With the arrival of the European Union's General Data Protection Regulation imminent, many organizations are scrambling to implement data policies and controls that will provide auditable evidence of compliance with GDPR rules on managing and securing personal data. For forward-thinking companies, however, a GDPR initiative could just be the start of a broader effort to protect sensitive data.
In particular, GDPR compliance means identifying and protecting information about individuals that's stored in corporate systems. That ranges from conventional types of personal data, such as names, email addresses and identification numbers, to associated pieces of information that effectively describe an individual's characteristics, behaviors or opinions.
The latter category includes both virtual and physical location data -- for example, the IP addresses of computers and electronic devices, internet cookies and geo-tagging data generated by GPS interactions and radio frequency ID tag transactions. It also encompasses health-related information and physiological data, such as fingerprints, iris scans and genetic data. Social media posts, racial and ethnic data, political opinions and sexual orientation are all covered under GDPR, too.
Complying with GDPR poses some clear data management and governance challenges for organizations, including U.S. companies that do business in Europe -- and the clock is ticking to address those challenges before the law takes effect in May 2018. However, the issues associated with improving data protection aren't limited to what the GDPR rules mandate.
The risks that companies face might also include exposure of corporate intellectual property, important business documents, restricted communications and other sensitive data. Consider the leaks of classified information from the National Security Agency, the hacking of email accounts belonging to Democratic National Committee staffers and Hillary Clinton campaign officials and the Sony Pictures data breach in 2014. Each incident involved sensitive data that wasn't necessarily or exclusively personal data.
GDPR compliance now, more later
As a result, a valuable byproduct of implementing GDPR compliance measures is the ability to generalize them into a broader data protection policy. Under the circumstances, it's certainly a good idea to get on the right side of the GDPR rules first. But a broader strategy would then apply new data governance and security methods to different types of sensitive data via the following steps:
- Defining categories of "data sensitivity." The rules for securing and managing personal data might differ from the rules for protecting intellectual property. Therefore, the first step is to decide what levels of governance and security are required for different data sets. The sensitivity assessment and your overall data protection strategy could also include credit card data and other payment information, financial records, business plans, legal documents and internal security data itself.
- Identifying sensitive data. This step is more complex than it might seem, especially in an organization that hasn't previously considered the need to classify and organize its data assets in a comprehensive way. It can be eye-opening to realize the degree to which sensitive data is spread among the different systems across an enterprise. There are tools on the market that claim to help users find personal data and other sensitive information in systems, but there are still challenges in expanding that capability to scan through a variety of structured and unstructured data sets, document what's in them and classify each one according to the data sensitivity categories you've created.
- Applying data protections. Data governance policies and procedures need to be created for different data sets to help ensure that information is managed and used properly. Different approaches to data security are also likely to be incorporated, ranging from the deployment of firewalls and other perimeter security tools to the use of access controls, data encryption, data masking and document locking.
- Monitoring for noncompliance. Controls must be built into the environment to validate that the appropriate data protections and governance mechanisms are being applied in the right places. These controls help ensure that sensitive data is properly managed, and they provide an audit trail for verifying compliance with the GDPR rules and other regulatory requirements.
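As an added illustration of the four steps above (example code, not part of the original article): a small Python scanner that classifies record fields against defined sensitivity categories, masks the personal and payment values it identifies, and writes one audit-trail entry per finding so that the protection step can be verified later. The category names, detector patterns, masking rules, Luhn check for card candidates and the sample record are all assumptions made for this example, not anything the article or GDPR prescribes.

```python
"""Sensitive-data classification, masking and audit logging.

Added example, not from the article. Categories, patterns, masking rules and
the sample record are constructed for illustration only.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Step 1: sensitivity categories and the detectors that identify them.
# detector name -> (category, pattern). All constructed for this example.
DETECTORS = {
    "email": ("personal", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    "ipv4": ("personal", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    "card_number": ("payment", re.compile(r"\b(?:\d[ -]?){12}\d{1,4}\b")),
    "confidential_marker": ("intellectual_property", re.compile(r"\bCONFIDENTIAL\b")),
}
# Higher rank = stronger controls required for the data set (constructed ordering).
SENSITIVITY_RANK = {"public": 0, "intellectual_property": 1, "personal": 2, "payment": 3}


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum over the digits of a candidate card number.
    Used to drop digit runs (order ids, phone numbers) that merely look like cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_record(record: dict) -> list:
    """Step 2: identify sensitive values field by field; returns findings."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for name, (category, pattern) in DETECTORS.items():
            for m in pattern.finditer(value):
                if name == "card_number" and not luhn_valid(m.group()):
                    continue
                findings.append({"field": field, "detector": name,
                                 "category": category, "match": m.group()})
    return findings


def mask_value(detector: str, text: str) -> str:
    """Step 3: masking rule per detector (constructed choices)."""
    if detector == "email":
        local, _, domain = text.partition("@")
        return local[0] + "***@" + domain
    if detector == "ipv4":
        octets = text.split(".")
        return ".".join(octets[:2] + ["x", "x"])
    if detector == "card_number":
        digits = "".join(c for c in text if c.isdigit())
        return "*" * (len(digits) - 4) + digits[-4:]
    return text  # a classification marker is flagged, not masked


def protect_record(record: dict, actor: str = "scanner") -> tuple:
    """Steps 3 and 4: apply masking and emit an audit entry for each finding.
    The audit entry stores a hash of the original value, never the value itself,
    so the audit trail does not become a second copy of the sensitive data."""
    protected = dict(record)
    audit = []
    for f in scan_record(record):
        masked = mask_value(f["detector"], f["match"])
        protected[f["field"]] = protected[f["field"]].replace(f["match"], masked)
        audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "field": f["field"],
            "category": f["category"],
            "detector": f["detector"],
            "value_sha256": hashlib.sha256(f["match"].encode()).hexdigest(),
            "action": "masked" if masked != f["match"] else "flagged",
        })
    return protected, audit


def record_sensitivity(record: dict) -> str:
    """Highest sensitivity category present in a record, or 'public'."""
    findings = scan_record(record)
    if not findings:
        return "public"
    return max((f["category"] for f in findings), key=SENSITIVITY_RANK.__getitem__)


# Constructed sample record; the values are documentation/test examples, not real data.
SAMPLE_RECORD = {
    "customer": "Alice Example <alice@example.org>",
    "last_login_ip": "203.0.113.42",
    "payment": "card 4111 1111 1111 1111 on file",
    "notes": "CONFIDENTIAL pricing model v3 attached",
    "order_count": 12,
}

if __name__ == "__main__":
    protected, audit = protect_record(SAMPLE_RECORD)
    print("record sensitivity:", record_sensitivity(SAMPLE_RECORD))
    print(json.dumps(protected, indent=2))
    for entry in audit:
        print(json.dumps(entry))
```

Running the script classifies the sample record as `payment` (its highest category), masks the email, IP address and card number in place, leaves the CONFIDENTIAL marker readable but flagged, and prints one audit line per finding. In a real deployment the detector list would be driven by the sensitivity categories defined in step 1, the scanner would run over each structured and unstructured data store in turn, and the audit entries would feed the monitoring controls of step 4.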
Putting this framework together provides the means to protect sensitive data of all stripes in a coordinated fashion, not just to comply with a specific regulation -- even a significant one like GDPR. In that sense, your GDPR compliance initiative may indeed turn out to be the beginning of something even bigger.