The General Data Protection Regulation (GDPR) is set to come into force in May 2018. It represents the most sweeping change in the way companies are required to handle data since the dawn of the Internet. Compliance is universally required, and failure to comply can result in heavy fines.
The fines, of course, have garnered the most attention. Smaller incidents result in fines of up to €10 million or 2% of a firm’s global revenue, whichever is larger. The largest fines are up to the greater of €20 million or 4% of a firm’s global revenue. In one recent example, a global hospitality company was fined $700,000 for a breach of customer data. Under GDPR, that fine could have been as much as $420 million. The UK Register reported that fines could increase 79x under GDPR. For those companies operating in the UK looking for any relief under Brexit, the proposed UK Data Protection Bill offers a very similar approach and mirrors many of the GDPR provisions.
European officials are quick to say that they do not expect to see such an increase in fines. The UK’s Information Commissioner, Elizabeth Denham, states on the ICO Blog, “[W]e intend to use those powers [granted under GDPR] proportionately and judiciously. And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective.”
Ms. Denham may be perfectly sincere in her sentiments, but for those companies less inclined to rely on the statements of a government official, sincere as they may be, there are things you should be doing now.
How Do You Move a Mountain?
The sheer expanse of the GDPR universe of responsibility is overwhelming. GDPR requires you to have an understanding of your data stores well beyond what most companies actually have today. In the ideal case, data on individuals would be fully linked, anonymized, completely documented as to the reasons for storing it, and fully secured, yet each piece of data would remain easily accessible in the event that the individual issues a subject access request. In many cases, these requirements necessitate a full rethinking and reconfiguration of a company’s data stores.
But you move a mountain one stone at a time, and companies should focus on the immediate first step: mapping and identifying all of their data that is subject to GDPR.
Of course, this is just “best practice.” The average total cost of a data breach for a company is $3.62 million according to the 2017 Ponemon Institute research study, not to mention reputational damage to the brand and possible litigation. No entity is immune from ransomware gangs, careless employees exposing records, or hackers. Given the seriousness of a data breach in compromising the privacy of individuals, companies typically act quickly to remediate the situation. This often includes locating personally identifiable information (PII) in different areas across the organization’s network environment and other data stores, and doubling down on implementing policies and processes to ensure that PII-related content is controlled.
Unfortunately, this has traditionally been a reactive approach, implemented only after a breach. To comply with GDPR, organizations need to go a step further and proactively reclaim and secure all PII-related content within the organization. Given the breadth and complexity of IT infrastructure, companies using traditional tools will be hard-pressed to meet the GDPR deadlines with any degree of confidence that their results are accurate and complete. Fortunately, using an analytics-based strategy, companies have an opportunity to create a better process for identifying and securing PII, preempting risk and complying with GDPR at a fraction of the cost in time and money.
Mapping and Securing Data with Analytics
Here’s how one company addressed this problem after discovering data in a place where it shouldn’t have been:
First, the company needed to confirm that internally sensitive information, in addition to PII, was accessed only by individuals who were authorized to do so. All documents accessible by employees with standard system rights (e.g., network shares and SharePoint) were analyzed. Using a risk triage approach, software searched hundreds of file formats for data patterns using keywords and regular expressions, building an index of “hits” (documents containing sensitive information) and “non-hits” (content without sensitive information). The “hits” were ingested into an analysis platform, which the company had installed as a temporary mobile platform in its data center.
At the next level, analytical models were run to provide a deeper and more intelligent level of analysis to isolate sensitive data. Limited data sets of text and metadata were then transferred to a big data analytics platform, which identified data trends that were applied to subsequent scans, enabling a higher level of accuracy with each iterative scan. Subject matter experts then reviewed data flagged as containing potentially sensitive information; their decisions were fed back to further enrich the analytics model.
The analytics then assessed documents containing PII and other sensitive information, regardless of user permissions, across all of the organization’s data stores, providing a holistic view of where sensitive data resided that might fall outside the company’s expected controls. This analytics approach gave corporate stakeholders assurance that the company had taken proactive steps to protect its assets and its sensitive information.
Finally, with the data mapped, identified and secured, the company can build or revise workflows to ensure that sensitive data is handled properly in the future. With this information in hand, it is moving to the next step of GDPR compliance.
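The four steps above describe a discovery pipeline: keyword and regular-expression scanning over a document set, an index split into hits and non-hits, a risk-triage ranking of the hits, and reviewer decisions fed back into the next scan. The following Python is an added example of that loop and is not code from the article or from the company it describes. Every document, pattern, weight and reviewer decision in it is constructed for illustration; a real deployment would walk file shares and extract text from each format first, and would use a far larger and organization-specific pattern set.

```python
"""Pattern-based sensitive-data discovery with a risk-triage index.

Added example, not from the article. It mirrors the described process:
scan documents with keywords and regular expressions, separate "hits"
from "non-hits", rank hits for review, and apply reviewer feedback on the
next scan. All documents, patterns and weights below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # "email", "card", "ni_number" or "keyword"
    value: str      # normalised matched text (digits only for card numbers)
    weight: int     # triage weight; higher means review sooner


# Constructed corpus: document path -> extracted text.
SAMPLE_DOCS = {
    "hr/onboarding.txt": "New hire: jane.doe@example.com, NI number AB123456C",
    "finance/refund.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456",
    "marketing/plan.md": "Q3 launch: pricing tiers and roadmap, no customer data here",
    "it/readme.txt": "Build 4111111111111111 is the placeholder ID used in test fixtures",
    "it/changelog.txt": "Fixed build on Windows; bumped version to 2.4.1",
}

# Constructed reviewer feedback from an earlier pass: (path, category, value)
# tuples that subject matter experts confirmed are not sensitive. The readme's
# "card number" is a well-known test value, not a real card.
REVIEWED_FALSE_POSITIVES = {("it/readme.txt", "card", "4111111111111111")}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or hyphens; Luhn-checked below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Simplified UK National Insurance number shape: two letters, six digits, suffix A-D.
NI_RE = re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b")
# Keywords for internally sensitive, non-PII content (the article names pricing data).
KEYWORD_RE = re.compile(r"\b(pricing|confidential|product roadmap)\b", re.IGNORECASE)

WEIGHTS = {"card": 10, "ni_number": 8, "email": 3, "keyword": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[Finding]:
    """Run every pattern over one document's text and return its findings."""
    findings = []
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group().lower(), WEIGHTS["email"]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("card", digits, WEIGHTS["card"]))
    for m in NI_RE.finditer(text):
        findings.append(Finding("ni_number", m.group().replace(" ", ""), WEIGHTS["ni_number"]))
    for m in KEYWORD_RE.finditer(text):
        findings.append(Finding("keyword", m.group().lower(), WEIGHTS["keyword"]))
    return findings


def scan_corpus(docs, suppressions=frozenset()):
    """Return (hits, non_hits): hits maps path -> findings; non_hits lists clean paths.

    `suppressions` carries reviewer decisions from earlier passes so that
    confirmed false positives no longer surface as hits.
    """
    hits, non_hits = {}, []
    for path, text in docs.items():
        kept = [f for f in scan_text(text)
                if (path, f.category, f.value) not in suppressions]
        if kept:
            hits[path] = kept
        else:
            non_hits.append(path)
    return hits, non_hits


def triage(hits) -> list[tuple[str, int]]:
    """Rank hit documents by summed finding weight, highest risk first."""
    scored = [(path, sum(f.weight for f in fs)) for path, fs in hits.items()]
    return sorted(scored, key=lambda p: (-p[1], p[0]))


if __name__ == "__main__":
    first_hits, first_clean = scan_corpus(SAMPLE_DOCS)
    print("first pass, ranked hits:", triage(first_hits))
    print("first pass, non-hits:", first_clean)
    second_hits, second_clean = scan_corpus(SAMPLE_DOCS, REVIEWED_FALSE_POSITIVES)
    print("after review, non-hits:", second_clean)
```

On the first pass the readme's test card number is indexed as a hit because it passes the Luhn check; after the reviewer marks it as a false positive the second pass moves that document to the non-hit list, which is the feedback loop the article describes. The Luhn check and the ranking weights are where most of the tuning happens in practice: without the checksum, version strings and order numbers flood the review queue, and without weights the reviewers cannot start with the documents most likely to fall under GDPR.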
No Data Left Behind
As this scenario illustrates, data breaches could involve far more than PII; virtually any type of sensitive information that is exposed could harm the company, such as pricing information, IP, product plans, sales and marketing data, accounting records, and more. In light of the significant costs associated with data breaches, companies must shift to a more proactive approach.
All sensitive information matters to companies. But with GDPR rolling out in just over five months, and given companies’ financial exposure to fines for non-compliance, they can ill afford to wait any longer to implement protective measures: understanding where their data resides, how to reclaim it, and how to secure it.