SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
GDPR: Where does your organisation stand after the first year?
Mon, 5th Aug 2019

It was the source of much consternation in boardrooms around the world before coming into force in May 2018.

Now, just over a year later, Europe's GDPR (General Data Protection Regulation) rules are still causing stress for many global businesses with European customers.

While Australia has its own privacy laws, GDPR requirements are quite extensive and continue to receive a great deal of mindshare from forward-thinking businesses looking to protect themselves in the future, not just for the here and now.

One of the key requirements of GDPR is that organisations must report any breaches involving personally identifiable data to authorities within 72 hours of their occurrence.

According to a recent report by international law firm Pinsent Masons, the United Kingdom's Information Commissioner's Office (ICO) has received an average of 1267 data breach notifications each month.

Interestingly, 82% of those reports required no action to be taken.

So why are organisations reporting so many breaches that are of no real concern?

One school of thought is that many are fearful of being penalised and would rather wave a flag than not.

However, it also shows there is still considerable work to be done in terms of organisations not only being able to protect their data but also ensuring they know what data they hold and whether that data is compliant.

Streamlining data stores

As organisations grapple with GDPR compliance, one key issue many businesses face is that their data stores are highly distributed and they are unsure of exactly what is being held where.

This can make it challenging to identify exactly what data has been accessed should a breach take place.

It's a trend dubbed ‘mass data fragmentation’ and relates to the growing spread of data across myriad different infrastructure silos and locations.

These locations could be remote offices, in-house servers and cloud platforms.

This situation prevents organisations from readily locating, controlling and securing that data.

The challenge is amplified by the sheer volume of point products organisations are using to manage workloads such as backups and file shares.

Many report using more than six different solutions to get the job done.

Research conducted by industry analysis firm Vanson Bourne found there are also issues with multiple copies of data existing in different locations.

The research found 63% of organisations have between four and 15 copies of the same data.

The picture becomes even more complex when you consider that, of the organisations making use of a public cloud platform, 74% make a second copy and store it in either the same public cloud or another one. Keeping all this secure is no trivial task.

Improving GDPR compliance

Clearly, GDPR is here to stay, and so organisations around the world, including in Australia, must find ways to comply with its requirements while at the same time not overreacting and reporting insignificant incidents.

For those that realise there is still work to be done, there are 10 key steps that should be considered:

  1. Assess current status: Conduct a thorough assessment of where all data within the organisation is stored, who has access to it, and how it is being secured. Check whether GDPR actually applies based on this audit, and discuss if the “best practice” should be to adopt the regulations regardless. This will provide a clear roadmap for any required changes.
  2. Adhere to data minimisation requirements: Make sure you review data retention periods so that data can be retained or deleted based on policies. Companies can use software to automate this process.
  3. Appoint a responsible manager: Consider introducing the role of Data Protection Officer into the organisation even if not necessary by definition of the regulations, and ensure that person fully understands all the requirements of GDPR and local privacy laws.
  4. Consolidate infrastructure: Look for infrastructure solutions that enable you to easily backup, manage and have oversight of your enterprise data from one platform. This will help you not only have better visibility into your data but could help you reduce the number of data copies and reduce instances of having personally identifiable information scattered around.
  5. Deploy the latest search capabilities: It's critical that organisations utilise infrastructure that enables them to search across vast arrays of unstructured data and easily identify where personally identifiable information is located.
  6. Review vendor contracts and SLAs: If data is shared with third parties, ensure they are also GDPR-compliant. Any breach of their systems could easily become an issue for you.
  7. Check insurance policies: In some instances, it is possible to take out insurance to defray the cost of security breaches and similar liabilities. Check the policies currently in place and determine if they are the best fit for current circumstances.
  8. Review marketing: Sales and marketing activities can often involve the collection and usage of personal data. Carefully review all activities in this area to ensure compliance in terms of the materials produced and data received.
  9. Check international activity: GDPR restricts the transfer of personal data outside the European Economic Area. Review how data is being used and whether any data is moving outside this region, including to cloud storage providers.
  10. Consult your legal team: GDPR is a complex set of regulations, some of which are open to interpretation. Take the time to consult your legal team to ensure you are meeting compliance requirements in all areas.

In the year since its introduction, GDPR has led to some significant changes for organisations operating in the European region, but there is still much work to be done.

Despite it originating from Europe, it is absolutely something Australian businesses should be looking to adopt, or at the very least, fully understand.

Taking steps now to ensure compliance will avoid regulatory problems in the future.

It will also help protect your brand in the eyes of consumers who are less likely to trust a brand that has fallen foul of GDPR or had a security mishap that has resulted in customer data being leaked.