Here we stand, just over two months until the EU General Data Protection Regulation (GDPR) becomes a reality for so many of you. Despite the short timeframe, many organizations are greatly under-prepared, under the assumption that a ‘security by design’ approach will help ensure compliance. The reality is that GDPR is more than just another data regulation with fines for audited non-compliance. GDPR was designed to have widespread consequences for offending organizations, including damaged company reputation and a weakened competitive position.
Based on findings from our 2017 Black Report—don't forget to register to receive this year's report, coming soon—sophisticated and determined hackers have rendered cybersecurity defenses unsuccessful, with 88% of professional hackers claiming they can break through cybersecurity defenses in just 12 hours. The mindset that breaches can be prevented is therefore naive. Organizations need to assume they have already been breached. So, if you can’t prevent hackers or insiders from getting into your network, it is vital to minimize the damage they can cause.
Obligation to Respond
In addition to inevitable yet unpredictable data breaches, GDPR requires you to respond to subject access requests, freedom of information enquiries, and ‘Right to Be Forgotten.’ Are you prepared to meet your obligations in these areas?
- Subject Access Request – This enables citizens to review personally identifiable information (PII) held by organizations about them. While these requests are already a staple of many country-level data privacy laws, the GDPR’s Right to Be Forgotten (see below) will enhance it, and organizations need to be able to respond effectively.
- Freedom Of Information – Again, this is a right that already exists. EU citizens can request that governments and public authorities provide any information held on them in a timely manner. However, the introduction of GDPR means this will become more complicated and be treated more like a subject access request. This can be particularly complex where several individuals’ data are intermingled.
- Right to Be Forgotten – Under GDPR, citizens will have the right to have all PII an organization holds about them deleted, provided there is no good business reason for the organization to keep it. This will need to be carried out by the controller of the data ‘without undue delay’ and in a manner provable for future audits.
All of these requests demand an ability to understand the topography of your data and confidently locate very specific records with accuracy and speed. Traditional information governance and eDiscovery practices and tools can reliably be turned to this use.
Visibility and Action
We are uniquely positioned to provide visibility into unstructured data and deliver real-time information, which security professionals and non-technical teams alike can rapidly act upon. This is achieved by deploying search terms and data patterns to locate data most relevant to GDPR policies. Using pattern recognition, the data strings most likely to be problematic are mapped to specific endpoints, cloud and network storage, third party repositories, and mobile devices.
Once you identify the data, Nuix’s “privacy by design” approach will protect the personal data you hold, making it more accessible for retrieval, deletion, and portability. This means that when an individual or regulatory agent makes a data request, you can retrieve the data rapidly and safely in line with GDPR, going beyond the narrow view of data merely for cybersecurity reasons.
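The locate-then-act workflow described above (pattern-based discovery of personal data across storage locations, followed by retrieval for a subject access request and provable deletion for a Right to Be Forgotten request) can be illustrated with a small script. This is an added example written for this page; it is not Nuix's code and does not describe how their product works. The data locations, records, regex patterns and function names are all constructed for the illustration.

```python
import re
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample "data estate": location -> text content.
# Every path, name, address and number below is invented.
DATA_ESTATE = {
    "endpoint-laptop-07/Documents/customers.csv": (
        "name,email,phone\n"
        "Anna Example,anna.example@mail.test,+44 20 7946 0958\n"
        "Ben Sample,ben.sample@mail.test,+33 1 23 45 67 89\n"
    ),
    "cloud-bucket/exports/tickets-2017.txt": (
        "Ticket 1021: contact anna.example@mail.test about invoice\n"
        "Ticket 1022: unrelated system outage notes\n"
    ),
    "fileshare/hr/old-notes.txt": "Meeting notes, no personal data here.\n",
}

# Illustrative search patterns for two PII classes. A real deployment would
# tune these to its own data and add further classes (IDs, addresses, ...).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{1,3}(?:[ \-]?\d){6,12}"),
}


def scan_estate(estate):
    """Map every PII hit to the locations it appears in.
    Returns {pii_class: {value: [location, ...]}}."""
    index = {}
    for location, text in estate.items():
        for pii_class, pattern in PII_PATTERNS.items():
            for match in pattern.findall(text):
                hits = index.setdefault(pii_class, {}).setdefault(match, [])
                if location not in hits:
                    hits.append(location)
    return index


def subject_access_request(estate, index, subject_email):
    """Return each location and line that references the subject's email,
    using the index from scan_estate so only relevant locations are read."""
    results = []
    for location in index.get("email", {}).get(subject_email, []):
        for line in estate[location].splitlines():
            if subject_email in line:
                results.append({"location": location, "line": line})
    return results


def erase_subject(estate, subject_email, audit_log):
    """Delete every line referencing the subject and append an audit entry
    per removed line. The audit entry stores a SHA-256 of the removed line,
    so the deletion can be evidenced later without retaining the PII itself.
    Mutates `estate` in place and returns the number of lines removed."""
    removed = 0
    for location in list(estate):
        kept = []
        for line in estate[location].splitlines():
            if subject_email in line:
                removed += 1
                audit_log.append({
                    "ts": datetime.now(timezone.utc).isoformat(),
                    "action": "erase",
                    "location": location,
                    "line_sha256": hashlib.sha256(line.encode()).hexdigest(),
                })
            else:
                kept.append(line)
        estate[location] = "\n".join(kept) + ("\n" if kept else "")
    return removed


if __name__ == "__main__":
    estate = dict(DATA_ESTATE)
    index = scan_estate(estate)
    print("PII map:", json.dumps(index, indent=2))
    print("SAR:", json.dumps(subject_access_request(estate, index, "anna.example@mail.test"), indent=2))
    log = []
    print("erased lines:", erase_subject(estate, "anna.example@mail.test", log))
    print("audit log:", json.dumps(log, indent=2))
```

The index is built once and reused for each request, so a subject access request only reads the locations already known to hold that subject's data. The erasure works at line granularity, which is a simplification: in practice a deletion has to respect record structure (a CSV row, a database record, a backup) and the exceptions for data the organisation has a lawful reason to keep, and the audit trail should be written to append-only storage rather than an in-memory list.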