The GDPR is coming but there’s no need for panic
Added Monday 26 March 2018 by Arrow ECS
Data is the new fuel that drives business. The benefits it can bring make it a valuable asset but it’s one that needs to be traceable, accountable and, most of all, protected.
Unless you’ve been in hiding for the last year, you’ll be aware that the new General Data Protection Regulation comes into force on the 25th May. With the deadline now only two months away, it’s vital that organisations focus on a new set of compliance challenges to ensure they meet the new requirements.
It’s obvious that levels of readiness vary and many businesses are still only in the initial stages of preparation. However, there’s no need to panic. For most enterprises, GDPR doesn’t mean starting from scratch; it means assessing current systems and processes, finding the gaps and filling them.
What’s the biggest challenge that companies face? We've identified four key areas that we believe businesses need to look at before lift-off.
Locate and search: what data have I got, where is it, and who can access it?
Data is now critical to how companies make business decisions, but the volume produced can make it difficult to know what is held, where it is and, crucially, who can use, access, delete or manipulate it.
Today, data doesn’t just sit on physical servers or desktops. The number of devices, platforms and apps is growing and there are ever more places that personal data can reside. Communication happens over a growing number of devices, platforms, and apps. And while these developments are great for business, they also make the chance of data loss more likely.
All organisations need to ensure they know what data they have, where it is, how they can access it – and, ultimately, how to best use it, to not only protect it but get real value from it.
There are lots of products available that can help companies, whatever the complexity of their network, to:
• Determine what data they hold and where it is - even if it’s held within forms or images
• Control who can access it, even from unmanaged locations or devices
• Police what level of access a user has, monitor and revoke access to sensitive data
• Identify risky behaviour or security compromises
• Manage data loss policies
Minimise: control and refine the data you have
Under GDPR, any personal data held must be accurate and up to date, and organisations must be able to demonstrate that they have consent and for what purposes. However, having multiple records for an individual can make this difficult.
This is where using a de-dupe product can help to ensure records are accurate and up-to-date, even when someone appears multiple times, across multiple platforms - potentially with slightly different spellings.
Using de-dupe products can also have other benefits. As data explodes, storage needs grow and keeping up with demand can be costly. Storage management and de-dupe technology can help to reduce the demands on an already stretched infrastructure, while also keeping data safe and making sure you know what is where, whenever you need it.
However, the key to controlling data is to have a disaster recovery plan in place to ensure the business can restore the data that it holds and that the system will meet the required standard.
Protect and ensure trust
Once you have a view of the data you have, where it is and how to access it, then it’s time to look at protecting it. After all, despite the best laid plans, disasters can, and do, happen.
News reports of cyber-attacks are increasingly frequent and can have a serious impact on how customers perceive a company. The way a business responds to, and handles, a breach can make a big difference. And with the introduction of GDPR, public exposure is likely to increase, as breaches will need to be reported within 72 hours.
The key to stopping hackers getting into the system and getting their hands on your data is to prepare for the worst. The sheer complexity of today’s security landscape means that many companies should focus on when they get hacked, not if.
Organisations should focus on proactive network security that provides more protection than firewalls, malware protection and encryption, such as:
• Managing passwords
• Keeping devices and data secure if lost or stolen using multi-layer encryption
• Automatically encrypting or blocking sensitive data in emails
• Protecting encryption keys
• Stopping malware and ransomware
• Stopping attacks at the network perimeter
• Keeping individual files secure even when they leave the network or devices
• Ensuring that only authorised recipients can access sensitive files
Monitor and manage: identify what’s gone wrong - and how - as soon as it’s happened
Having security tools in place creates its own set of data, but that data is only useful if it can be analysed and understood. Security and behavioural analytics products help to make sense of the information created and provide teams with the ability to rapidly discover advanced persistent threats.
Log Management or Security Information and Event Management tools help enterprises to test, assess and evaluate data security effectiveness. These tools are important for monitoring all users and system activity so that companies can quickly identify suspicious or malicious behaviour; it’s also important to monitor data stored or processed in cloud environments.
With a 72-hour time limit on notifications of breaches, it’s vital to have a programme in place that identifies and flags breaches if they happen. The right product can gather real-time log data from distributed applications and infrastructure in one place to enable powerful searches, dynamic dashboards and alerts, and reporting for real-time analysis.
The new regulations require all parts of an organisation’s infrastructure and IT solutions to be as secure as possible, and that includes protecting against breaches from within, as well as attacks from outside. And while there is no one-size-fits-all solution, overall, a proactive and positive approach to compliance and security will be a key factor in complying with GDPR.