Story image

Managing the information paradox in the NDB/GDPR era

26 Jun 2018

Article by M-Files Australia and New Zealand alliance and partner director Nicholas Delaveris

Recent legislation in Australia and overseas puts more stringent requirements around businesses collecting and retaining personal information.

The Australian government’s mandatory notifiable data breaches (NDB) scheme and Europe’s General Data Protection Regulation (GDPR) both demand that organisations protect individuals’ data and notify the appropriate authorities if a breach happens.

While GDPR is primarily a European law, it applies to any business that interacts with a citizen of the European Union, which means many Australian businesses will be affected. 

This creates a paradox for businesses who both rely on information and need to protect that information.

Compliance with these new pieces of legislation demands that businesses have unprecedented visibility into the information they collect and store and that they be able to demonstrate how that data has been treated. 

Businesses need to make information available at the right time on any device so employees can do their jobs.

But they also need to control that information and make sure no unauthorised person can access it.

These two goals have traditionally been somewhat incompatible.

To overcome this issue, businesses need a solution that helps manage compliance and audits, while making it simple for people with the right permissions to access the data they need.

Compliance is mostly about being able to demonstrate control.

It’s about being able to identify who has accessed information, whether they’ve edited or shared it, and when.

Flat file stores are hard to control and, as people leave and join the business, keeping track of access permissions and history gets tangled.

Businesses, therefore, need to take a process-based approach to becoming compliant with NDB and GDPR legislation.

That means taking a step back and gaining an overarching view of data including where it resides and what policies apply to it.

Everyone in the organisation should understand how data needs to be managed and be able to comply with those requirements.

This should be an ongoing process.

Privacy-related legislation tends to include requirements around what personal data can be collected and retained and for what purposes, as well as how businesses must respond to requests for that information either from the individual whose information is stored or from third parties. 

Businesses need to be able to react fast and appropriately when they receive requests for data.

They need to know what data can be shared and what data must never be shared.

If a person requests their own data, the business must be able to provide it immediately.

It’s not good enough to say they couldn’t find it or they assume it has been destroyed; they need to be able to prove it. 

Organisations need a solution that tags the data with information such as whether it contains personal details, how long it needs to be kept for, and why it needs to be kept.

If it shouldn’t be kept, the organisation needs to be able to demonstrate that the data has been destroyed.

If the organisation hasn’t destroyed the data, it needs to be able to demonstrate that it’s keeping the data for legal and legitimate reasons. 

Managing this process manually is difficult, and businesses can look at automation to simplify these processes.

The cost of trying to maintain compliance without an appropriate, metadata-driven content management tool is prohibitively high.

SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.