General Data Protection Regulations of the EU
GDPR Compliance - The Guide Part I
GDPR is coming.
The comprehensive and vast General Data Protection Regulations of the EU will become European law this coming May.
The Regulations touch on a slew of topics related to IT and enterprise. As the deadline approaches, the most important issue on the agenda for firms should be how to take the first steps toward achieving compliance.
This introduction to GDPR will present the central responsibilities companies will have after the Regulations become law, and how the DLP and data protection solutions of GTB can help companies fulfill them.
First off, some important highlights of GDPR:
- The vast “Personal Data” pool defined by the Regulations will include data pulled from a variety of sources, such as cookies, genetic data, and IP and MAC addresses
- The practice of Data Profiling will probably require explicit consent from the subjects of profiles
- Personally Identifiable Information (PII) may need explicit consent for collection from clients and for subsequent processing into company databases
- Companies based outside the EU, but interacting with EU residents, are still required to comply with the Regulations.
- Data Protection Officers must be designated to oversee data protection and compliance with all aspects of GDPR
- Data authorities and consumers must be notified within 72 hours after the discovery of a breach.
- GDPR codifies big fines, in some cases up to 20,000,000 EUR or 4% of total company annual turnover (whichever is greater)
- The severity of penalties in the event of a breach depends on the level of the company's implemented security standards
The Processing and Storing of PII (Sensitive Personal Data)
The most difficult aspects of GDPR compliance relate to the collection, processing and storage of PII / Sensitive Personal Data, where “personal data” means any information relating to an identified or identifiable natural person (the ‘data subject’).
The standards are high.
The Regulations demand that companies keep an extremely tight handle on all personal data. Companies have to be able to account for all personal information they’ve collected and report to official bodies on its locations and methods of storage. Clients and business associates have the right to demand that a firm locate and erase all of their identifying data from its databases.
To meet these demands firms must have a top-notch data control strategy, including solutions for Data Discovery and the Inventory, Classification, and protection of PII.
Covering all of these bases can seem intimidating.
Complying with GDPR does not have to be an insurmountable challenge. GTB’s DLP Suite is designed to simplify achieving compliance. The Suite's content-aware discovery tools use machine learning and artificial intelligence to home in on sensitive data. This increases accuracy and, most importantly, efficiency in data encryption. It is this point that will be the critical key to an effective GDPR compliance strategy.
Discover and Inventory PII
What makes this approach essential for effectively abiding by GDPR?
The locations on a network containing PII can be numerous, widespread, and often disjointed. PII may reside on file shares, Exchange, local PST/OST files, databases, SharePoint, and cloud storage platforms. The GTB suite features a Discovery System that allows an organization to discover data in all possible storage locations without having to install separate components on each scan target.
The Discovery System then classifies each target location based on the presence of PII. Scans can be run as a batch process or on demand. Once PII is identified, it can be inventoried in another location for GDPR reporting purposes.
Defining PII Discovery Policies
The second point organizations will have to tackle is clearly defining which information qualifies as actual PII within the datasets they process and store.
This is no easy task, as system scans cover large volumes of data and will inevitably produce false positives. Common PII discovery tools regularly produce a mountain of files flagged as containing PII, with over half of them being false positives. The most efficient and simple way to avoid such results is to “fingerprint” PII data and define detection policies based on these fingerprints. Fingerprinting through intelligent proprietary algorithms is a simple process: it reads specific fields from a database table and stores hash values of those fields in the Discovery System, which then learns to identify PII based on these elements. Such fields can include employees' first names, last names, email addresses, telephone numbers, and salaries.
After these elements have been defined, they can be mapped as the system's PII detection rules for specific classifications. In this way, any file that contains PII data is automatically defined as such by inserting a new metadata field for classification and populating it with the classification value.
There is a range of options for how the classification value appears on a file, such as placing it in the header or footer of a document. (More methods are described at https://gttb.com/dataclassification-techniques-defined/)
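As an added illustration (not GTB's code, and not their proprietary algorithm), here is a minimal Python sketch of the fingerprint-then-classify idea from this section: hash normalized values of the identifying database fields, keep only the hashes, and classify a document as PII only when a candidate token hashes to a stored fingerprint, which is what suppresses the pattern-only false positives described above. The customer rows, the field choice and the sample documents are constructed examples.

```python
import hashlib
import re

# Constructed sample "database table" standing in for the real customer table.
CUSTOMER_TABLE = [
    {"first_name": "Anna", "last_name": "Schmidt",
     "email": "anna.schmidt@example.com", "phone": "+49 30 1234567"},
    {"first_name": "Luca", "last_name": "Rossi",
     "email": "luca.rossi@example.org", "phone": "+39 06 7654321"},
]
# Assumption: only fields that identify a person on their own are fingerprinted;
# a bare first name would match far too many innocent documents.
FIELDS = ("email", "phone")


def normalize(value):
    # Canonical form so "+49-30-1234567" and "+49 30 1234567" hash identically.
    value = value.strip(".,;:").lower()
    return re.sub(r"[\s\-()]", "", value)


def fingerprint(value):
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


def build_fingerprints(rows, fields=FIELDS):
    # The discovery index holds hashes only, so it does not itself become a PII store.
    return {fingerprint(row[f]) for row in rows for f in fields}


# Pattern-based candidate extraction: emails and phone-shaped numbers.
# On its own this is the regex-style detector that produces false positives.
TOKEN_RE = re.compile(r"[\w.+-]+@[\w.-]+|\+?\d[\d\s().-]{6,}\d")


def classify(text, fps):
    # A candidate only counts if its fingerprint is one we extracted from the table.
    hits = [t for t in TOKEN_RE.findall(text) if fingerprint(t) in fps]
    return ("PII", hits) if hits else ("Public", [])


def tag_document(text, fps):
    # Emulates inserting a classification value at the head of the document.
    label, _ = classify(text, fps)
    return f"[Classification: {label}]\n{text}"
```

A document containing a phone-shaped number that is not in the table is still reported as Public, whereas the pattern alone would have flagged it.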
Content-Focused PII Protection
What makes GTB’s DLP platform unique is its ability to give organizations control over their PII, to protect and secure sensitive data, and to remain compliant, all without hindering the dynamic work environment of the business.
How is this accomplished?
GTB’s DLP that Works protects the actual content of files rather than the files themselves, which allows content to be altered, engaged with, and made accessible to collaborators while staying under the protection of the DLP system.
The system protects data in all states: in motion, at rest, and in use, including data at the endpoint and in cloud storage. While data in motion is typically vulnerable to being intercepted and exfiltrated to the internet or to other devices such as USB drives, GTB DLP accurately protects organizations at these points of vulnerability.