By now, your company should have a good handle on what needs to be done to meet the forthcoming GDPR guidelines. But is everyone clear on how the IT department can help? When the guidelines first came out, most IT departments were thrown the challenge of working out what was needed to meet them. It quickly became clear, though, that it was a people and process issue rather than a technology one. So the IT departments passed the buck on to the legal, HR and finance teams. Now that companies have gained a handle on the policies and procedures they need in place to handle their data, they are throwing the issue back over the fence to IT and asking how it can help.
Some IT vendors are making overstated claims as to how IT can help with GDPR, but really it's quite simple. It isn't a security play; that should be happening already. IT is an enabler to get your processes right. IT departments have access to some excellent tools that they can deploy to help ease the burden of complying with the GDPR. IT tools can help you understand what data is flowing through your organisation and where it is. Data discovery tools can not only help identify unstructured personal data, but also offer the analytics, tracking and reporting necessary to deliver accountability for file use and security.
While data mapping is not a specific requirement of the GDPR, meeting the requirements of the regulation would be extremely difficult without having a clear picture of the lifecycle of personal data in your organisation. This can be extremely challenging and requires ongoing maintenance. Mapping tools allow companies to identify areas where there is a risk to the rights and freedoms of data subjects in order to specify and implement appropriate technical and organisational measures to mitigate the risk.
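The discovery and mapping steps described in the two paragraphs above can be demonstrated with a small program. The following Go code is an added example and is not part of the original article or of any vendor's product: it scans a set of documents for three illustrative personal-data patterns (an e-mail address, a simplified UK National Insurance number and a UK mobile number, all assumptions chosen for the example), records only counts and locations rather than the matched values, and ranks locations by how much personal data they hold so that mitigation can start where the exposure is greatest. The sample documents are constructed inline; the 07700 900xxx number range is reserved for fiction.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// detector pairs a personal-data category with the pattern that finds it.
// The three patterns below are illustrative assumptions, not a full taxonomy.
type detector struct {
	category string
	re       *regexp.Regexp
}

var detectors = []detector{
	{"email", regexp.MustCompile(`(?i)\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b`)},
	// UK National Insurance number: two letters, six digits, suffix A-D (simplified).
	{"ni_number", regexp.MustCompile(`\b[A-Z]{2}\d{6}[A-D]\b`)},
	// UK mobile number: 07 plus nine digits, with an optional space after five.
	{"uk_mobile", regexp.MustCompile(`\b07\d{3} ?\d{6}\b`)},
}

// sampleDocs is constructed input standing in for files on a share or a
// mailbox export. 07700 900xxx is a reserved fictional UK number range.
var sampleDocs = map[string]string{
	"hr/payroll.csv":           "name,email,ni\nA. Example,a.example@example.com,QQ123456C\nB. Example,b@example.org,AB654321A\n",
	"marketing/newsletter.txt": "Reply to news@example.com or call 07700 900123 during office hours.",
	"eng/build.log":            "Build succeeded in 42s; artefacts uploaded to the store.",
}

// Scan returns, per location, the number of matches per category. Only
// counts and locations are recorded: copying matched values into a report
// would create yet another store of personal data to protect.
func Scan(docs map[string]string) map[string]map[string]int {
	inv := map[string]map[string]int{}
	for path, body := range docs {
		counts := map[string]int{}
		for _, d := range detectors {
			if n := len(d.re.FindAllStringIndex(body, -1)); n > 0 {
				counts[d.category] = n
			}
		}
		if len(counts) > 0 {
			inv[path] = counts
		}
	}
	return inv
}

func total(counts map[string]int) int {
	n := 0
	for _, c := range counts {
		n += c
	}
	return n
}

// RankByExposure orders locations by total findings, highest first, so that
// mitigation work starts where the most personal data is concentrated.
func RankByExposure(inv map[string]map[string]int) []string {
	paths := make([]string, 0, len(inv))
	for p := range inv {
		paths = append(paths, p)
	}
	sort.Slice(paths, func(i, j int) bool {
		ti, tj := total(inv[paths[i]]), total(inv[paths[j]])
		if ti != tj {
			return ti > tj
		}
		return paths[i] < paths[j]
	})
	return paths
}

// Report renders the inventory one location per line, in exposure order,
// e.g. "hr/payroll.csv: email=2, ni_number=2".
func Report(inv map[string]map[string]int) string {
	var b strings.Builder
	for _, p := range RankByExposure(inv) {
		cats := make([]string, 0, len(inv[p]))
		for c, n := range inv[p] {
			cats = append(cats, fmt.Sprintf("%s=%d", c, n))
		}
		sort.Strings(cats)
		fmt.Fprintf(&b, "%s: %s\n", p, strings.Join(cats, ", "))
	}
	return b.String()
}

func main() {
	fmt.Print(Report(Scan(sampleDocs)))
}
```

The report is the seed of a data map: each line says where personal data sits and of what kind, which is what is needed to decide which locations warrant encryption, access restriction or deletion. Real deployments add file-system or mailbox crawlers in place of the constructed map and a far richer set of detectors, but the shape of the inventory stays the same.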
Encryption tools can also be used in a variety of ways to support the guidelines, including protecting data in transit or at rest, providing verification of data integrity and authenticity, and even offering a means of secure destruction. But remember, the encryption may need to be reversible and those responsible for your data must ensure that the technologies selected are appropriate for the formats needed.
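To make the paragraph above concrete, the following Go program is an added example (not code from the article or from any product it mentions) showing how one encryption design covers all three uses: data at rest is stored only as AES-256-GCM ciphertext, retrieval reverses the encryption and verifies integrity and authenticity in the same step, and secure destruction is achieved by destroying a record's key ("crypto-shredding"), so copies of the ciphertext left in backups become unreadable. The per-record key scheme, the in-memory key store and the record ids are assumptions for the example; a production system would keep the keys in a KMS or HSM, separate from the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrNoRecord = errors.New("no such record")
	ErrShredded = errors.New("record key destroyed: data is permanently unrecoverable")
	ErrTampered = errors.New("ciphertext failed authentication")
)

// Vault holds one random data-encryption key per record and stores records
// only as AES-256-GCM ciphertext. Keys live in memory for this example; in a
// real deployment they would sit in a KMS or HSM, separate from the data.
type Vault struct {
	Keys    map[string][]byte
	Records map[string][]byte // nonce || ciphertext || GCM tag
}

func NewVault() *Vault {
	return &Vault{Keys: map[string][]byte{}, Records: map[string][]byte{}}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts plaintext under a fresh per-record key. The record id is
// bound as associated data, so a ciphertext cannot be quietly re-filed
// under a different subject's id without failing authentication.
func (v *Vault) Store(id string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.Keys[id] = key
	v.Records[id] = gcm.Seal(nonce, nonce, plaintext, []byte(id))
	return nil
}

// Retrieve reverses the encryption (for example to answer an access request)
// and verifies integrity and authenticity in the same step.
func (v *Vault) Retrieve(id string) ([]byte, error) {
	sealed, ok := v.Records[id]
	if !ok {
		return nil, ErrNoRecord
	}
	key, ok := v.Keys[id]
	if !ok {
		return nil, ErrShredded
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, ErrTampered
	}
	plaintext, err := gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(id))
	if err != nil {
		return nil, ErrTampered
	}
	return plaintext, nil
}

// Shred destroys the record's key (crypto-shredding). Copies of the
// ciphertext that survive in backups stay unreadable.
func (v *Vault) Shred(id string) {
	if key, ok := v.Keys[id]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(v.Keys, id)
	}
}

func main() {
	v := NewVault()
	_ = v.Store("subject-42", []byte("constructed sample record"))
	pt, err := v.Retrieve("subject-42")
	fmt.Printf("retrieved: %q err=%v\n", pt, err)
	v.Shred("subject-42")
	_, err = v.Retrieve("subject-42")
	fmt.Println("after shred:", err)
}
```

The point of binding the record id as associated data is that a verified ciphertext proves not only that the bytes are unchanged but also that they belong to the subject being looked up. The "reversible" caveat in the paragraph above is exactly what distinguishes this scheme from hashing: while the key exists the data can be returned to its owner, and the moment the key is gone the erasure is permanent.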
Best practice requires that organisations should implement adequate technical measures to protect personal data during transmission, over and between networks, to further protect confidentiality and integrity. This is achieved through a combination of network protection (ensuring attackers are unable to intercept data) and encryption (to render the data unintelligible). Controls could include the use of virtual private network (VPN) solutions, disabling insecure protocols, supporting strong protocols and even private point-to-point connections between data centres.
Hosted solutions offer smaller organisations the use of security tools that were previously the preserve of larger ones, thereby supporting their efforts to comply with the secure processing requirements of the GDPR. These could include robust firewalls, enterprise-quality antivirus and web filtering, encryption of emails and management of all endpoints. By outsourcing the storage, backups, security and processing of data, and provided they meet the requirements for appointing a data processor, organisations are able to significantly reduce their compliance burden. But companies should make sure their managed service provider is working to the right ISO requirements as well as the GDPR.
With some estimates suggesting that 90% of all the data in the world has been generated over the last two years, effective data management (the use of architectures, policies and procedures to manage the information lifecycle needs of organisations) is becoming increasingly challenging. Easy-to-use data visualisation tools can help organisations uncover what personal data is hidden, identify risks, and accurately classify all personal data, providing the intelligence to demonstrate many obligations for GDPR compliance.
The data breach notification requirements oblige enterprises to notify the supervisory authority (ICO) without undue delay and, where feasible, not later than 72 hours after having become aware of a data breach. With the time involved in detecting a breach typically being measured in months, this requirement presents a significant challenge to organisations. Tools that monitor and log activity, create alerts when anomalous events are detected, and support reporting both for breach notification and for continuous improvement should be considered.
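The monitoring-and-alerting tooling described above can be illustrated with a small detector. The following Go program is an added example, not code from the article or any product it refers to: it reads constructed key=value log lines, raises an alert when one source address accumulates five failed logins within ten minutes or when a single export pulls more records than an assumed baseline, and computes the 72-hour notification deadline from the time the organisation became aware of the incident. The log format, the two rules and their thresholds, and the treatment of the awareness time are all assumptions for the example; 198.51.100.0/24 is a documentation address range.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Alert is one detection, carrying the time it fired so that the breach
// timeline (and the notification clock) can be reconstructed later.
type Alert struct {
	Rule    string
	Subject string
	At      time.Time
	Detail  string
}

type event struct {
	at time.Time
	kv map[string]string
}

// Assumed thresholds for the two rules; a real deployment tunes these to the
// organisation's own baseline.
const (
	failWindow    = 10 * time.Minute
	failThreshold = 5
	bulkThreshold = 1000 // records in a single export
)

// sampleLog is constructed input in "RFC3339 key=value ..." form.
var sampleLog = []string{
	"2018-05-25T09:00:00Z user=alice src=10.0.0.5 action=login result=ok",
	"2018-05-25T09:01:00Z user=bob src=198.51.100.7 action=login result=fail",
	"2018-05-25T09:01:20Z user=bob src=198.51.100.7 action=login result=fail",
	"2018-05-25T09:01:40Z user=bob src=198.51.100.7 action=login result=fail",
	"2018-05-25T09:02:00Z user=bob src=198.51.100.7 action=login result=fail",
	"2018-05-25T09:02:20Z user=bob src=198.51.100.7 action=login result=fail",
	"2018-05-25T09:30:00Z user=alice src=10.0.0.5 action=export records=40",
	"2018-05-25T23:10:00Z user=carol src=10.0.0.9 action=export records=25000",
	"not a log line",
}

func parseLine(line string) (event, error) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return event{}, fmt.Errorf("empty line")
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return event{}, err
	}
	ev := event{at: ts, kv: map[string]string{}}
	for _, f := range fields[1:] {
		if parts := strings.SplitN(f, "=", 2); len(parts) == 2 {
			ev.kv[parts[0]] = parts[1]
		}
	}
	return ev, nil
}

// Detect runs both rules over the lines in order and returns the alerts raised.
// Malformed lines are skipped here; production tooling should count them,
// since a gap in logging is itself worth an alert.
func Detect(lines []string) []Alert {
	var alerts []Alert
	fails := map[string][]time.Time{} // recent failure times per source
	alerted := map[string]bool{}      // one burst alert per source
	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			continue
		}
		switch ev.kv["action"] {
		case "login":
			if ev.kv["result"] != "fail" {
				continue
			}
			src := ev.kv["src"]
			recent := fails[src][:0] // drop failures older than the window, in place
			for _, t := range fails[src] {
				if ev.at.Sub(t) <= failWindow {
					recent = append(recent, t)
				}
			}
			fails[src] = append(recent, ev.at)
			if len(fails[src]) >= failThreshold && !alerted[src] {
				alerted[src] = true
				alerts = append(alerts, Alert{"failed-login-burst", src, ev.at,
					fmt.Sprintf("%d failed logins within %s", len(fails[src]), failWindow)})
			}
		case "export":
			if n, err := strconv.Atoi(ev.kv["records"]); err == nil && n > bulkThreshold {
				alerts = append(alerts, Alert{"bulk-export", ev.kv["user"], ev.at,
					fmt.Sprintf("%d records in a single export", n)})
			}
		}
	}
	return alerts
}

// NotificationDeadline is the latest time the supervisory authority may be
// notified: 72 hours after the organisation became aware of the breach.
func NotificationDeadline(awareAt time.Time) time.Time {
	return awareAt.Add(72 * time.Hour)
}

func main() {
	alerts := Detect(sampleLog)
	for _, a := range alerts {
		fmt.Printf("%s %-18s %-14s %s\n", a.At.Format(time.RFC3339), a.Rule, a.Subject, a.Detail)
	}
	if len(alerts) > 0 {
		// For the demo, awareness is taken as the moment the first alert fired.
		fmt.Println("notify by:", NotificationDeadline(alerts[0].At).Format(time.RFC3339))
	}
}
```

Two design points matter for the 72-hour requirement. Every alert carries its own timestamp, because the notification clock and the incident report both depend on being able to show when the anomaly was first visible. And the bulk-export rule fires on a single event, whereas the failed-login rule needs a sliding window; detections of the second kind are where a log with gaps or clock skew quietly loses alerts, so log completeness and time synchronisation are part of the control, not an afterthought.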
Under the guidelines, organisations should be able to locate and retrieve personal data at the request of the data subject. Tools that support the effective retrieval of data from systems in common machine-readable formats should be considered, in order to minimise the overheads that might be incurred as individuals exercise their rights. Finally, organisations need to be able to clean and dispose of data and IT equipment previously used for the processing of personal data to ensure permanent erasure, for example, through the use of electronic file shredding programmes.
The IT department in itself cannot meet the GDPR guidelines. But once the necessary legal, HR and financial policies and procedures have been identified and are in place, the IT department can bring to bear a considerable arsenal of tools to help make sure the correct data is found and managed appropriately to align with those policies and procedures.