What GDPR means for data management and storage
GDPR significantly impacts the way in which enterprise accesses, processes and stores data. In this report, you will examine the implications of GDPR on data management, storage and security. In particular, you will review critical security requirements laid down by GDPR and also the challenges that the regulation brings to your data security practices. You will also explore what strong GDPR-appropriate security includes and see how GDPR is a platform for business enablement.
GDPR and your data security approach
GDPR is an umbrella data protection mechanism of which data security is a fundamental component. Matters of data privacy and protection will have a profound effect on your business operations. Moreover, with the advent of GDPR, there exists the likelihood of having to make significant changes across your entire company with respect to data storage. The objectives of GDPR are transparently laid out in Article 5, ‘Principles relating to the processing of personal data’. The principle applying to data security stipulates that personal data must be ‘processed in such a manner that ensures appropriate security’.
Appropriate security
What does GDPR mean by appropriate security? Article 5 makes this clear: data must be protected against unauthorised and unlawful processing. Furthermore, the regulation requires that data must be protected against accidental loss or destruction.
GDPR does not provide a specific checklist of compliance controls for data security. Instead, it requires your IT guys to implement controls ‘to ensure a level of security appropriate to the risk’. By extension, this implies taking a risk-based view of security. The model risk = asset x threat x vulnerability has gained momentum in providing a framework to determine risk. This is not a mathematical model but a means of visualising the size of a specific risk in relation to another.
Risk-based security
Risk-based security means evaluating data sensitivity, determining network vulnerabilities and ascertaining threats, such as potential cyber attacks. Risk-based security is a holistic tack in which you build an understanding of risk into every data security decision. Risk-based security is a pragmatic strategy that is business impact-driven, not simply compliance driven. In short, you are applying the highest levels of security not simply to be in line with GDPR, but to strengthen your business operations.
GDPR-appropriate data security
GDPR-appropriate protection isn’t only down to prevention. In fact, you’d be making a mistake by investing in expensive preventative technology to keep your data secure and as a GDPR quick-fix. Realistically, prevention is not possible 100% of the time.
A robust security MO consists of three critical elements: protection, detection and response. When you implement a security strategy that focuses on these components, you’ve got it right. They form the backbone of an initial GDPR-focused security plan. Also, when they are ingrained in the security operation of your business, you can sit back for a moment knowing that your sensitive data is as secure as it can be.
Protection
Effective protection means applying risk-based security controls and using the latest technologies. Your IT infrastructure should be protected with the best possible anti-virus and anti-malware software that you can afford. Your IT department or outsourced Managed Service Provider (MSP) should conduct a risk assessment to determine whether you should store data on-site, use a third-party cloud provider or adopt a hybrid cloud solution.
Effective protection also means having a thorough knowledge of your business-critical assets and data: where they are, who has access rights to them, and how they are secured. Taking a risk-based approach to data security and using advanced threat intelligence will protect your assets along with the applications that manage your information.
Detection
GDPR requires that you are able to effectively and quickly detect system and data breaches. To achieve this, you must have complete visibility across your entire IT infrastructure. This includes all networks, servers, mobile devices, all endpoints, cloud storage and Software-as-a-Service (SaaS) applications. Sounds like a lot, doesn’t it? However, without visibility, you will not be able to monitor or detect anything.
Successful detection needs 24/7 monitoring, not simply flagging possible threats. By accessing enhanced IT intelligence, you should be capable of querying and analysing all intrusion data. Such analyses will facilitate pinpointing exactly which systems and data are compromised.
Intelligent IT detection software will allow you to see how the intrusion occurred plus how you can restore systems, minimising downtime. You will also be able to judge if the breach is reportable to the ICO under GDPR requirements. Detection processes are effective when you have identified the intrusion in time to prevent a widespread data compromise. The more accurate and precise your detection methods, the more efficient your response will be.
Response
GDPR requires you to report any notifiable breach to the regulator, the ICO in the case of the UK, within 72 hours. Being prepared is the key to reporting incidents in a timely fashion. You will need to know and document your data risks. Incident response also entails, but is not limited to:
- understanding statutory reporting requirements such as deadlines and formats
- deciding who will be held accountable
- allocating roles for decision making
- planning how to mitigate the impact on your operations
- having strategies to inform all stakeholders
Remember that with a tight deadline of 72 hours looming over your head, your IT department and management don’t have time to reinvent the wheel. You also don’t have the time to discover that your incident response methods are ineffective. Also, realise that it’s not all about reporting. You can learn a lesson from any breach event, contain the damage and take remedial action to prevent it from happening again in the future.
Business enablement
GDPR requires Privacy by Design and default. Put simply, this means that privacy and data protection must be integral to the entire life cycle of data within your business. Undoubtedly, ensuring this principle will be time-consuming and a burden on resources. But instead of seeing GDPR as a hindrance, seize the opportunity to create a strong data security agenda. In the long term, your risk-based approach to security fosters business enablement as well as regulatory compliance.
Security threats and data breaches will significantly impact your brand perception and value. If you encounter lengthy downtime, you’ll also reel from the almost immediate financial effects. Serious breaches may threaten your digital and financial assets and IP. Reflect on this question: will you be fully focused on business if you and your team have to deal with the aftermath of a major breach?
By comprehensively addressing the security requirements of GDPR you are protecting the privacy of clients, stakeholders and employees. You are also avoiding any penalties for GDPR non-compliance. But there’s more; with unprecedented security measures in place, you have a competitive advantage and will be considered a trustworthy and reliable partner by your clients, end-users and other stakeholders.
GDPR compliance for the future
Being GDPR compliant does not come without its challenges. It means adapting to a risk-based approach to your data management and security. However, working with a trusted MSP will make the challenge less formidable and less resource-heavy. The MSP will provide guidance on information security, incident response and how to embed risk-based security into your organisation.
You don’t need to panic and buy ready-made GDPR solutions off the shelf. Using a risk-based approach, you can assess your level of GDPR maturity, identify gaps for remediation and further develop your data security practices and policies.
A risk-based data solution can be extended to all information that is valuable to your enterprise. This could be intellectual property, core data, web pages, or transactional data. Using the simple combination of protect, detect and respond, your business will rise to an elevated position of resilience: a position that is GDPR compliant and is also ready for sustained business enablement in the future.