Since May 25th, 2018, organisations have been working on their General Data Protection Regulation (GDPR) posture to comply with the EU regulation. It has been over two years, and the effects of this regulation are starting to be seen far and wide.
GDPR is a comprehensive regulation that protects EU consumers by holding companies to a standard of governance and IT security for personal data. The regulation seeks firmer IT security controls and audit measures to be put in place by organisations.
This is of particular importance to South African companies who are doing business in the EU region. Not only should these companies comply with the local Protection of Personal Information (POPI) act, but they are also held to account by the regulation in other regions.
We all know that “data is the new oil”. Everyone is holding onto information and within that data, we also find personal data. GDPR compliance is essential to securing the personal data of customers, suppliers, and employees alike.
Data mining is an enormous industry, extracting value and turning people into products that can be marketed to and traded.
The GDPR regulation keeps big data exploiters in check and provides the individual (data subject) the power to choose how their data should be used by anyone who holds it.
These companies now have to act within the regulation and may not use personal data without the individuals’ explicit consent.
Personal data is not just the names of the data subject but extends to their phone numbers or bank accounts, IP addresses, photos, sexual preference, and anything that can identify a person, even the phone or device’s MAC addresses, browser history and other data that identifies the data subject.
The regulation helps to build confidence with consumers that their data is being used for what it was collected for and that the information is safe.
The regulation defines and demands accountability from organisations on how personal data is processed and protected.
It is clear that if an organisation does not take GDPR seriously, then it is likely that there is something nefarious going on, as the regulation has been out for enough time for organisations to show diligence and due care.
GDPR is about individuals handing over data on their terms, and then being able to trust enterprises with this data.
This trust, if abused, allows the affected individual not only to seek compensation but also to seek recourse through the supervisory authority that regulates the jurisdiction.
Because the regulation was harmonised across 29 countries and there is co-operation between them, it is simpler to enforce.
GDPR is positive, but many businesses are struggling to achieve the compliance benchmark. There are several reasons for this, and we explore the challenges below.
- Many organisations do not know where their data is. The data is spread out on on-premise servers, in the cloud, on devices at home and at the office, and on backups; basically, all over the place. There is no definitive list of where the data is, what it is, or what it contains.
- Almost all the organisations we have dealt with during the GDPR term do not know what data is exposed and to what level. Also, the content of actual data is often unknown as users are creating the information all the time on their remote computers, servers, cloud, and platforms.
- The next challenge is most organisations don’t know who has access to the data. Most organisations think they know, but when challenged, it becomes clear that they do not explicitly know.
For instance, IT usually has access to all data, and the third parties that support the company have access too. What about the service providers that host the data and manage the environments? They also have access.
It is very easy for data to go from an internal user to an external user and then get lost in the “ether”, at which point the company is out of compliance. If we are honest, there is still a lot of work to do.
This means that the company does not have reasonable controls around the personal data, which means they are not compliant with GDPR. Many believe they are compliant which is problematic because if there is a data breach, they will be held liable.
Mass Data Fragmentation: What Is It and Why Does It Make GDPR Compliance So Challenging?
With the increasing threat of cyber-attacks and ways in which data can be stolen, companies large and small are finding it difficult to keep their data safe and to meet GDPR policies.
More than 80% of all data within an enterprise sits in backups, archives, object stores, files, and test/dev environments. This data, sometimes called secondary data, lives in siloed infrastructure that is spread across multiple points, products and locations, including on-premises and in public cloud infrastructure.
In a survey of over 900 senior IT decision-makers conducted by Vanson Bourne, the results showed that 87% of respondents acknowledge that secondary data is fragmented and becomes impossible to manage long term.
63% have 4-15 copies of the same data, and 85% store data between 2-5 public cloud platforms.
These statistics raise major questions for organisations globally: if they have all of these data copies, how can they possibly know what Personally Identifiable Information (PII) is in those copies?
And, if those copies have been replicated to a host of public clouds, who is keeping track of what PII is where?
Digital Tracking and GDPR Compliance
Companies are gathering data, deriving our identities from our online behaviours, and identifying us as a unique data subject and then selling that data on, which is in complete contravention of GDPR.
It has gone beyond cookies: tracking pixels, behaviour monitoring, browser history, and other unique information also fall under GDPR.
Due to this vast data sprawl and lack of visibility, it is challenging for controllers to locate personal data, inside and outside of their environment, and take corrective action (with technical and administrative controls), because they don’t know what data they’ve got or where it’s located.
At the end of two years of GDPR, there is adequate evidence that organisations have struggled with a lack of resources and the sheer complexity of handling data in order to ensure compliance.
So, What Can We Do About Compliance?
Consolidate systems and storage so that data is not spread out on every online and private storage platform. Where data is stored, encrypt it so that the data can be protected. This includes your backups.
Secure data against unauthorised access: apply the principle of least privilege and use multifactor authentication for all platforms wherever possible. If a platform does not support it, put it behind a portal that does.
Back up all data and make sure that data is never left on a system without strong access control, both when stored and when transmitted. Audit the data and track where it goes and who produces it; knowing where the data is and where it goes is key to protecting it.
Automate data retention periods where possible: this helps take data offline so it is not exposed, and it also tracks what your company is holding onto.
It is possible to employ tools to do a lot of this work for you and keep on top of your obligations. Take note, however, that if you are found not to be applying reasonable measures, as described in this article, to the personal data of any EU citizen, the supervisory authority will take action appropriate to the breach.
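The consolidation, encryption, audit and retention steps above can be backed by a simple inventory sweep. The following is an added example, not code from the original article or from ENHALO: it runs over a constructed inventory of personal-data stores (field names are assumptions) and reports which data sets are past their retention period and should be taken offline, which are held unencrypted, and which categories of personal data sit in each location.

```python
"""Retention and exposure sweep over a constructed personal-data inventory."""
from datetime import date, timedelta

# Constructed sample inventory; ids, locations and field names are assumptions.
INVENTORY = [
    {"id": "crm-prod", "location": "on-prem", "categories": ["name", "email", "phone"],
     "collected": date(2019, 1, 10), "retention_days": 730, "encrypted": True},
    {"id": "crm-backup-2018", "location": "backup", "categories": ["name", "bank_account"],
     "collected": date(2018, 3, 1), "retention_days": 365, "encrypted": False},
    {"id": "web-analytics", "location": "cloud-a", "categories": ["ip_address", "browser_history"],
     "collected": date(2020, 2, 15), "retention_days": 90, "encrypted": True},
    {"id": "test-db-copy", "location": "test/dev", "categories": ["name", "email"],
     "collected": date(2019, 11, 1), "retention_days": 180, "encrypted": False},
]

# Reference date for the sweep: two years after GDPR took effect.
TODAY = date(2020, 5, 25)


def past_retention(entry, today):
    """True when the data set has outlived its retention period."""
    return today > entry["collected"] + timedelta(days=entry["retention_days"])


def sweep(inventory, today):
    """Return (ids to take offline, ids stored without encryption at rest)."""
    expired = sorted(e["id"] for e in inventory if past_retention(e, today))
    unencrypted = sorted(e["id"] for e in inventory if not e["encrypted"])
    return expired, unencrypted


def holdings_by_location(inventory):
    """Map each storage location to the set of personal-data categories held there."""
    holdings = {}
    for e in inventory:
        holdings.setdefault(e["location"], set()).update(e["categories"])
    return holdings


if __name__ == "__main__":
    expired, unencrypted = sweep(INVENTORY, TODAY)
    print("take offline:", expired)
    print("unencrypted:", unencrypted)
    for loc, cats in sorted(holdings_by_location(INVENTORY).items()):
        print(f"{loc}: {sorted(cats)}")
```

In practice the inventory would be generated from discovery tooling rather than typed by hand; the sweep logic stays the same.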
GDPR is a great regulation that helps data subjects retain control of their personal data as part of their rights. This data belongs to the data subject, and many companies have made trillions out of it without proper consent and without the data subjects’ visibility and knowledge.
Two years on, data subjects are protected, the regulation only becomes more ingrained in what we do, and the evolution is positive.
It is well known that cybercrime is a business risk and an organisation can only mitigate this risk with skilled IT security resources by their side.
ENHALO (Pty) Ltd is the most agile and progressive cyber technology company with a complete range of cybersecurity offerings to ensure tailored GDPR compliance.