One of the most frequent questions I’ve been getting from clients recently is around the European Union’s General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018.
Enough ink has been spilled on what GDPR entails (and how it will affect not only European companies, but any organization that stores or processes the data of a European Union resident), so I won’t spend any time here rehashing its implications or its consequences. Instead, I’d like to share how good alignment of Information Security and Records and Information Management can help facilitate compliance with GDPR for those organizations that it affects.
Over the past year, I’ve been spending most of my time helping clients address (and reduce) their data risk surface, by identifying and managing sensitive data in both structured and unstructured data repositories. One of the major trends I see across all types of organizations and industries is the importance of aligning Information Security with the Records and Information Management functions.
I tell all my clients it’s not a matter of if, but when, they’ll face a breach or a security incident of some kind. And while it’s critical for Information Security to build better and stronger walls to keep the bad actors out, the CISO needs to spend just as much time dealing with what’s behind those walls. By reducing the volume of what needs to be protected—i.e. the amount of junk, orphaned, and over-retained data—it becomes easier to protect the really important stuff as well. (For more on this topic, see my previous blog post, “Minimizing the Risk Surface of Unstructured Content for InfoSec: Content Cleanup and Disposition,” or Joe Shepley’s recent video, “Cleaning Up Legacy Content.”)
The same concepts help with GDPR compliance. By reducing the total amount of data behind the secure walls of your organization, you make it easier to comply with various provisions of GDPR, including Breach Notification, Right to Erasure, Right of Access, and Data Portability. Here’s an overview of how good Records and Information Management practices help facilitate GDPR compliance:
Breach Notification: The less data you store beyond its operational or regulatory life, the less data is exposed in the event of a breach, and therefore the less severe the potential consequences. Less exposed data also means lower costs for things like credit monitoring and potential fines.
Right to Erasure: When you keep data only for the duration of its critical business or regulatory need, it becomes much easier to identify and “erase” the limited set of a particular data subject’s data upon their request for erasure.
Right of Access: By reducing the amount of data you store on a particular data subject, you make it easier to respond to Data Access requests (which must provide the data subject with information about what data the organization keeps on them).
Data Portability: What is likely to be the most challenging GDPR provision to comply with becomes much easier to fulfill when you reduce the amount of data stored on a particular data subject. Clearly there are business needs for keeping customer or consumer data while a data subject is considered “active,” but once that data is past its business or regulatory life, it is no longer needed—and the more data you have stored on a data subject, the harder it will be to collect and provide in a machine-readable format in the event of a Data Subject request.
I’m sure you get the idea. The less data you’re keeping, the easier it is to protect the really important stuff, and the easier it is to comply with regulations like GDPR. And for those of you thinking that GDPR may not apply to you? Perhaps you’re right. You may not process the data of European Union residents, but U.S. states such as California and Massachusetts have begun to implement rules and regulations similar to those of GDPR. Given that many other states are likely to soon go this direction, and given the fact that good records and information management makes Information Security’s life easier, why wouldn’t you consider identifying and remediating your critical data repositories?
We’re here to help. Check out our Information Security practice and our services in information governance and sensitive data identification. If you’re thinking about preparing your organization for the future, we can help you put together a strategy for cleaning up your data repositories, along with a roadmap with all the steps you need to take to do it.