needs to be managed and be able to comply with those requirements.

This should be an ongoing process.

Privacy-related legislation tends to include requirements around what personal data can be collected and retained and for what purposes, as well as how businesses must respond to requests for that information either from the individual whose information is stored or from third parties. 

Businesses need to be able to react fast and appropriately when they receive requests for data.

They need to know what data can be shared and what data must never be shared.

If a person requests their own data, the business must be able to provide it immediately.

It’s not good enough to say they couldn’t find it or they assume it has been destroyed; they need to be able to prove it. 

Organisations need a solution that tags the data with information such as whether it contains personal details, how long it needs to be kept for, and why it needs to be kept.

If it shouldn’t be kept, the organisation needs to be able to demonstrate that the data has been destroyed.

If the organisation hasn’t destroyed the data, it needs to be able to demonstrate that it’s keeping the data for legal and legitimate reasons. 

Managing this process manually is difficult, and businesses can look at automation to simplify these processes.

The cost of trying to maintain compliance without an appropriate, metadata-driven content management tool is prohibitively high.

Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.
Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.
Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.
Cylance makes APIs available in endpoint detection offering
Extensive APIs enable security teams to more efficiently view, enrich, and contextualise real-time intelligence collected at the endpoint to keep systems secure.
SolarWinds adds SDN monitoring support to network management portfolio
SolarWinds announced a broad refresh to its network management portfolio, as well as key enhancements to the Orion Platform. 
JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t. 
Pitfalls to avoid when configuring cloud firewalls
Flexibility and granularity of security controls is good but can still represent a risk for new cloud adopters that don’t recognise some of the configuration pitfalls.
Securing hotel technology to protect customer information
Network security risks increase exponentially as hotels look to incorporate newer technologies to support a range of IoT devices, including smart door locks.